Abstract
SQL injection attack (SQLIA) is one of the most severe attacks that can be mounted against database-driven web applications. Attackers use SQLIA to gain unauthorized access and to perform unauthorized data modification. To combat the problem of SQLIA, researchers have proposed a variety of tools and methods that can be used as a defensive barrier between the client application and the database server. However, these tools and methods fail to address the whole problem of SQL injection, because most of the approaches are themselves vulnerable, cannot resist sophisticated attacks, or are limited in scope to a subset of SQLIA types. In response, different researchers have proposed different approaches (experimental and analytical evaluation) to evaluate the effectiveness of the existing tools based on the types of SQLIA they can detect or prevent. However, none of these researchers considered evaluating the existing tools or methods based on their ability to be deployed against the various injection parameters or under various development requirements. Therefore, in this study we followed Kitchenham's guidelines for performing a systematic review in software engineering. In this paper, we reviewed the tools and methods that are commonly used in the detection and prevention of SQLIA. Finally, we analytically evaluated the reviewed tools and methods, based on our experience, with respect to SQLIA types and injection parameters. The evaluation results showed that most researchers focused on proposing approaches to detect and prevent SQLIAs rather than on evaluating the efficiency and effectiveness of the existing SQLIA detection and prevention tools and methods. The study also revealed that previous studies placed more emphasis on prevention measures than on detection measures in combating SQLIAs. The analysis showed that these tools and methods are developed to prevent a subset of SQLIA types, and that only a few of them can be deployed against the various injection parameters that must be considered when examining SQLIAs.
It further revealed that none of the tools or methods can be deployed to prevent attacks that take advantage of a second-order (server-side) SQL injection vulnerability. Finally, the study highlights the major challenges that require an immediate response from developers and researchers in order to prevent the risk of being hacked through SQLIAs.
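The second-order (server-side) vulnerability named in the abstract, as an added example that is not part of the original article or of any tool it reviews: a small Python/sqlite3 application stores a username through a correctly parameterized INSERT, so a filter or scanner that only inspects the incoming request sees a well-formed query and nothing to flag; a later request reads that stored value back, treats it as trusted, and concatenates it into an UPDATE. This is why the abstract's "injection parameter" matters: the injection point is a database column, not an HTTP parameter. The table, user names and crafted input are constructed for the example. The hardened form beside it parameterizes every query, whatever the origin of its inputs.

```python
import sqlite3

# Constructed sample users; the database lives only in memory.
SEED_USERS = [
    ("admin", "admin-original-pw", "admin"),
    ("alice", "alice-pw", "user"),
]


def setup_db():
    """Create a fresh in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT UNIQUE NOT NULL,"
        " password TEXT NOT NULL,"
        " role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SEED_USERS
    )
    conn.commit()
    return conn


def register_user(conn, username, password):
    """First-order boundary: parameterized, so the submitted username is stored
    verbatim. A request-level filter sees nothing wrong with this call."""
    conn.execute(
        "INSERT INTO users (username, password, role) VALUES (?, ?, 'user')",
        (username, password),
    )
    conn.commit()


def change_password_vulnerable(conn, username, new_password):
    """Second-order sink: a value read back from the database is assumed safe
    and spliced into a later statement by string formatting."""
    (stored_name,) = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    sql = (
        f"UPDATE users SET password = '{new_password}' "
        f"WHERE username = '{stored_name}'"
    )
    conn.execute(sql)
    conn.commit()


def change_password_safe(conn, username, new_password):
    """Hardened form: the same logic, but every query is parameterized,
    so a stored value can never change the structure of the statement."""
    (stored_name,) = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    conn.execute(
        "UPDATE users SET password = ? WHERE username = ?", (new_password, stored_name)
    )
    conn.commit()


def password_of(conn, username):
    """Return the stored password for a user, or None if no such user exists."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def run_scenario(change_password):
    """Register a crafted username, then trigger the later query that reuses it.
    Returns (admin's password, crafted user's password) after the second request."""
    conn = setup_db()
    # Constructed sample input: closes the quoted literal and comments out the rest
    # of the WHERE clause once it is concatenated into the vulnerable UPDATE.
    crafted = "admin'--"
    register_user(conn, crafted, "attacker-pw")
    change_password(conn, crafted, "attacker-chosen")
    return password_of(conn, "admin"), password_of(conn, crafted)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(change_password_vulnerable))
    print("hardened:  ", run_scenario(change_password_safe))
```

With the vulnerable sink the second request rewrites the admin account's password, even though the crafted name entered the system through a safe, parameterized query; with the hardened sink only the crafted user's own row changes. A tool that evaluates an application one request at a time, as the abstract notes for the reviewed approaches, has no opportunity to observe the link between the two requests.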
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Ethical Approval
This article does not contain any studies with human participants performed by any of the authors.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Cite this article
Aliero, M.S., Qureshi, K.N., Pasha, M.F. et al. Systematic Review Analysis on SQLIA Detection and Prevention Approaches. Wireless Pers Commun 112, 2297–2333 (2020). https://doi.org/10.1007/s11277-020-07151-2
DOI: https://doi.org/10.1007/s11277-020-07151-2