Systematic Review Analysis on SQLIA Detection and Prevention Approaches

Abstract

SQL injection attack (SQLIA) is one of the most severe attacks that can be mounted against database-driven web applications. Attackers use SQLIA to gain unauthorized access and to perform unauthorized data modification. To combat the problem of SQLIA, researchers have proposed a variety of tools and methods that act as a defensive barrier between the client application and the database server. However, these tools and methods have not addressed the whole problem of SQL injection attack, because most of the approaches are themselves vulnerable, cannot resist sophisticated attacks, or are limited in scope to a subset of SQLIA types. In response, different researchers have proposed different approaches (experimental and analytical evaluation) for assessing the effectiveness of these existing tools based on the types of SQLIA they can detect or prevent. However, none of these researchers considered evaluating the existing tools or methods based on their ability to be deployed across the various injection parameters or development requirements; therefore, in this study we followed Kitchenham's guidelines for performing a systematic review of software engineering literature. In this paper, we reviewed the tools and methods that are commonly used for the detection and prevention of SQLIA. Finally, we analytically evaluated the reviewed tools and methods, based on our experience, with respect to SQLIA types and injection parameters. The evaluation result showed that most researchers focused on proposing approaches to detect and prevent SQLIAs, rather than on evaluating the efficiency and effectiveness of the existing SQLIA detection and prevention tools and methods. The study also revealed that previous studies placed more emphasis on prevention measures than on detection measures in combating the problem of SQLIAs. The analysis showed that these tools and methods are developed to prevent a subset of SQLIA types, and that only a few of them can be deployed across the various injection parameters that must be considered when examining SQLIAs.
It further revealed that none of the tools or methods can be deployed to prevent attacks that take advantage of second-order (server-side) SQL injection vulnerabilities. Finally, the study highlights the major challenges that require an immediate response from developers and researchers in order to reduce the risk of being compromised through SQLIAs.
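The abstract's closing finding, that none of the reviewed tools cover second-order (server-side) SQL injection, turns on a query site that is easy to overlook: one that builds SQL from a value read back out of the database rather than from the request. The following is an added example, not code from the paper or from any tool it reviews, using Python's standard sqlite3 module and a constructed in-memory table. The input passes the first-order boundary safely (it is stored with a placeholder), and the difference appears only at the second query site, where `fetch_secrets_unsafe` concatenates the stored value and `fetch_secrets_safe` binds it as a parameter. The function and table names are assumptions for the illustration.

```python
import sqlite3

# Constructed sample value in the classic tautology shape; it is stored verbatim
# because the insert below uses a placeholder, so first-order filtering "succeeds".
STORED_NAME = "x' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table with one quote-bearing name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    # First-order boundary: parameterized insert, so the value is stored as data.
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s1"), (STORED_NAME, "s2"), ("bob", "s3")],
    )
    conn.commit()
    return conn


def _lookup_name(conn: sqlite3.Connection, user_id: int) -> str:
    """Read the stored name for a user id (itself parameterized)."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]


def fetch_secrets_unsafe(conn: sqlite3.Connection, user_id: int) -> list:
    """Second-order pattern: trusts the value because it came from the database."""
    name = _lookup_name(conn, user_id)
    # The stored quote now terminates the literal and the tautology widens the WHERE.
    query = f"SELECT secret FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def fetch_secrets_safe(conn: sqlite3.Connection, user_id: int) -> list:
    """Hardened form: the stored value is bound, so it can only ever match a name."""
    name = _lookup_name(conn, user_id)
    rows = conn.execute(
        "SELECT secret FROM users WHERE name = ? ORDER BY id", (name,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    print("unsafe:", fetch_secrets_unsafe(db, 2))  # every row's secret leaks
    print("safe:  ", fetch_secrets_safe(db, 2))    # only the matching row
```

The mitigation is the same parameterization that stops first-order injection; the point the abstract makes is that tools which only inspect client input never see this second query site, so the review's gap is a coverage gap in where the check is applied, not in what check is needed.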

Author information

Corresponding author

Correspondence to Kashif Naseer Qureshi.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical Approval

This article does not contain any studies with human participants performed by any of the authors.

About this article

Cite this article

Aliero, M.S., Qureshi, K.N., Pasha, M.F. et al. Systematic Review Analysis on SQLIA Detection and Prevention Approaches. Wireless Pers Commun 112, 2297–2333 (2020). https://doi.org/10.1007/s11277-020-07151-2

Keywords

  • SQLIA prevention
  • SQLIAs detection
  • Detection method
  • Detection tool
  • Types of SQLIAs
  • Injection parameters
  • Analytical evaluation