
Evaluating the Effectiveness of Conventional Fixes for SQL Injection Vulnerability

  • Conference paper
  • Proceedings of 3rd International Conference on Advanced Computing, Networking and Informatics
  • Part of the book series: Smart Innovation, Systems and Technologies (SIST, volume 44)

Abstract

The computer world is familiar with SQL, as it plays a major role in the development of web applications. Almost all applications have data to be stored for future reference, and most of them use an RDBMS; many choose their backend from the SQL variants. Large and important applications, such as those of banks and credit-card companies, hold highly sensitive data in their databases. With the incredible advancement in technology, almost no data can survive the omniscient eyes of attackers; the only thing that can be done is to make the attackers' work difficult. The conventional fixes help prevent attacks to an extent, but there is a need for authentic work on the effectiveness of these fixes. In this paper, we present a study of the popular SQL Injection Attack (SQLIA) techniques and the effectiveness of conventional fixes in reducing them. To address SQLIAs in depth, a thorough background study was done and the mitigation techniques were evaluated using both automated and manual testing. We used a renowned penetration testing tool, SQLMap, for the automated testing. The results indicate the importance of incorporating these mitigation techniques in the code, apart from going for complex fixes that require both effort and time.



Correspondence to Swathy Joseph .

Copyright information

© 2016 Springer India

Cite this paper

Joseph, S., Jevitha, K.P. (2016). Evaluating the Effectiveness of Conventional Fixes for SQL Injection Vulnerability. In: Nagar, A., Mohapatra, D., Chaki, N. (eds) Proceedings of 3rd International Conference on Advanced Computing, Networking and Informatics. Smart Innovation, Systems and Technologies, vol 44. Springer, New Delhi. https://doi.org/10.1007/978-81-322-2529-4_44

  • DOI: https://doi.org/10.1007/978-81-322-2529-4_44

  • Publisher Name: Springer, New Delhi

  • Print ISBN: 978-81-322-2528-7

  • Online ISBN: 978-81-322-2529-4