Survey on securing a querying process by blocking SQL injection

Web applications are an important part of daily life, and attacks against them are increasing quickly; one of these attacks is the SQL injection attack (SQLIA). SQLIA is a well-known attack, today among the most common and best documented threats. It is launched through specially crafted user inputs and targets web applications that use a backend database. The characteristic feature of this attack is that it changes the intended structure of the query. The best way to avoid this type of attack is to never allow user input to become part of the SQL query directly. This survey is intended to support future research and development work and to raise awareness of the presented approaches.
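The two points the abstract makes, that an injection changes the intended query structure and that the defense is to keep user input out of the query text, can be shown side by side. The following is an added example and not code from the survey or from any of the works it covers: it builds a query by string concatenation, compares the resulting token skeleton against the skeleton of the intended query to detect a structural change, and contrasts that with a parameterized query that keeps input and structure separate. The in-memory SQLite table, the sample rows and the `query_shape` tokenizer are constructed for the example; the tokenizer is a simplified helper, not a real SQL parser.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


# Simplified tokenizer (hypothetical helper): string literal, number, word, or single symbol.
TOKEN_RE = re.compile(r"\s*(?:('(?:[^']|'')*')|(\d+)|([A-Za-z_][A-Za-z_0-9]*)|(\S))")


def query_shape(sql):
    """Structural skeleton of a query: literals collapsed to STR/NUM, keywords upper-cased.

    Two queries that differ only in literal values have the same shape; a query whose
    input has added clauses, operators or extra literals has a different shape.
    """
    shape = []
    for m in TOKEN_RE.finditer(sql):
        string, number, word, symbol = m.groups()
        if string is not None:
            shape.append("STR")
        elif number is not None:
            shape.append("NUM")
        elif word is not None:
            shape.append(word.upper())
        else:
            shape.append(symbol)
    return shape


def build_unsafe(name):
    """The vulnerable pattern: user input becomes part of the SQL text."""
    return f"SELECT id, name FROM users WHERE name = '{name}'"


# The shape the developer intended: exactly one string literal in the WHERE clause.
INTENDED_SHAPE = query_shape(build_unsafe("placeholder"))


def structure_changed(name):
    """Detection: does this input alter the intended query structure?"""
    return query_shape(build_unsafe(name)) != INTENDED_SHAPE


def lookup_unsafe(conn, name):
    """Runs the concatenated query; the result set depends on the input's structure."""
    return sorted(row[1] for row in conn.execute(build_unsafe(name)))


def lookup_safe(conn, name):
    """Mitigation: a parameterized query; the input is bound as a value, never parsed."""
    rows = conn.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return sorted(row[1] for row in rows)


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "x' OR 'a'='a"):
        print(repr(value), "changes structure:", structure_changed(value),
              "| unsafe:", lookup_unsafe(db, value), "| safe:", lookup_safe(db, value))
```

Note that an ordinary value containing a quote, such as the surname `O'Brien`, also fails the shape check and makes the concatenated query a syntax error, while the parameterized lookup handles it as plain data; structural validation can catch injected input, but binding parameters removes the problem rather than detecting it.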
