Analysis on Injection Vulnerabilities of Web Application

  • Conference paper
Proceedings of International Conference on Wireless Communication

Part of the book series: Lecture Notes on Data Engineering and Communications Technologies (LNDECT, volume 19)

Abstract

The number of Internet users has grown enormously. Web applications are now used routinely in sectors such as e-commerce, banking, and the military. A web application is a collection of thousands of lines of code, which habitually contain bugs. Some of these bugs affect security and can allow an attacker to take complete control of the application. During client–server communication the attacker supplies malicious input to the application, and these unnoticed vulnerabilities cause financial losses to organizations. Mitigating such attacks is therefore vital to avoid damaging consequences. A large body of research on application security is ongoing, but every defense has its own advantages and disadvantages. The aim of this paper is to study and consolidate the understanding of injection vulnerabilities and their mitigation techniques. The different approaches proposed by researchers are analyzed here, and the pitfalls observed in the existing solutions are discussed.



Author information

Correspondence to Nilesh Yadav or Narendra Shekokar.

Copyright information

© 2018 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Yadav, N., Shekokar, N. (2018). Analysis on Injection Vulnerabilities of Web Application. In: Vasudevan, H., Deshmukh, A., Ray, K. (eds) Proceedings of International Conference on Wireless Communication. Lecture Notes on Data Engineering and Communications Technologies, vol 19. Springer, Singapore. https://doi.org/10.1007/978-981-10-8339-6_2

  • DOI: https://doi.org/10.1007/978-981-10-8339-6_2

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-8338-9

  • Online ISBN: 978-981-10-8339-6

  • eBook Packages: Engineering (R0)
