Skip to main content
SpringerLink
Log in

Detection and Prevention of SQL Injection Attacks

  • Conference paper
Malware Detection

Part of the book series: Advances in Information Security ((ADIS,volume 27))

Summary

We depend on database-driven web applications for an ever increasing amount of activities, such as banking and shopping. When performing such activities, we entrust our personal information to these web applications and their underlying databases. The confidentiality and integrity of this information is far from guaranteed; web applications are often vulnerable to attacks, which can give an attacker complete access to the application’s underlying database. SQL injection is a type of code-injection attack in which an attacker uses specially crafted inputs to trick the database into executing attacker-specified database commands. In this chapter, we provide an overview of the various types of SQL injection attacks and present AMNESIA, a technique for automatically detecting and preventing SQL injection attacks. AMNESIA uses static analysis to build a model of the legitimate queries an application can generate and then, at runtime, checks that all queries generated by the application comply with this model. We also present an extensive empirical evaluation of AMNESIA. The results of our evaluation indicate that AMNESIA is, at least for the cases considered, highly effective and efficient in detecting and preventing SQL injection attacks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 259.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 329.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 329.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. C. Anley. Advanced SQL Injection In SQL Server Applications. White paper, Next Generation Security Software Ltd., 2002.

    Google Scholar 

  2. C. Anley. (more) Advanced SQL Injection. White paper, Next Generation Security Software Ltd., 2002.

    Google Scholar 

  3. D. Aucsrnith. Creating and maintaining software that resists malicious attack. http://www.gtisc.gatech.edu/aucsmith-bio.htm, September 2004. Distinguished Lecture Series.

    Google Scholar 

  4. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, pages 292–302, June 2004.

    Google Scholar 

  5. A. S. Christensen, A. Mdler, and M. I. Schwartzbach. Precise analysis of string expressions. In Proc. 10th International Static Analysis Symposium, SAS’ 03, volume 2694 of LNCS, pages 1–18. Springer-Verlag, June 2003. Available from http://www.brics.dk/JSA/.

    Google Scholar 

  6. W. R. Cook and S. Rai. Safe Query Objects: Statically Typed Objects as Remotely Executable Queries. In Proceedings of the 27th International Conference on Soffware Engineering (ICSE 2005), 2005.

    Google Scholar 

  7. T. 0. Foundation. Top ten most critical web application vulnerabilities, 2005. http://www.owasp.org/documentation/topten.html.

    Google Scholar 

  8. C. Gould, Z. Su, and P. Devanbu. Static Checking of Dynamically Generated Queries in Database Applications. In Proceedings of the 26th International Conference on Software Engineering (ICSE 04), pages 645–654,2004.

    Google Scholar 

  9. W. G. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQLInjection Attacks. In Proceedings of the IEEE and ACM International Conference on Automated Software Engineering (ASE 2005), Long Beach, CA, USA, Nov 2005.

    Google Scholar 

  10. W. G. Halfond, J. Viegas, and A. Orso. A Classification of SQL-Injection Attacks and Counter Techniques. Technical report, Georgia Institute of Technology, August 2005.

    Google Scholar 

  11. M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, Redmond, Washington, second edition, 2003.

    Google Scholar 

  12. Y. Huang, S. Huang, T. Lin, and C. Tsai. Web Application Security Assessment by Fault Injection and Behavior Monitoring. In Proceedings of the 11th International World Wide Web Conference (WWW O3), May 2003.

    Google Scholar 

  13. Y. Huang, E Yu, C. Hang, C. H. Tsai, D. T. Lee, and S. Y. Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the 12th International World Wide Web Conference (WWW 04), May 2004.

    Google Scholar 

  14. V. B. Livshits and M. S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. In Usenix Security Symposium, August 2005.

    Google Scholar 

  15. 0. Maor and A. Shulman. SQL Injection Signatures Evasion. White paper, Imperva, April 2004. http://www.imperva.com/application_defense_center/ whiteqapers/sql-injecti_n_signatures_evasion.html.

    Google Scholar 

  16. M. Martin, V. B. Livshits, and M. S. Lam. Finding Application Errors and Security Flaws Using PQL: a Program Query Language. In Proceedings of the ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), October 2005.

    Google Scholar 

  17. R. McClure and I. Krtiger. SQL DOM: Compile Time Checking of Dynamic SQL Statements. In Proceedings of the 27th International Conference on Software Engineering (ICSE OS), pages 88–96,2005.

    Google Scholar 

  18. S. McDonald. SQL Injection: Modes of attack, defense, and why it matters. White paper, GovernmentSecurity.org, April 2002. http://www.governmentsecurity.org/articles/SQLInjectionModesofAttackDefenceandWhyItMatters.php.

    Google Scholar 

  19. S. McDonald. SQL Injection Walkthrough. White paper, SecuriTeam, May 2002. http://www.securiteam.com/securityreviews/5DPONlP76E.html.

    Google Scholar 

  20. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically Hardening Web Applications Using Precise Tainting Information. In Twentieth IFIP International Information Security Conference (SEC 2005), May 2005.

    Google Scholar 

  21. T. Pietraszek and C. V. Berghe. Defending Against Injection Attacks through Context-Sensitive String Evaluation. In Proceedings of Recent Advances in lntrusion Detection (RAID2005), 2005.

    Google Scholar 

  22. D. Scott and R. Sharp. Abstracting Application-level Web Security. In Proceedings of the 1lth International Conference on the World Wide Web (WWW 2002), pages 396–407, 2002.

    Google Scholar 

  23. A. Seesing and A. Orso. InsECTJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse. In Proceedings of the eclipse Technology exchange (em) Workshop at OOPSLA 2005, pages 49–53, San Diego, USA, October 2005.

    Google Scholar 

  24. F. Valeur, D. Mutz, and G. Vigna. A Learning-Based Approach to the Detection of SQL Attacks. In Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Vienna, Austria, July 2005.

    Google Scholar 

  25. G. Wassermann and Z. Su. An Analysis Framework for Security in Web Applications. In Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), pages 70–78,2004.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Georgia Institute of Technology, Georgia

    William G. J. Halfond & Alessandro Orso

Authors
  1. William G. J. Halfond
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Alessandro Orso
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Computer Sciences Department, University of Wisconsin, 1210 W Dayton St, Madison, WI, 53706-1685

    Mihai Christodorescu  & Somesh Jha  & 

  2. Dept. of Homeland Security, Washington D.C., 20528

    Douglas Maughan

  3. Carnegie Mellon University, CIC 2122, 4720 Forbes Ave, Pittsburgh, PA, 15213

    Dawn Song

  4. Computing and Information Science Div., U.S. Army Research Office, P.O. Box 12211, Research Triangle Park, NC, 27709-2211

    Cliff Wang

Rights and permissions

Reprints and permissions

Copyright information

© 2007 Springer Science+Business Media, LLC.

About this paper

Cite this paper

Halfond, W.G.J., Orso, A. (2007). Detection and Prevention of SQL Injection Attacks. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-44599-1_5

Download citation

  • DOI: https://doi.org/10.1007/978-0-387-44599-1_5

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-32720-4

  • Online ISBN: 978-0-387-44599-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation