Prevention and Detection Techniques for SQL Injection Attacks
Kamlesh Kumar Raghuvanshi, Deen Bandhu Dixit. "Prevention and Detection Techniques for SQL Injection Attacks". International Journal of Computer Trends and Technology (IJCTT) V12(3):107-110, June 2014. ISSN: 2231-2803. www.ijcttjournal.org. Published by Seventh Sense Research Group.
Abstract -
Different kinds of web applications run on web servers over the World Wide Web protocol, and many of them may be vulnerable to SQL injection attacks, a type of input validation attack. Using such attacks, a web application can be compromised easily and its confidential data stolen by an anonymous user. This may be dangerous for an organization's market value.
Keywords
SQL Injection Attacks, Static Analysis, Dynamic Analysis, Detection, Prevention