Securing Web Applications against Structured Query Language Injection Attacks using a Hybrid Approach: Input Filtering and Web Application Firewall

SQL injection is a type of attack used to gain, manipulate, or delete information in any data-driven system, regardless of whether the system is online or offline and whether it is web-based or not. A common way for an attacker to launch an SQL injection attack (SQLIA) is to modify user input so that it contains partial SQL queries and trick the server into executing them. In this paper, a literature review of SQL injection attacks and their mitigation is presented. It shows that the study of SQL injection has been conducted in a diverse range of areas. The main objective of this paper is to give an elaborate study of the different types of SQL injection, their mitigation strategies, critiques of past approaches and, finally, the knowledge gap. It seeks to consolidate knowledge of the work done by others on SQL injection attacks in web applications, which remain a threat to date despite the numerous studies in this field.
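As an added example (not code from the paper or its authors), the following Python/sqlite3 snippet shows the mechanism the abstract describes: a query built by string concatenation lets input that carries an SQL fragment change the query's structure, while a parameterized query treats the same input as data, and an allowlist input filter in front of it rejects the input before it reaches the database. The table, its rows and the `is_valid_username` rule are constructed for the example; the paper's web application firewall component is not modelled.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample database (not from the paper).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_concat(conn, username):
    # Vulnerable: the input is spliced into the SQL text, so input that
    # contains SQL fragments is parsed as part of the query.
    sql = ("SELECT username FROM users WHERE username = '"
           + username + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    # Hardened: the value travels separately from the query text, so the
    # database always treats it as a literal, never as SQL.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(username):
    # Allowlist filter (constructed rule): 1-32 characters, letters, digits
    # and underscore only. Quotes, spaces and operators are rejected.
    return 1 <= len(username) <= 32 and username.replace("_", "").isalnum()


def lookup_hybrid(conn, username):
    # Input filtering first, parameterized query second; returns None when
    # the input is rejected so the caller can log and refuse the request.
    if not is_valid_username(username):
        return None
    return lookup_param(conn, username)


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"   # classic textbook tautology input
    print("concat :", lookup_concat(db, tautology))   # every row leaks
    print("param  :", lookup_param(db, tautology))    # no match
    print("hybrid :", lookup_hybrid(db, tautology))   # rejected by filter
```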
