SQL injection attacks countermeasures assessments

SQL injections attacks have been rated as the most dangerous vulnerability of web-based systems over more than a decade by OWASP top ten. Though different static, runtime and hybrid approaches have been proposed to counter SQL injection attacks, no single approach guarantees flawless prevention/ detection for these attacks. Hundreds of components of open source and commercial software products are reported to be vulnerable for SQL injection to CVE repository every year. In this mapping study, we identify different existing approaches in terms of the cost of computation and protection offered. We found that most of the existing techniques claim to offer protection based on the testing on a very small or limited scale. This study dissects each proposed approach and highlights their strengths and weaknesses and categorizes them based on the underlying technology used to detect or counter the injection attacks.

[1]  Dongmei Zhang,et al.  Hidden web crawling for SQL injection detection , 2010, 2010 3rd IEEE International Conference on Broadband Network and Multimedia Technology (IC-BNMT).

[2]  Suraj C. Kothari,et al.  Eliminating SQL Injection Attacks - A Transparent Defense Mechanism , 2006, 2006 Eighth IEEE International Symposium on Web Site Evolution (WSE'06).

[3]  Raman Kumar,et al.  Blocking of SQL Injection Attacks by Comparing Static and Dynamic Queries , 2012 .

[4]  Wen-Kui Chang,et al.  A Hot Query Bank approach to improve detection performance against SQL injection attacks , 2012, Comput. Secur..

[5]  Bruce W. Weide,et al.  Using parse tree validation to prevent SQL injection attacks , 2005, SEM '05.

[6]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[7]  Alessandro Orso,et al.  Combining static analysis and runtime monitoring to counter SQL-injection attacks , 2005, ACM SIGSOFT Softw. Eng. Notes.

[8]  Alessandro Orso,et al.  Using positive tainting and syntax-aware evaluation to counter SQL injection attacks , 2006, SIGSOFT '06/FSE-14.

[9]  Konstantinos Kemalis,et al.  SQL-IDS: a specification-based approach for SQL-injection detection , 2008, SAC '08.

[10]  Nuno Laranjeiro,et al.  Protecting Database Centric Web Services against SQL/XPath Injection Attacks , 2009, DEXA.

[11]  Agostino Cortesi,et al.  Obfuscation-based analysis of SQL injection attacks , 2010, The IEEE symposium on Computers and Communications.

[12]  E. Ramaraj,et al.  An Efficient Technique for Detection and Prevention of SQL Injection Attack using ASCII Based String Matching , 2012 .

[13]  William K. Robertson,et al.  Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis , 2012, 2012 IEEE 36th Annual Computer Software and Applications Conference.

[14]  R.A. McClure,et al.  SQL DOM: compile time checking of dynamic SQL statements , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[15]  Sangita Roy,et al.  A network based vulnerability scanner for detecting SQLI attacks in web applications , 2012, 2012 1st International Conference on Recent Advances in Information Technology (RAIT).

[16]  Massimiliano Di Penta,et al.  A heuristic-based approach for detecting SQL-injection vulnerabilities in web applications , 2010, SESS '10.

[17]  Dimitris Mitropoulos,et al.  SDriver: Location-specific signatures prevent SQL injection attacks , 2009, Comput. Secur..

[18]  Laurie Williams,et al.  SQLUnitGen: SQL Injection Testing Using Static and Dynamic Analysis , 2006 .

[19]  Marco Vieira,et al.  Detecting SQL Injection Vulnerabilities in Web Services , 2009, 2009 Fourth Latin-American Symposium on Dependable Computing.

[20]  Kenji Kono,et al.  Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[21]  Giovanni Vigna,et al.  A Learning-Based Approach to the Detection of SQL Attacks , 2005, DIMVA.

[22]  Raheel Muzzammel,et al.  Advanced energy management system with the incorporation of novel security features , 2020 .

[23]  Haiyan Wu,et al.  Test SQL injection vulnerabilities in web applications based on structure matching , 2011, Proceedings of 2011 International Conference on Computer Science and Network Technology.

[24]  Gao Jiao,et al.  SQLIMW: A New Mechanism against SQL-injection , 2012, 2012 International Conference on Computer Science and Service System.

[25]  Mark Sherriff,et al.  Automated Fix Generator for SQL Injection Attacks , 2008, 2008 19th International Symposium on Software Reliability Engineering (ISSRE).

[26]  Nan Zhihong,et al.  A database security testing scheme of web application , 2009, 2009 4th International Conference on Computer Science & Education.

[27]  Kanchana Natarajan,et al.  Generation of Sql-injection Free Secure Algorithm to Detect and Prevent Sql-Injection Attacks , 2012 .

[28]  Phyllis G. Frankl,et al.  Preventing SQL Injection through Automatic Query Sanitization with ASSIST , 2010, TAV-WEB.

[29]  Shih-Jen Chen,et al.  TransSQL: A Translation and Validation-Based Solution for SQL-injection Attacks , 2011, 2011 First International Conference on Robot, Vision and Signal Processing.

[30]  Benjamin Livshits,et al.  Securing web applications with static and dynamic information flow tracking , 2008, PEPM '08.

[32]  Mohammad Zulkernine,et al.  Information-Theoretic Detection of SQL Injection Attacks , 2012, 2012 IEEE 14th International Symposium on High-Assurance Systems Engineering.

[33]  Maen Takruri,et al.  Security vulnerabilities related to web-based data , 2019, TELKOMNIKA (Telecommunication Computing Electronics and Control).

[34]  Javier Bajo,et al.  idMAS-SQL: Intrusion Detection Based on MAS to Detect and Block SQL injection through data mining , 2013, Inf. Sci..

[35]  Laurie A. Williams,et al.  On automated prepared statement generation to remove SQL injection vulnerabilities , 2009, Inf. Softw. Technol..

[36]  Jeom-Goo Kim,et al.  Injection Attack Detection Using the Removal of SQL Query Attribute Values , 2011, 2011 International Conference on Information Science and Applications.

[37]  D. R. Giri,et al.  Object oriented approach to SQL injection preventer , 2012, 2012 Third International Conference on Computing, Communication and Networking Technologies (ICCCNT'12).

[38]  Asaad Moosa,et al.  Artificial Neural Network based Web Application Firewall for SQL Injection , 2010 .

[39]  Monis Akhlaq,et al.  Event-Based Alert Correlation System to Detect SQLI Activities , 2011, 2011 IEEE International Conference on Advanced Information Networking and Applications.

[40]  Pongpisit Wuttidittachotti,et al.  Authentication and password storing improvement using SXR algorithm with a hash function , 2020 .

[41]  Angelos Stavrou,et al.  SQLProb: a proxy-based architecture towards preventing SQL injection attacks , 2009, SAC '09.

[42]  Nuno Laranjeiro,et al.  A Learning-Based Approach to Secure Web Services from SQL/XPath Injection Attacks , 2010, 2010 IEEE 16th Pacific Rim International Symposium on Dependable Computing.

[43]  Xiang Fu,et al.  A Static Analysis Framework For Detecting SQL Injection Vulnerabilities , 2007, 31st Annual International Computer Software and Applications Conference (COMPSAC 2007).

[44]  Romil Rawat,et al.  SQL injection attack Detection using SVM , 2012 .

[45]  Sang-Soo Yeo,et al.  A novel method for SQL injection attack detection based on removing SQL query attribute values , 2012, Math. Comput. Model..

[46]  Ram Srivatsa Kannan,et al.  Random4: An Application Specific Randomized Encryption Algorithm to Prevent SQL Injection , 2012, 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications.

[47]  Suraj C. Kothari,et al.  Preventing SQL injection attacks in stored procedures , 2006, Australian Software Engineering Conference (ASWEC'06).

[48]  Laurie A. Williams,et al.  Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks , 2010, ESSoS.

[49]  G. Aghila,et al.  Combinatorial Approach for Preventing SQL Injection Attacks , 2009, 2009 IEEE International Advance Computing Conference.

[50]  Lwin Khin Shar,et al.  Mining input sanitization patterns for predicting SQL injection and cross site scripting vulnerabilities , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[51]  V. N. Venkatakrishnan,et al.  CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks , 2010, TSEC.

[52]  Varghese Paul,et al.  SQLStor: Blockage of stored procedure SQL injection attack using dynamic query structure validation , 2012, 2012 12th International Conference on Intelligent Systems Design and Applications (ISDA).

[53]  Patrick P. K. Chan,et al.  SQL injection attacks detection in adversarial environments by k-centers , 2012, 2012 International Conference on Machine Learning and Cybernetics.

[54]  Michael D. Ernst,et al.  Automatic creation of SQL Injection and cross-site scripting attacks , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[55]  Angelos D. Keromytis,et al.  SQLrand: Preventing SQL Injection Attacks , 2004, ACNS.

[56]  Jing Xu,et al.  Research on mock attack testing for SQL injection vulnerability in multi-defense level web applications , 2010, The 2nd International Conference on Information Science and Engineering.

[57]  Giuliano Antoniol,et al.  Automated Protection of PHP Applications Against SQL-injection Attacks , 2007, 11th European Conference on Software Maintenance and Reengineering (CSMR'07).