Abstract
The number of Internet users has grown incredibly. Web applications are now used in many sectors, such as e-commerce, banking, and the military. A web application is a collection of thousands of lines of code, which frequently contain bugs. Some of these bugs affect security and can give an attacker complete control of the application. During client–server communication, the attacker supplies malicious input to the application, and these unnoticed vulnerabilities cause financial losses to organizations. Mitigating such attacks is therefore vital to avoid damaging consequences. A large body of research on application security is ongoing, but every defense has its own advantages and disadvantages. The aim of this paper is to study and consolidate the understanding of injection vulnerabilities and their mitigation techniques. Different approaches proposed by researchers are analyzed here, and the pitfalls observed in the existing solutions are discussed.
References
Deepa, G., Thilagam, P.S.: Securing web applications from injection and logic vulnerabilities: approaches & challenges. ACM Inf. Soft. Technol. (India) 74, 160–180 (2016)
European Personal Security Blog. [online] Available: http://securityaffairs.co/
CYREN, August 2015: How to Overcome Web Security Challenges. [online] Available: http://pages.cyren.com/WP_Overcome_WebSec_Challenges.html
OWASP Group: Top 10 Most Critical Web Application Security Vulnerabilities. [online] Available: https://www.owasp.org/index.php
WAP Tool Website: [Online] Available: http://awap.sourceforge.net/
Moh, M., Pininti, S., Doddapaneni, S., Moh, T.S.: Detecting web attacks using multi-stage log analysis. In: 2016 IEEE 6th International Conference on Advanced Computing (IACC), Bhimavaram, pp. 733–738 (2016)
Xiao, L., Ishikawa, T., Sakurai, K.: SQL Injection Attack Detection Method Using Expectation Criterion. CANDAR, IEEE, Hiroshima, Japan, pp. 649–654 (2016)
Deva Priyaa, B., Devi, M.I.: Fragmented query parse tree based SQL injection detection system for web applications. ICCTIDE, IEEE, Kovilpatti, pp. 1–5 (2016)
Kar, D., Agarwal, K., Sahoo, A., Panigrahi, S.: Detection of SQL injection attacks using Hidden Markov Model. IEEE-ICETECH, Coimbatore, pp. 1–6 (2016)
Uwagbole, S.O., Buchanan, W.J., Fan, L.: Numerical encoding to Tame SQL injection attacks. NOMS 2016 IEEE/IFIP, pp. 1253–1256 (2016)
Pramod, A., Ghosh, A., Mohan, A., Shrivastava, M., Shettar, R.: SQLI detection system for a safer web application. Int Conf IEEE (IACC) (2015)
Wang, Y., Wang, D., Liu, Y.: Detecting SQL vulnerability attack based on the dynamic and static analysis. COMPSAC, IEEE, Taichung, pp. 604–607 (2015)
Watcharapupong, A., Threepak, T.: Web attack detection using chromatography-like entropy analysis. In: Recent Advances in Information and Communication Technology, 361. Springer, Switzerland (2015)
Sonewar, P., Mhetre, N.: A novel approach for detection of SQL injection and cross site scripting attacks. In: ICPC. IEEE, Pune, India (2015)
Sadeghian, A., Zamani, M., Abd. Manaf, A.: SQL injection vulnerability general patch using header sanitization. In: IEEE I4CT, Langkawi, Malaysia (2014)
Joshi, A., Geetha, V.: SQL injection detection using machine learning. In: ICCICCT, pp. 1111–1115. IEEE, Kanyakumari (2014)
Shahriar, H., Zulkernine, M.: Information-theoretic detection of SQL injection attacks. In: IEEE 14th ISHASE, Omaha, USA (2012)
Murtaza, S., Abid, A.S.: Automated white-list learning technique for detection of malicious attack on web application. In: IBCAST, pp. 416–420. IEEE, Islamabad (2016)
Qbea’h, M., Alshraideh, M., Sabri, K.E.: Detecting and preventing SQL injection attacks: a formal approach. In: IEEE/CCC, Amman, pp. 123–129 (2016)
Chenyu, M., Fan, G.: Defending SQL injection attacks based-on intention-oriented detection. In: 11th International Conference ICCSE, Nagoya, pp. 939–944 (2016)
Rauti, S., Teuhola, J., Leppänen, V.: Diversifying SQL to prevent injection attacks. In: IEEE Trustcom/BigDataSE/ISPA (2015)
Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for neutralizing SQL injection attacks. In: ACM, ASE’05, Long Beach, California, USA (2005)
McClure, R.A., Krüger, I.H.: SQL DOM: compile time checking of dynamic SQL statements. In: ACM ICSE’05, St. Louis, Missouri, USA (2005)
Hanmanthu, B., Ram, B.R., Niranjan, P.: SQL injection attack prevention based on decision tree classification. In: IEEE ISCO, Coimbatore, India, pp. 1–5 (2015)
Afooshteh, A.N., Tuong, A.N., Hiser, J.D., Davidson, J.W.: Joza: hybrid taint inference for defeating web application SQL injection attacks. IEEE/IFIP, Brazil (2015)
Makiou, A., Begriche, Y., Serhrouchni, A.: Improving web application firewalls to detect advanced SQL injection attacks. In: IEEE/IAS, Okinawa, Japan (2014)
Liban, A., Hilles, S.M.S.: Enhancing Mysql injector vulnerability checker tool (Mysql Injector) using inference binary search algorithm for blind timing-based attack. In: IEEE 5th, Shah Alam/ICSGRC, Shah Alam, Malaysia, pp. 47–52 (2014)
Roichman, A., Gudes, E.: DIWeDa—detecting intrusions in web databases. In: Atluri, V. (ed.) IFIP International Federation for Information Processing 2008. DAS 2008, LNCS 5094, pp. 313–329 (2008)
Boyd, S.W., Keromytis, A.D.: SQLrand: preventing SQL injection attacks. In: Proceedings of the 2nd ACNS Conference, pp. 292–302 (2004)
Yusof, I., Pathan, A.-S.K.: Mitigating cross-site scripting attacks with a content security policy. Computer 49, 56–63 (IEEE) (2016)
Guo, X., Jin, S., Zhang, Y.: XSS vulnerability detection using optimized attack vector repertory. In: 2015 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), Xi’an, pp. 29–36 (2015)
Mewara, B., Bairwa, S., Gajrani, J., Jain, V.: Enhanced browser defense for reflected cross-site scripting. In: 2014 3rd International Conference on Reliability, Infocom Technologies and Optimization (ICRITO), Noida, pp. 1–6 (2014)
Shahriar, H., Zulkernine, M.: S2XS2: a server side approach to automatically detect XSS attacks. In: IEEE/DASC, Sydney, NSW, pp. 7–14 (2011)
Suju, D.A., Gandhi, G.M.: An automaton based approach for forestalling cross site scripting attacks in web application. In: ICoAC, Chennai, India, pp. 1–6 (2015)
Maurya, S.: Positive security model based server-side solution for prevention of cross-site scripting attacks. In: IEEE/INDICON, New Delhi, pp. 1–5 (2015)
Medeiros, I., Neves, N., Correia, M.: Detecting and removing web application vulnerabilities with static analysis and data mining. In: IEEE Transactions on Reliability, vol. 65, no. 1, pp. 54–69. IEEE Reliability Society (2016)
Shar, L.K., Briand, L.C., Tan, H.B.K.: Web application vulnerability prediction using hybrid program analysis and machine learning. In: IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 6, pp. 688–707. IEEE (2015)
Threepak, T., Watcharapupong, A.: Web attack detection using entropy-based analysis. In: COIN2014, pp. 244–247. IEEE, Phuket (2014)
Bronte, R., Shahriar, H., Haddad, H.: Information theoretic anomaly detection framework for web application. In: COMPSAC, pp. 394–399. IEEE, Atlanta (2016)
Zhao, J., Qi, J., Zhou, L., Cui, B.: Dynamic taint tracking of web application based on static code analysis. In: IMIS, pp. 96–101. IEEE, Fukuoka (2016)
Tajbakhsh, M.S., Bagherzadeh, J.: A sound framework for dynamic prevention of local file inclusion. In: IKT, pp. 1–6. IEEE, Urmia (2015)
Shahriar, H., Haddad, H., Bulusu, P.: OCL fault injection-based detection of LDAP query injection vulnerabilities. In: COMPSAC, pp. 455–460. IEEE, Atlanta (2016)
Hussein, O., Hamza, N., Hefny, H.: A proposed approach to detect and thwart previously unknown code injection attacks. In: 7th International Conference on Intelligent Computing and Information Systems (ICICIS), pp. 336–342. IEEE, Cairo (2015)
Pasaribu, S., Asnar, Y., Liem, M.M.I.: Input injection detection in Java code. In: 2014 International Conference on Data and Software Engineering (ICODSE), pp. 1–6. IEEE, Bandung (2014)
Copyright information
© 2018 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Yadav, N., Shekokar, N. (2018). Analysis on Injection Vulnerabilities of Web Application. In: Vasudevan, H., Deshmukh, A., Ray, K. (eds) Proceedings of International Conference on Wireless Communication. Lecture Notes on Data Engineering and Communications Technologies, vol 19. Springer, Singapore. https://doi.org/10.1007/978-981-10-8339-6_2
DOI: https://doi.org/10.1007/978-981-10-8339-6_2
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-8338-9
Online ISBN: 978-981-10-8339-6
eBook Packages: Engineering (R0)