CFP last date
20 May 2024
Call for Paper
June Edition
IJCA solicits high quality original research papers for the upcoming June edition of the journal. The last date of research paper submission is 20 May 2024

Submit your paper
Know more
The week's pick
Responsive image
Enhancing Privacy Preservation: Multi-Attribute Protection with P-Sensitive K-Anonymity

Twinkle Patel Kiran Amin
Random Articles
Reseach Article

Securing Web Applications against Structured Query Language Injection Attacks using a Hybrid Approach: Input Filtering and Web Application Firewall

by Francis Kyalo Muia, Calvins Otieno, Dennis Njagi
journal cover thumbnail

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 182 - Number 9
Year of Publication: 2018
Authors: Francis Kyalo Muia, Calvins Otieno, Dennis Njagi
10.5120/ijca2018917666

Francis Kyalo Muia, Calvins Otieno, Dennis Njagi . Securing Web Applications against Structured Query Language Injection Attacks using a Hybrid Approach: Input Filtering and Web Application Firewall. International Journal of Computer Applications. 182, 9 ( Aug 2018), 20-27. DOI=10.5120/ijca2018917666

@article{ 10.5120/ijca2018917666,
author = { Francis Kyalo Muia, Calvins Otieno, Dennis Njagi },
title = { Securing Web Applications against Structured Query Language Injection Attacks using a Hybrid Approach: Input Filtering and Web Application Firewall },
journal = { International Journal of Computer Applications },
issue_date = { Aug 2018 },
volume = { 182 },
number = { 9 },
month = { Aug },
year = { 2018 },
issn = { 0975-8887 },
pages = { 20-27 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume182/number9/29847-2018917666/ },
doi = { 10.5120/ijca2018917666 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-07T01:10:52.628427+05:30
%A Francis Kyalo Muia
%A Calvins Otieno
%A Dennis Njagi
%T Securing Web Applications against Structured Query Language Injection Attacks using a Hybrid Approach: Input Filtering and Web Application Firewall
%J International Journal of Computer Applications
%@ 0975-8887
%V 182
%N 9
%P 20-27
%D 2018
%I Foundation of Computer Science (FCS), NY, USA
Abstract

SQL injection is a type of attack used to gain, manipulate, or delete information in any data-driven system regardless of whether the system is online or offline and whether this system is a web or non-web based. A common approach for an attacker to launch SQLIA is by modifying the user input to contain partial SQL queries and trick the server into executing them. In this paper, a literature review of the SQL injection attacks and their mitigation is presented. It shows that the study of SQL injection in general has been conducted in diverse range of areas. The main objective of this paper is to give an elaborate study on different types of SQL injection, their mitigation strategies, critiques of past approaches and finally the knowledge gap. It seeks to create knowledge on work done by others in the area of SQL injection attacks in web applications which remains a threat up-to-date despite the numerous studies done on the same field.

References
  1. [Angelo et al.] Angelo Ciampa, Corrado Aaron Visaggio, Massimiliano Di Penta:” A heuristic-based approach for detecting SQL-injection vulnerabilities in Web applications”.
  2. “SQL Injection Tutorial,” Oracle Corp., 2009. [Online]. Available:http://stcurriculum.oracle.com/tutorial/SQLInjection/index.htm. [Accessed: Mar. 11, 2010].
  3. F. Valeur, D. Mutz, and G. Vigna, “A learning-based approach to the detection of sql injection attacks”, in proceedings of the conference on detection of intrusions and Malware and vulnerability assessment (DIMVA), 2005.
  4. Lowe, D., and Henderson-Sellers, B. (2003b) Characterizing Web Systems: Merging Information and Functional Architectures. Architectural Issues of Web-Enabled Electronic Business. V. K. S. Murthy, N. Hershey, PA, USA, Idea Group Publishing.
  5. Using Automated Fix Generation to Secure SQL Statements. Stephen Thomas, Laurie Williams. IEEE Computer Society Washington, DC, USA: s.n., 2007. SESS '07 Proceedings of the Third International Workshop on Software Engineering for Secure Systems. p. 9.
  6. W. G. Halfond, J. Viegas, and A. Orso, “A Classification of SQL Injection Attacks and Countermeasures,” in Proc. the International Symposium on Secure Software Engineering, 2006
  7. R.A. McClure, I.H. Kruger, "SQL DOM: compile time checking of dynamic SQL statements", Software Engineering 2005. ICSE 2005. Proceedings. 27th International Conference on, pp. 88-96, 15–21 May 2005.
  8. Kasra Amirtahmasebi, Seyed Reza Jalalinia, and Saghar Khadem. A survey of SQL injection defense mechanisms. The 4th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pages 1-8, Nov 2014.
  9. [Shanmughaneethi et al., 2009] Shanmughaneethi, S.V.; Shyni, S.C.E.; Swamynathan, S.; "SBSQLID: Securing Web Applications with Service Based SQL Injection Detection," Advances in Computing, Control, & Telecommunication Technologies, 2009. ACT '09. International Conference on, vol., no., pp.702-704, 28-29 Dec. 2009
  10. Servlet and jsp filters. Online document, Sun Microsystems and Prentice Hall. http://www.moreservlets.com/.
  11. Junjin, M., An Approach for SQL Injection Vulnerability Detection. Proc. of the 6th International Conference on Information Technology: New Generations, Las Vegas, Nevada, April 2009, pp. 1411- 1414.
  12. A heuristic-based approach for detecting SQL-injection vulnerabilities in web applications. Angelo Ciampa, Corrado Aaron Visaggio , Massimiliano Di Penta. New York : s.n., 2010. Proceeding SESS '10 Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems. pp. 43-49
  13. CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. Prithvi Bisht, P. Madhusudan , V. N.Venkatakrishnan. 2, February 2010, ACM Transactions on Information and System Security (TISSEC), Vol. 13.
  14. Chandershekhar Sharma and S.C. Jain,‖Analysis and Classification of SQL Injection Vulnerabilities and Attacks on Web Applications,‖ Proc. IEEE Int. Conf. on Advances in Engineering & Technology research (ICAETR-2014),Dr. virendra Swarup group of institutions, Unnao, India,pp.1-6, August 2014
  15. Preventing SQL injection attacks in stored procedures. Ke Wei, Muthuprasanna, M. And Kothari, S. 2012. Australian Software Engineering Conference, 2012. pp. 18-21.
  16. SecuBat: a web vulnerability scanner. Kals, Stefan, et al. New York, NY, USA: s.n., 2013. WWW '13 Proceedings of the 15th international conference on World Wide Web. pp. 247-256.
  17. An Automatic Revised Tool for Anti-Malicious Injection. Lin, Jin-Cherng and Chen, Jan-Min. Seoul: s.n., 2006. The Sixth IEEE International Conference on Computer and Information Technology, 2006. CIT '06. p. 164.
  18. Eliminating SQL Injection Attacks – A Transparent Defense Mechanism. Muthuprasanna, M., Wei, Ke and Kothari, S. Philadelphia, PA: son. 2015. Eighth IEEE International Symposium on Web Site Evolution, 2015. WSE '06. pp. 22-32.
  19. Defending against Injection Attacks through Context-Sensitive String Evaluation. Pietraszek, Tadeusz and Berghe, Chris Vanden. 2005. Proceedings of Recent Advances in Intrusion Detection (RAID2005). pp. 3-26.
  20. D-WAV A Web Application Vulnerabilities Detection Tool Using Characteristics of Web Forms. Zhang, Lijiu, et al. Nice: s.n., 2010. Fifth International Conference on Software Engineering Advances (ICSEA), 2010. pp. 501 - 507.
  21. X-log authentication technique to prevent sql injection attacks. B. Indrani, E. Ramaraj. 2011, International Journal of Information Technology and Knowledge Management. Vol. 4, pp. 4:323-328.
  22. Smask: Preventing injection attacks in web applications by approximating automatic data/code separation. Martin Johns, Christian Beyerlein. 2014. in 22nd ACM Symposium on Applied Computing (SAC 2014).
  23. Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection. Kosuga, Y., et al. Miami Beach, FL: s.n., 2007. Twenty-Third Annual Computer Security Applications Conference, 2007. ACSAC 2007. pp. 107 – 117.
  24. Automated Protection of PHP Applications against SQL-injection Attacks. Merlo, E. Letarte, D.and Antoniol, G. Amsterdam: s.n., 2016.11th European Conference on Software Maintenance and Reengineering, 2016. CSMR '16 . pp. 191-202.
  25. Veracode. (2012). SQL Injection. Retrieved from Veracode: http://www.veracode.com/security/sql-injection
  26. S. W. Boyd, A. D. Keromytis, "SQLrand: Preventing SQL Injection Attacks", Proceedings of the 2nd Applied Cryptography and Network Security Conference, pp. 292-302, June 2004.
  27. H. Holm and M. Ekstedt, "Estimates on the effectiveness of web application firewalls against targeted attacks," Info Mngmnt & Comp Security, vol. 21, no. 4, pp. 250-265, 10/07; 2016/11.
  28. M. Sharifi, M. Zoroufi, A. Saberi, '"How to Counter Control Flow Tampering Attacks," In: 2007 IEEE/ACS International Conference on Computer Systems and Applications, 2007, pp. 815-818.
  29. F. Fangmei, C. Shao, D. Liu, '"Design and Implementation of Coldfusion-Based Web Application Firewall," In: Computer Science & Service System (CSSS), 2012 International Conference on, 2012, pp. 659-662.
  30. A. Tekerek, C. Gemci, O. F. Bay, '"Development of a hybrid web application firewall to prevent web based attacks," In: Application of Information and Communication Technologies (AICT), 2014 IEEE 8th International Conference on, 2014, pp. 1-4.
  31. S. Prandl, M. Lazarescu, D. Pham, '"A Study of Web Application Firewall Solutions," In: Proceedings of 11th International Conference on Information
Index Terms

Computer Science
Information Sciences

Keywords

Structured Query Language Structured Query Language Injection Attacks Web Application Keywords.

Powered by PhDFocusTM