CFP last date
22 April 2024
Reseach Article

New Strategy for Mitigating of SQL Injection Attack

by Ammar Alazab, Ansam Khresiat
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 154 - Number 11
Year of Publication: 2016
Authors: Ammar Alazab, Ansam Khresiat
10.5120/ijca2016911974

Ammar Alazab, Ansam Khresiat . New Strategy for Mitigating of SQL Injection Attack. International Journal of Computer Applications. 154, 11 ( Nov 2016), 1-10. DOI=10.5120/ijca2016911974

@article{ 10.5120/ijca2016911974,
author = { Ammar Alazab, Ansam Khresiat },
title = { New Strategy for Mitigating of SQL Injection Attack },
journal = { International Journal of Computer Applications },
issue_date = { Nov 2016 },
volume = { 154 },
number = { 11 },
month = { Nov },
year = { 2016 },
issn = { 0975-8887 },
pages = { 1-10 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume154/number11/26532-2016911974/ },
doi = { 10.5120/ijca2016911974 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T23:59:56.727094+05:30
%A Ammar Alazab
%A Ansam Khresiat
%T New Strategy for Mitigating of SQL Injection Attack
%J International Journal of Computer Applications
%@ 0975-8887
%V 154
%N 11
%P 1-10
%D 2016
%I Foundation of Computer Science (FCS), NY, USA
Abstract

SQL injection attack (SQLIA) is a serious threat to web applications. A successful SQLIAs can have serious consequences to the victimized organization that include financial lose, reputation lose, compliance and regulatory breach. Therefore, developing approaches for mitigating SQLIA is paramount important. To this end, we propose an approach based on negative tainting along with SQL keyword analysis for detecting and preventing SQLIA. We have tested our proposed approach on all types of SQLIAs techniques by generating SQL queries containing legitimate SQL commands and SQLIA. We present an analysis and evaluation of the proposed approach to demonstrate its effectiveness in detecting and protecting SQLIA attack.

References
  1. C. Torrano-Gimenez, A. Perez-Villegas, and G. Alvarez, "WASAT-A New Web Authorization Security Analysis Tool," Web Application Security, pp. 39-49, 2010.
  2. P. Bisht, P. Madhusudan, and V. Venkatakrishnan, "CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks," ACM Transactions on Information and System Security (TISSEC), vol. 13, p. 14, 2010.
  3. A. Alazab, J. H. Abawajy, and M. Hobbs, "Web Malware that Targets Web Applications," in Social Network Engineering for Secure Web Data and Services, ed: IGI Global, 2013, pp. 248-264.
  4. W. G. Halfond, A. Orso, and P. Manolios, "Using positive tainting and syntax-aware evaluation to counter SQL injection attacks," in Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering, 2006, pp. 175-185.
  5. A. Alazab, M. Alazab, J. Abawajy, and M. Hobbs, "Web application protection against SQL injection attack," in ICITA 2011: Proceedings of the 7th International Conference on Information Technology and Applications ICITA 2011, 2012, pp. 1-7.
  6. Softpedia. (2013, April). Stories about: SQL injection. Available: http://news.softpedia.com/newsTag/SQL+injection
  7. Y. Shin, S. Myers, and M. Gupta, "A Case Study on Asprox Infection Dynamics," Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 1-20, 2009.
  8. N. Lowe, "Shields Up! Protecting browsers, endpoints and enterprises against web-based attacks," Network Security, vol. 2009, pp. 4-7, 10// 2009.
  9. A. K. Sood, R. J. Enbody, and R. Bansal, "Dissecting SpyEye – Understanding the design of third generation botnets," Computer Networks, vol. 57, pp. 436-450, 2/4/ 2013.
  10. Open Web Application Security Project. (2010, 3 April). The Top 10 Most Critical Web Application Security Risks. Available: https://www.owasp.org/index.php/Main_Page
  11. D. Hartley, "Chapter 1 - What Is SQL Injection?," in SQL Injection Attacks and Defense, ed Boston: Syngress, 2012, pp. 1-25.
  12. Greensql. (2013, April). GreenSQL December Survey. Available: http://www.greensql.com/content/greensql-december-survey-88-all-companies-surveyed-do-not-protect-their-databases-external-a
  13. A. Alazab, J. Abawajy, and M. Hobbs, "Web Malware That Target Web Application," Social Network Engineering for Secure Web Data and Services, Luca Caviglione, Mauro Coccoli, Alessio Merlo (Eds.) IGI Global, USA., 2013.
  14. P. Bisht, P. Madhusudan, and V. Venkatakrishnan, "CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks," ACM Transactions on Information and System Security vol. 13, pp. 1-39, 2010.
  15. C. S. Peng, S. K. Chen, J. Y. Chung, A. Roy-Chowdhury, and V. Srinivasan, "Accessing existing business data from the World Wide Web," IBM Systems Journal, vol. 37, pp. 115-132, 2010.
  16. A. Alazab, M. Alazab, J. Abawajy, and M. Hobbs, "Web application protection against SQL injection attack," in ICITA 2011: Proceedings of the 7th International Conference on Information Technology and Applications ICITA 2011, 2011, pp. 1-7.
  17. W. D. Yu, D. Aravind, and P. Supthaweesuk, "Software vulnerability analysis for web services software systems," 2006, pp. 740-748.
  18. K. J. Vella. (2007, 2011). Web Applications: What are they? What about them? Available: http://www.windowsecurity.com/articles/Web-Applications.html?printversion
  19. J. Abawajy, "SQLIA detection and prevention approach for RFID systems," Journal of Systems and Software, vol. 86, pp. 751-758, 3// 2013.
  20. H. Fernando and J. Abawajy, "Securing RFID systems from SQLIA," in Algorithms and architectures for parallel processing, ed: Springer, 2011, pp. 245-254.
  21. N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities," in IEEE Symposium on Security and Privacy, Oakland, CA, 2006, pp. 258-263.
  22. W. G. J. Halfond and A. Orso, "Preventing SQL injection attacks using AMNESIA," presented at the Proceedings of the 28th international conference on Software engineering, Shanghai, China, 2006.
  23. IndraniBalasundaram and Ramaraj, "An Approach to Detect and Prevent SQL Injection Attacks in Database Using Web Service," International Journal of Computer Science and Network Security, vol. 11, pp. 197-205, 2011.
  24. M. Martin, B. Livshits, and M. S. Lam, "Finding application errors and security flaws using PQL: a program query language," ACM SIGPLAN Notices, vol. 40, pp. 365-383, 2005.
  25. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo, "Securing web application code by static analysis and runtime protection," presented at the Proceedings of the 13th international conference on World Wide Web, New York, NY, USA, 2004.
  26. C. Gould, Z. Su, and P. Devanbu, "JDBC checker: A static analysis tool for SQL/JDBC applications," 2004, pp. 697-698.
  27. R. A. McClure and I. H. Krüger, "SQL DOM: compile time checking of dynamic SQL statements," 2005, pp. 88-96.
  28. W. G. J. Halfond, A. Orso, and P. Manolios, "Using positive tainting and syntax-aware evaluation to counter SQL injection attacks," 2006, pp. 175-185.
  29. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans, "Automatically hardening web applications using precise tainting," Security and Privacy in the Age of Ubiquitous Computing, pp. 295-307, 2005.
  30. S. Bandhakavi, P. Bisht, P. Madhusudan, and V. Venkatakrishnan, "CANDID: preventing sql injection attacks using dynamic candidate evaluations," 2007, pp. 12-24.
  31. Y. Shin, S. Myers, and M. Gupta, "A case study on asprox infection dynamics," in Detection of Intrusions and Malware, and Vulnerability Assessment, ed: Springer, 2009, pp. 1-20.
  32. A. K. Sood, "The crux and the myth — breaches in security vendor websites," Computer Fraud & Security, vol. 2009, pp. 11-13, 7// 2009.
  33. A. K. Sood, "The crux and the myth—breaches in security vendor websites," Computer Fraud & Security, vol. 2009, pp. 11-13, 2009.
  34. W. Kim, O.-R. Jeong, C. Kim, and J. So, "The dark side of the Internet: Attacks, costs and responses," Information systems, vol. 36, pp. 675-705, 2011.
  35. C. Tankard, "Advanced Persistent threats and how to monitor and deter them," Network Security, vol. 2011, pp. 16-19, 8// 2011.
  36. D. Das, U. Sharma, and D. Bhattacharyya, "An Approach to Detection of SQL Injection Vulnerabilities Based on Dynamic Query Matching," International Journal of Computer Applications, vol. 1, pp. 39-45, 2010.
  37. M. Alazab, S. Venkataraman, and P. Watters, "Towards Understanding Malware Behaviour by the Extraction of API Calls," in Second Cybercrime and Trustworthy Computing Workshop, Ballarat, VIC, 2010, pp. 52-59.
  38. M. Alazab, S. Ventatraman, P. Watters, M. Alazab, and A. Alazab, "Cybercrime: The Case of Obuscated Malware," in 7th International Conference on Global Security, Safety & Sustainability, Thessaloniki, Greece, 2011.
  39. I. Lee, S. Jeong, S. Yeo, and J. Moon, "A novel method for SQL injection attack detection based on removing SQL query attribute values," Mathematical and Computer Modelling, vol. 55, pp. 58-68, 1// 2012.
  40. W. G. J. Halfond and A. Orso, "Preventing SQL injection attacks using AMNESIA," 2006, pp. 795-798.
  41. Z. Su and G. Wassermann, "The essence of command injection attacks in web applications," SIGPLAN Not., vol. 41, pp. 372-382, 2006.
  42. S. Thomas and L. Williams, "Using Automated Fix Generation to Secure SQL Statements," presented at the Proceedings of the Third International Workshop on Software Engineering for Secure Systems, 2007.
  43. G. Wassermann and Z. Su, "An analysis framework for security in Web applications," in Proceedings of the FSE Workshop on Specification and Verification of component-Based Systems (SAVCBS 2004), 2004, pp. 70-78.
  44. G. Buehrer, B. W. Weide, and P. A. G. Sivilotti, "Using parse tree validation to prevent SQL injection attacks," presented at the Proceedings of the 5th international workshop on Software engineering and middleware, Lisbon, Portugal, 2005.
  45. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans, Automatically hardening web applications using precise tainting: Springer, 2005.
  46. F. Valeur, D. Mutz, and G. Vigna, "A learning-based approach to the detection of SQL attacks," in Detection of Intrusions and Malware, and Vulnerability Assessment, ed: Springer, 2005, pp. 123-140.
Index Terms

Computer Science
Information Sciences

Keywords

Cybercrime SQL Injection SQLIA Vulnerabilities Web Application Security