A Simple and Fast Technique for Detection and Prevention of SQL Injection Attacks (SQLIAs)

In SQLIA, attacker injects an input in the query in order to change the structure of the query intended by the programmer and therefore, gain access to the data in the underlying database. Due to the significance of the stored data, web application’s security against SQLIA is vital. In this paper we propose a new technique based on static analysis and runtime validation for detection and prevention of SQLIAs. In this technique user inputs in SQL queries are removed and some information is gathered in order to make the detection easier and faster at runtime. Our experiments show that our proposed technique is fast, it has a low error rate and its detection rate is nearly 100%.

[1]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[2]  Chunhui Song SQL injection attacks and countermeasures , 2010 .

[3]  Suraj C. Kothari,et al.  Eliminating SQL Injection Attacks - A Transparent Defense Mechanism , 2006, 2006 Eighth IEEE International Symposium on Web Site Evolution (WSE'06).

[4]  Bob Martin,et al.  2010 CWE/SANS Top 25 Most Dangerous Software Errors , 2010 .

[5]  Chris Anley,et al.  Advanced SQL Injection In SQL Server Applications , 2002 .

[6]  Bruce W. Weide,et al.  Using parse tree validation to prevent SQL injection attacks , 2005, SEM '05.

[7]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[8]  S. Rai,et al.  Safe query objects: statically typed objects as remotely executable queries , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[9]  Alessandro Orso,et al.  A Classification of SQL Injection Attacks and Countermeasures , 2006, ISSSE.

[10]  R.A. McClure,et al.  SQL DOM: compile time checking of dynamic SQL statements , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[11]  Kenji Kono,et al.  Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[12]  Raphael C.-W. Phan,et al.  Augmented attack tree modeling of SQL injection attacks , 2010, 2010 2nd IEEE International Conference on Information Management and Engineering.

[13]  Mattia Monga,et al.  A hybrid analysis framework for detecting web application vulnerabilities , 2009, 2009 ICSE Workshop on Software Engineering for Secure Systems.