SQL Injection Attack Mechanisms and Prevention Techniques

SQL Injection Attacks have been around for over a decade and yet most web applications being deployed today are vulnerable to it. The bottom line is that the web has made it easy for new developers to develop web applications without concerning themselves with the security flaws, and that SQL Injection is thought to be a simple problem with a very simple remedy. To truly bring security to the masses, we propose a classification that not only enumerates but also categorizes the various attack methodologies, and also the testing frameworks and prevention mechanisms. We intend our classification to help understand the state of the art on both sides of the fields to lay the groundwork for all future work in this area.

[1]  Eelco Visser,et al.  Preventing injection attacks with syntax embeddings , 2007, GPCE '07.

[2]  Gabriel Maciá-Fernández,et al.  Anomaly-based network intrusion detection: Techniques, systems and challenges , 2009, Comput. Secur..

[3]  Benjamin Livshits,et al.  Context-sensitive program analysis as database queries , 2005, PODS.

[4]  Frank S. Rietta Application layer intrusion detection for SQL injection , 2006, ACM-SE 44.

[5]  Konstantinos Kemalis,et al.  SQL-IDS: a specification-based approach for SQL-injection detection , 2008, SAC '08.

[6]  Pavel Laskov,et al.  Detection of Intrusions and Malware, and Vulnerability Assessment: 19th International Conference, DIMVA 2022, Cagliari, Italy, June 29 –July 1, 2022, Proceedings , 2022, International Conference on Detection of intrusions and malware, and vulnerability assessment.

[7]  Chris Anley,et al.  Advanced SQL Injection In SQL Server Applications , 2002 .

[8]  Alessandro Orso,et al.  Combining static analysis and runtime monitoring to counter SQL-injection attacks , 2005, ACM SIGSOFT Softw. Eng. Notes.

[9]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[10]  Michael Meier,et al.  Learning SQL for Database Intrusion Detection Using Context-Sensitive Modelling (Extended Abstract) , 2009, DIMVA.

[11]  Bruce W. Weide,et al.  Using parse tree validation to prevent SQL injection attacks , 2005, SEM '05.

[12]  V. N. Venkatakrishnan,et al.  CANDID: preventing sql injection attacks using dynamic candidate evaluations , 2007, CCS '07.

[13]  Xiang Fu,et al.  A Static Analysis Framework For Detecting SQL Injection Vulnerabilities , 2007, 31st Annual International Computer Software and Applications Conference (COMPSAC 2007).

[14]  R.A. McClure,et al.  SQL DOM: compile time checking of dynamic SQL statements , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[15]  Khaleel Ahmad,et al.  Classification of SQL Injection Attacks , 2010 .

[16]  Benjamin Livshits,et al.  Improving software insecurity with precise static and runtime analysis , 2006 .

[17]  R. Power CSI/FBI computer crime and security survey , 2001 .

[18]  Pieter H. Hartel,et al.  Panacea: Automating Attack Classification for Anomaly-Based Network Intrusion Detection Systems , 2009, RAID.

[19]  Laurie Williams,et al.  SQLUnitGen: SQL Injection Testing Using Static and Dynamic Analysis , 2006 .

[20]  Úlfar Erlingsson,et al.  Engineering Secure Software and Systems , 2011, Lecture Notes in Computer Science.

[21]  Alejandro Pérez-Villegas,et al.  An Anomaly-Based Approach for Intrusion Detection in Web Traffic , 2010 .

[22]  Alessandro Orso,et al.  Preventing SQL injection attacks using AMNESIA , 2006, ICSE.

[23]  Dibyendu Aich Secure Query Processing by Blocking SQL Injection , 2009 .

[24]  Ralph E. Johnson,et al.  Systematically Eradicating Data Injection Attacks Using Security-Oriented Program Transformations , 2009, ESSoS.