Prevention of SQL Injection attack using query transformation and hashing

In this Internet age, web applications have become an integral part of our lives, but the security and privacy of our sensitive data have become a major concern. Over the last several years, SQL Injection has been the most prevalent form of attack on web databases. Much research has been done in this area, but most of the approaches in the literature either have high computational overhead or are difficult to deploy in practical scenarios. In this paper we propose a lightweight approach to preventing SQL Injection attacks based on a novel query transformation scheme and hashing. We implemented it on a prototype e-commerce application, and the results of our experiments show that it can successfully and efficiently block a variety of SQL Injection attempts. The approach can also be implemented easily on any language or database platform with little modification.
