Evaluation of SQL Injection Detection and Prevention Techniques

Database driven web application are threaten by SQL Injection Attacks (SQLIAs) because this type of attack can compromise confidentiality and integrity of information in databases. Actually, an attacker intrudes to the web application database and consequently, access to data. For stopping this type of attack different approaches have been proposed by researchers but they are not enough because usually they have limitations. Indeed, some of these approaches have not implemented yet and also most of implemented approaches cannot stop all type of attacks. In this paper all type of SQL injection attack and also different approaches which can detect or prevent them are presented. Finally we evaluate these approaches against all types of SQL injection attacks and deployment requirements.

[1]  B. Achiriloaie,et al.  VI REFERENCES , 1961 .

[2]  Richard Sharp,et al.  Abstracting application-level web security , 2002, WWW.

[3]  Shih-Kun Huang,et al.  Web application security assessment by fault injection and behavior monitoring , 2003, WWW '03.

[4]  Aske Simon Christensen,et al.  Precise Analysis of String Expressions , 2003, SAS.

[5]  Angelos D. Keromytis,et al.  SQLrand: Preventing SQL Injection Attacks , 2004, ACNS.

[6]  Premkumar T. Devanbu,et al.  JDBC checker: a static analysis tool for SQL/JDBC applications , 2004, Proceedings. 26th International Conference on Software Engineering.

[7]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[8]  Zhendong Su,et al.  An Analysis Framework for Security in Web Applications , 2004 .

[9]  Premkumar T. Devanbu,et al.  Static checking of dynamically generated queries in database applications , 2004, Proceedings. 26th International Conference on Software Engineering.

[10]  Combining static analysis and runtime monitoring to counter SQL-injection attacks , 2005, ACM SIGSOFT Softw. Eng. Notes.

[11]  Benjamin Livshits,et al.  Finding application errors and security flaws using PQL: a program query language , 2005, OOPSLA '05.

[12]  Bruce W. Weide,et al.  Using parse tree validation to prevent SQL injection attacks , 2005, SEM '05.

[13]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[14]  Michael Franz,et al.  Dynamic taint propagation for Java , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[15]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.

[16]  Giovanni Vigna,et al.  A Learning-Based Approach to the Detection of SQL Attacks , 2005, DIMVA.

[17]  Tadeusz Pietraszek,et al.  Defending Against Injection Attacks Through Context-Sensitive String Evaluation , 2005, RAID.

[18]  R.A. McClure,et al.  SQL DOM: compile time checking of dynamic SQL statements , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[19]  Siddhartha Rai,et al.  Safe query objects: statically typed objects as remotely executable queries , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[20]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[21]  Alessandro Orso,et al.  A Classification of SQL Injection Attacks and Countermeasures , 2006, ISSSE.

[22]  Alessandro Orso,et al.  Using positive tainting and syntax-aware evaluation to counter SQL injection attacks , 2006, SIGSOFT '06/FSE-14.

[23]  Giovanni Vigna,et al.  Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications , 2007, RAID.

[24]  V. N. Venkatakrishnan,et al.  CANDID: preventing sql injection attacks using dynamic candidate evaluations , 2007, CCS '07.

[25]  Konstantinos Kemalis,et al.  SQL-IDS: a specification-based approach for SQL-injection detection , 2008, SAC '08.

[26]  Xiang Fu,et al.  SAFELI: SQL injection scanner using symbolic execution , 2008, TAV-WEB '08.

[27]  V. N. Venkatakrishnan,et al.  CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks , 2010, TSEC.