Neutralizing SQL Injection Attack Using Server Side Code Modification in Web Applications

Reports on web application security risks show that SQL injection is the topmost vulnerability. The shift from static to dynamic web pages led to the use of databases in web applications. Because secure coding techniques are often lacking, the SQL injection vulnerability prevails in a large set of web applications. A successful SQL injection attack poses a serious threat to the database, the web application, and the entire web server. In this article, the authors propose a novel method for preventing SQL injection attacks. SQL injection attacks are classified according to the methods used to exploit this vulnerability. The proposed method proves to be efficient in its ability to prevent all types of SQL injection attacks. Several popular SQL injection attack tools and web application security datasets have been used to validate the model. The results obtained are promising, with a high accuracy rate for detecting SQL injection attacks.
