SQLshield: Preventing SQL Injection Attacks by Modifying User Input Data

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9478)

Abstract

SQL injection attacks, a class of code injection attacks, pose a serious threat to web applications. A web server allows users to perform a query in order to get the intended service, and the SQL queries containing user inputs are executed by the database server. An attacker can take advantage of this query-response mechanism to inject some characters into the user input based on the attack strategy. This may lead to an SQL injection attack. If an attacker can bypass the SQL injection defense put at the web server, then the attacker can obtain some sensitive information from the database. In this paper, we present a scheme, SQLshield, that prevents SQL injection attacks in web applications. SQLshield uses a randomization technique that modifies the user input data before the SQL query is executed at the database server. The randomization technique used in SQLshield modifies the user input data in such a way that the execution of the resultant SQL query does not divert from its programmer-intended execution. We compare SQLshield with other schemes and show that SQLshield performs better than the other approaches used to detect and prevent SQL injection attacks.

Keywords

Web security, SQL injection attacks, SQL parse tree, Randomization

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. DA-IICT, Gandhinagar, India
