The week's pick
Reseach Article
Techniques ofSQL Injection Detectionand Prevention
Published on March 2012 by
Shruti BangreRung,
AlkaJaiswalRungt
| International Conference and Workshop on Emerging Trends in Technology |
| Foundation of Computer Science USA |
| ICWET2012 - Number 9 |
| March 2012 |
| Authors: Shruti BangreRung, AlkaJaiswalRungt |
| 5fcf2c77-f873-4d7c-b559-4fcb157e86ec |
Shruti BangreRung, AlkaJaiswalRungt . Techniques ofSQL Injection Detectionand Prevention. International Conference and Workshop on Emerging Trends in Technology. ICWET2012, 9 (March 2012), 26-35.
@article{
author = {
Shruti BangreRung,
AlkaJaiswalRungt
},
title = { Techniques ofSQL Injection Detectionand Prevention },
journal = {
International Conference and Workshop on Emerging Trends in Technology
},
issue_date = { March 2012 },
volume = { ICWET2012 },
number = { 9 },
month = { March },
year = { 2012 },
issn = 0975-8887,
pages = {
26-35
},
numpages = 10,
url = {
/proceedings/icwet2012/number9/5380-1071/
},
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Proceeding Article
%1 International Conference and Workshop on Emerging Trends in Technology
%A Shruti BangreRung
%A AlkaJaiswalRungt
%T Techniques ofSQL Injection Detectionand Prevention
%J International Conference and Workshop on Emerging Trends in Technology
%@ 0975-8887
%V ICWET2012
%N 9
%P 26-35
%D 2012
%I International Journal of Computer Applications
Abstract
SQLinjectionisatechniqueusedtoexploitwebapplications thatuseclient-supplied datainSQL querieswithoutvalidating the input. SQLinjectionis anattackmethodologythat targets the data residing ina database throughthe firewallthat shieldsit.TheSQLInjectionworkseveniftheSystem isfully patched,itrequires nothing butport80should open.Theattacktakesadvantageofpoorinputvalidationin code andwebsite administration.Researchers have proposed differenttoolstodetectandpreventthis vulnerability.In thispaperwe present SQLinjectionattacktypes andalsocurrent techniqueswhichcandetector preventtheseattacks.Finallywe evaluate these techniques
References
- WG.HalfonA.Orso,UW.nd,UsingPositive Tainting and SyntaxAwarEvaluationtoCounterSedreSQLInjection Atttacks, 14thACM SIGSOFinternationalsymposiumon FoundatFTmtionsofsoftwwareengineering22006,ACM. p175–185.pp
- SruthiBandhaakavi,PrithviBisht,P.Maiadhusudan, CACANDID:PrevventingSQLInjectionAttaacksusing DynamCandidate Evaluation.PmicProceedingsofthe 14th ACMconference onComputerandfMcommunicatio security.AonsACM,Alexandria,Virginia,USA.page:12,2- 24.zarotti.Swadddler:AnApprroachforthe Anomaly- baeasedDetectionofn
- [William G.J.Halfond,JeremyViegasandAlessandro Orso,“AClassificationofSQLInjectionAttacksand Countermeasures,” College ofComputingGeorgia Institute of TechnologyIEEE, 2006.
- Z.SuandG.Wassermann.The Essence ofCommand InjectionAttacks inWebApplications.ACM SIGPLAN Notices.Volume: 41,Pages: 372-382,2006.
- F.Valeur,D.Mutz,andG.Vigna.ALearning-Based Approachtothe DetectionofSQLAttacks.Detection of Intrusions AndMalware,AndVulnerability Assessment, Proceedings,Volume:3548,Pages: 123-140, 2005
- PrithviBisht,P.Madhusudan.CANDID:Dynamic Candidate Evaluations forAutomatic PreventionofSQL InjectionAttacks.SourceACMTransactions On InformationAndSystemSecurity,Volume: 13,Issue:2, 2010.
- KonstantinosKemalisandTheodorosTzouramanis. SQL- IDS:ASpecification-basedApproachfor SQLInjection DetectionSymposiumonAppliedComputing.Pp:2153- 2158,USA:ACM, 2008.
- A. S.Christensen,A.Moller,andM.I.Schwartzbach. Precise Analysis ofStringExpressions.Static Analysis, Proceedings,Volume: 2694,Pages: 1-18,2003.
- G.T.Buehrer,B.W.Weide,andP.A.G.Sivilotti.Using Parse Tree ValidationtoPrevent SQLInjectionAttacks.In InternationalWorkshoponSoftware Engineering and Middleware (SEM),2005.
- P.Grazie.,PhDSQLPreventthesis.Universityof BritishColumbia (UBC)Vancouver,Canada.2008.
- C.Gould,Z.Su, andP.Devanbu.JDBCChecker:AStatic Analysis Toolfor SQL/JDBCApplications.Proceedings of the 26thInternationalConferenceonSoftware Engineering (ICSE04)FormalDemos,pp697–698,2004.
- Wassermann,G;Gould,C;Su,Z, etal. Static Checkingof DynamicallyGeneratedQueries inDatabase Applications. ACMTransactions onSoftware Engineering and Methodology.Volume:16,Issue:4,2007.
- M. Martin,B.Livshits,andM.S.Lam. Finding ApplicationErrors andSecurityFlaws UsingPQL:A ProgramQueryLanguage.ACM SIGPLAN Notices, Volume: 40,Issue: 10Pages: 365-383,2005.
- Y.Huang, F.Yu,C.Hang,C.H.Tsai,D.T.Lee,andS.Y. Kuo.SecuringWebApplicationCode byStatic Analysis andRuntime Protection.InProceedings ofthe 12th InternationalWorldWide WebConference (WWW04), May2004.
- W.G.HalfondandA.Orso.AMNESIA:Analysis and MonitoringforNEutralizingSQL-InjectionAttacks.In Proceedings ofthe IEEEandACMInternational Conference onAutomatedSoftware Engineering(ASE 2005),LongBeach,CA,USA,Nov2005.
- W.G.HalfondandA.Orso.CombiningStatic Analysis andRuntime MonitoringtoCounter SQL-Injection Attacks.InProceedings ofthe ThirdInternationalICSE WorkshoponDynamicAnalysis(WODA2005),pp 22–28, St.Louis,MO,USA, May2005.
- Y.Huang, S.Huang,T.Lin,andC.Tsai.A Testing FrameworkforWebApplicationSecurityAssessment. ComputerNetworks,Volume: 48Issue: 5,Pages:739-761, 2005.
- T.Pietraszek andC.V.Berghe.Defending against InjectionAttacks throughContext-Sensitive String evaluation.RecentAdvances inIntrusionDetection, Volume: 3858,Pages:124-145, 2006.
- A.Nguyen-Tuong, S.Guarnieri,D.Greene,J. Shirley,and D.Evans.AutomaticallyHardeningWebApplications UsingPrecise Tainting. Security andPrivacyinthe Age of Ubiquitous Computing,Volume: 181,Pages: 295-307, 2005.
- V.Haldar,D.Chandra,andM.Franz.Dynamic Taint PropagationforJava.InProceedings 21stAnnual Computer SecurityApplicationsConference,Dec. 2005..
- S.W.BoydandA.D.Keromytis.SQLrand:Preventing SQLInjectionAttacks.InProceedings ofthe2ndApplied CryptographyandNetworkSecurity(ACNS)Conference, pp292–302.June 2004.
Index Terms
Computer Science
Information Sciences
Keywords