论文信息 - Client-Side Detection of SQL Injection Attack

Client-Side Detection of SQL Injection Attack

Despite the development of many server-side approaches, SQL Injection (SQLI) vulnerabilities are still widely reported. A complementary approach is to detect the attack from the client-side (browser). This paper presents a client-side approach to detect SQLI attacks. The client-side accepts shadow SQL queries from the server-side and checks any deviation between shadow queries with dynamic queries generated with user supplied inputs. We propose four conditional entropy metrics to measure the deviation between the shadow query and dynamic query. We evaluate the approach with an open source PHP application. The results indicate that our approach can detect malicious inputs early at the client-side.

Hossain Shahriar | Sarah North | Wei-Chuen Chen

[1] Giovanni Agosta,et al. Automated Security Analysis of Dynamic Web Applications through Symbolic Code Execution , 2012, 2012 Ninth International Conference on Information Technology - New Generations.

[2] Joachim Posegga,et al. Secure Code Generation for Web Applications , 2010, ESSoS.

[3] Marco Vieira,et al. Defending against Web Application Vulnerabilities , 2012, Computer.

[4] Thomas M. Cover,et al. Elements of Information Theory: Cover/Elements of Information Theory, Second Edition , 2005 .

[5] Thomas M. Cover,et al. Elements of Information Theory , 2005 .

[6] Úlfar Erlingsson,et al. Engineering Secure Software and Systems , 2011, Lecture Notes in Computer Science.