Blocking of SQL Injection Attacks by Comparing Static and Dynamic Queries

Автор: Jaskanwal Minhas, Raman Kumar

Журнал: International Journal of Computer Network and Information Security(IJCNIS) @ijcnis

Статья в выпуске: 2 vol.5, 2013 года.

Бесплатный доступ

Due to internet expansion web applications have now become a part of everyday life. As a result a number of incidents which exploit web application vulnerabilities are increasing. A large number of these incidents are SQL Injection attacks which are a serious security threat to databases which contain sensitive information, the leakage of which cause a large amount of loss. SQL Injection Attacks occur when an intruder changes the query structure by inserting any malicious input. There are a number of methods available to detect and prevent SQL Injection Attacks. But these are too complex to use. This paper proposes a very simple, effective and time saving technique to detect SQLIAs which uses combined static and dynamic analysis and also defines an attack other than existing classification of SQLIAs.

Еще

Dynamic and Static query, SQL query, SQLIAs

Короткий адрес: https://sciup.org/15011159

IDR: 15011159

Список литературы Blocking of SQL Injection Attacks by Comparing Static and Dynamic Queries

  • PHP, magic quotes, http: // www.php.net/magic_quotes/ .
  • C. Gould, Z. Su, P. Devanbu, "JDBC checker: a static analysis tool for SQL/JDBC applications", In Proceedings of the 26th International Conference on Software Engineering, ICSE, 2004, pp. 697–698.
  • G. Wassermann, Z. Su, "An analysis framework for security in web applications", In Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems, SAVCBS, 2004, pp. 70–78.
  • Paros. Parosproxy.org. http : // www.Parosproxy.org/.
  • Yuji Kosuga et al, "Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection", In Computer Security Applications Conference, 2007, pp.107-117.
  • Halfond W. G, Orso. A, "AMNESIA : Analysis and Monitoring for Neutralizing SQL-Injection Attacks", In Proceedings of the 20th IEEE/ACM international Conference on Automated Software Engineering, 2005, pp. 174-183.
  • Z. Su, G. Wassermann, "The essence of command injection attacks in web applications", In Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 2006, pp. 372–382.
  • Buehrer. G, Weide. B. W, Sivilotti. P A, "Using Parse Tree Validation to Prevent SQL Injection Attacks", In Proceedings of the 5th international Workshop on Software Engineering and Middleware, 2005, pp. 105-113.
  • Wei. K, Muthuprasanna. M, Kothari. S, "Preventing SQL injection attacks in stored procedures", In Software Engineering Conference 2006. Australian, 2006, pp. 18-21.
  • F. Valeur, D. Mutz, G. Vigna , "A Learning-Based Approach to the Detection of SQL Attacks", In Proceedings of the Conference of Detection of Intrusions and Malware and Vulnerability Assessment, 2005, pp. 123-140.
  • William G.J. Halfond et al, "A Classification of SQL Injection Attacks and Counter measures", In Proceedings of the Intern. Symposium on Secure Software Engineering, 2006, pp. 101-111.
  • S. Boyd, A. Keromytis, "SQLrand: preventing SQL injection attacks", In Applied Cryptography and Network Security, In LNCS, vol. 3089, 2004, pp. 74-82.
  • M. Martin, B. Livshits, and M. S. Lam, "Finding Application Errors and Security Flaws Using PQL: A Program Query Language", In Proceedings of the 20th Annual ACM SIGPLAN conference on Object oriented programming systems languages and applications, 2005.
  • V. Haldar, D. Chandra, and M. Franz, "Dynamic Taint Propagation for Java", In Proceedings 21st Annual Computer Security Applications Conference, 2005.
  • T.C. Pietraszek, V. Berghe, "Defending against injection attacks through context–sensitive string evaluation", In Proceeding of Recent Advances in Intrusion Detection, in: LNCS, vol. 3858, 2006, pp. 124–145.
  • A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, D. Evans, "Automatically hardening web application using precise tainting information", In Twentieth IFIP International Information Security Conference, in: LNCS, vol. 181, 2005, pp. 295–307.
  • V.B. Livshits, M.S. Lam, "Finding security errors in Java programs with static analysis", In Proceedings of the 14th Usenix Security Symposium, 2005, pp. 271–286.
  • W. R. Cook and S. Rai, "Safe Query Objects: Statically Typed Objects as Remotely Executable Queries", In Proceedings of the 27th Intern. Conf. on Software Engineering, 2005, pp. 97–106.
  • D. Scott, R. Sharp, "Abstracting application-level web security", In Proceedings of the 11th International Conference on the World Wide Web, 2002, pp. 396–407.
  • R. McClure and I. Kr¨uger, "SQL DOM: Compile Time Checking of Dynamic SQL Statements", In Proceedings of the 27th Intern. Conf. on Software Engineering , 2005, pp. 88–96.
  • Y. Huang, S. Huang, T. Lin, C. Tasi, "Web application security assessment by fault injection and behavior monitoring", In Proceedings of the 12th International Conference on World Wide Web, 2003, pp. 148–159.
  • Y. Huang, F. Yu, C. Hang, C.H. Tsai, D.T. Lee, S.Y. Kuo, "Securing web application code by static analysis and runtime protection", In Proceedings of the 12th International World Wide Web Conference ACM, 2004, pp. 40–52.
  • Inyong Lee, Soonki Jeong, Sangsoo Yeo, Jongsub Moon, "A novel method for SQL injection attack detection based on removing SQL query attribute values", In Center for Information Security Technologies, Korea University, 2011, pp. 136-713.
  • Jeom-Goo Kim , "Injection Attack Detection using the Removal of SQL Query Attribute Values", In IEEE, 2011.
  • W. G. Halfond and A. Orso, "Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks", In Proceedings of the Third Intern. ICSE Workshop on Dynamic Analysis (WODA 2005), 2005, pp. 22–28.
  • Stephen Thomas, Laurie Williams, "Using Automated Fix Generation to Secure SQL Statements", In Third International Workshop on Software Engineering for Secure Systems, 2007, pp. 287-293.
  • V. Shanmughaneethi et al, "Securing Web Applications with Service Based SQL Injection Detection", In International Conference on Advances in Computing, Control and Telecommunication Technologies, 2009, pp. 702-704.
Еще
Статья научная