CFP last date
20 June 2024
Reseach Article

A Robust Method for Prevention of Second Order and Stored Procedure based SQL Injections

Published on April 2015 by Anju Muraleedharan, Neetha K N
National Conference on Advances in Computing Communication and Application
Foundation of Computer Science USA
ACCA2015 - Number 1
April 2015
Authors: Anju Muraleedharan, Neetha K N
85f87931-bf29-449c-9c27-a491796b750b

Anju Muraleedharan, Neetha K N . A Robust Method for Prevention of Second Order and Stored Procedure based SQL Injections. National Conference on Advances in Computing Communication and Application. ACCA2015, 1 (April 2015), 20-23.

@article{
author = { Anju Muraleedharan, Neetha K N },
title = { A Robust Method for Prevention of Second Order and Stored Procedure based SQL Injections },
journal = { National Conference on Advances in Computing Communication and Application },
issue_date = { April 2015 },
volume = { ACCA2015 },
number = { 1 },
month = { April },
year = { 2015 },
issn = 0975-8887,
pages = { 20-23 },
numpages = 4,
url = { /proceedings/acca2015/number1/20101-9008/ },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Proceeding Article
%1 National Conference on Advances in Computing Communication and Application
%A Anju Muraleedharan
%A Neetha K N
%T A Robust Method for Prevention of Second Order and Stored Procedure based SQL Injections
%J National Conference on Advances in Computing Communication and Application
%@ 0975-8887
%V ACCA2015
%N 1
%P 20-23
%D 2015
%I International Journal of Computer Applications
Abstract

Today's interconnected computer network is complex and is constantly growing in size . As per OWASP Top10 list 2013[1] the top vulnerability in web application is listed as injection attack. SQL injection[2] is the most dangerous attack among injection attacks. Most of the available techniques provide an incomplete solution. While attacking using SQL injection attacker probably use space, single quotes or double dashes in his input so as to change the indented meaning of the runtime query generated based on these inputs. Stored procedure based and second order SQL injection are two types of SQL injection that are difficult to detect and hence difficult to prevent. This work concentrates on Stored procedure based and second order SQL injection. It uses a Similarity analysis technique to detect injection. The runtime generated query is checked against a query model for similarity analysis and if both are similar then the runtime query is free from injection else query is vulnerable and the further processing of the query is blocked.

References
  1. https://www. owasp. org/index. php/Category:OWASP_Top_Ten_Project
  2. C. Anley. (more) Advanced SQL Injection. White paper, Next Generation Security Software Ltd. , 2002.
  3. S. McDonald. SQL Injection: Modes of attack, defense, and why it matters. White paper, GovernmentSecurity. org, April 2002.
  4. https://www. owasp. org/index. php/What_are_web_applications%3F
  5. W. G. J. Halfond, J. Viegas, and A. Orso, "A Classification of SQL Injection Attacks and Countermeasures," Proc. Int'l Symp. Secure Software Eng. (ISSSE 06), IEEE CS, 2006; www. cc. gatech. edu/fac/Alex. Orso/papers/halfond. viegas. orso. ISSSE06. pdf.
  6. Ke Wei, M. Muthuprasanna and Suraj Kothari (Iowa State University). 'Preventing SQL Injection Attacks in Stored Procedures' . Software engineering conference 2006.
  7. Justin Clarke, "SQL Injection Attacks " 2nd Edition,2012.
  8. William G. J. Halfond, Alessandro Orso, and Panagiotis Manolios College of Computing – Georgia Institute of Technology. ' Using Positive Tainting and Syntax Aware Evaluation to Counter SQL Injection Attacks', 2006 ACM
  9. S Mamadhan, T Manesh, V Paul, SQLStor: Blockage of stored procedure SQL injection attack using dynamic query structure validation, IEEE ,Nov 2012
  10. Sandeep Nair Narayanan, Alwyn Roshan Pais, & Radhesh Mohandas. Detection and Prevention of SQL Injection Attacks using Semantic Equivalence. Springer 2011.
  11. http://www-bcf. usc. edu/~halfond/testbed. html
  12. Lwin Khin Shar and Hee Beng Kuan Tan, Defeating SQL Injection, IEEE Computer Society, March 2013
  13. Preventing SQL Injections in Online Applications: Study, Recommendations and Java Solution Prototype Based on the SQL DOM . Etienne Janot, Pavol Zavarsky Concordia University College of Alberta, Department of Information Systems Security
  14. Xie, Y. , and Aiken, A. Static detection of security vulnerabilities in scripting languages. In USENIX Security Symposium (2006).
  15. Mcclure, R. A. and Kr¨Uger, I. H. 2005. SQL DOM: Compile time checking of dynamic SQL statements. In Proceedings of the 27th International Conference on Software Engineering (ICSE'05). ACM, New York, 88–96.
  16. Boyd, S. W. , and Keromytis, A. D. Sqlrand: Preventing sql injection attacks. In ACNS (2004), pp. 292–302.
  17. Halfond, W. , and Orso, A. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In ASE (2005), pp. 174–183.
  18. Buehrer, G. , Weide, B. W. , and Sivilotti, P. A. G. Using parse tree validation to prevent sql injection attacks. In SEM (2005)
Index Terms

Computer Science
Information Sciences

Keywords

Sql Injection Web Application Stored Procedure Second Order Injection.