Abstract
SQL injection attacks, a class of code injection attacks, pose a serious threat to web applications. A web server allows users to perform a query in order to get the intended service where the SQL queries containing user inputs are executed by the database server. An attacker can take advantage of this query-response mechanism to inject some characters into the user input based on the attack strategy. This may lead to an SQL injection attack. If an attacker can bypass the SQL injection defense put at the web server, then the attacker can obtain some sensitive information from the database. In this paper, we present a scheme, SQLshield that prevents SQL injection attacks in web applications. SQLshield uses a randomization technique that modifies the user input data before the SQL query is executed at the database server. The randomization technique used in SQLshield modifies the user input data in such a way that the execution of the resultant SQL query does not divert from its programmer-intended execution. We compare SQLshield with other schemes and show that SQLshield performs better than the other approaches used to detect and prevent SQL injection attacks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
The Open Web Application Security Project (OWASP), OWASP top 10 web application security risks in year (2013). https://www.owasp.org/index.php/Top_10_2013-Top_10
Boyd, S.W., Keromytis, A.D.: SQLrand: preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)
Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Trans. Inf. Syst. Secur. 13(2), 1–39 (2010)
Bisht, P., Sistla, A.P., Venkatakrishnan, V.N.: TAPS: automatically preparing safe SQL queries. In: Proceedings of the International Conference on Financial Cryptography and Data Security, pp. 272–288 (2010)
Buehrer, G., Weide, B.W., Sivilotti, P.A.: Using parse tree validation to prevent SQL injection attacks. In: Proceedings of the International Workshop on Software Engineering and Middleware, pp. 106–113 (2005)
Mitropoulos, D., Spinellis, D.: SDriver: Location-specific signatures prevent SQL injection attacks. J. Comput. Secur. 28(3–4), 121–129 (2009)
General SQL parser implemented in JAVA. http://www.sqlparser.com/products.php
Clarke, J.: SQL Injection Attacks and Defense, vol. 2. Elsevier publisher, USA (2012)
Halfond, W.G., Orso, A.: Combining static analysis and runtime monitoring to counter SQL-injection attacks. In: Proceedings of the Third International Workshop on Dynamic Analysis, pp. 22–28 (2005)
Martin, M., Lan, M.S.: Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In: Proceedings of the Conference on Security Symposium, pp. 31–43 (2008)
Halfond, W.G., Viegas, J., Orso, A.: A classification of SQL-injection attacks and countermeasures. In: Proceedings of the IEEE International Symposium on Secure Software Engineering (2006)
McClure, R., Kruger, I.: SQL DOM: compile time checking of dynamic SQL statements. In: Proceedings of the International Conference on Software Engineering (ICSE 05), pp 88–96 (2005)
McDonald, S.: SQL Injection: Modes of attack, defense, and why it matters. White paper (2002). GovernmentSecurity.org
Anley, C.: Advanced SQL Injection In SQL Server Applications. Next Generation Security Software Ltd., White paper (2002)
McDonald, S.: SQL Injection Walkthrough. White paper, SecuriTeam, May 2002. http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Antunes, N., Laranjeiro, N., Vieira, M., Madeira, H.: Effective detection of SQL/XPath injection vulnerabilities in web services. In: Proceedings of IEEE International Conference on Services Computing (SCC 2009), pp. 260–267. IEEE (2009)
Shahriar, H., Zulkernine, M.: Mitigating program security vulnerabilities: approaches and challenges. ACM Comput. Surv. 44(3), 1–46 (2012). Article 11
Gould, C., Su, Z., Devanbu, P.: JDBC Checker: a static analysis tool for SQL/JDBC applications. In: Proceedings of the International Conference on Software Engineering (ICSE 2004) - Formal Demos, pp. 697–698 (2004)
Gould, C., Su, Z., Devanbu, P.: Static checking of dynamically generated queries in database applications. In: Proceedings of the International Conference on Software Engineering (ICSE 2004), pp. 645–654 (2004)
Maor, O., Shulman, A.: SQL injection signatures evasion. White paper, Imperva (2002)
Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: Proceedings of the USENIX Security Symposium, pp. 179–192 (2006)
Kiezun, A., Ganesh, V., Guo, P.J., Hooimeijer, P., Ernst, M.D.: Hampi: a solver for string constraints. In: Proceedings of the International Symposium on Software Testing and Analysis, pp. 105–116 (2009)
Halfond, W.G., Orso, A.: AMNESIA: analysis and monitoring for neutralizing SQL-injection. In: Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, pp. 174–183 (2005)
Valeur, F., Mutz, D., Vigna, G.: A learning-based approach to the detection of SQL attacks. In: Proceedings of the Conference on Detection of Intrusions and Malware Vulnerability Assessment, pp. 123–140 (2005)
Baranwal, A.K.: Approaches to detect SQL injection and XSS in web applications. Term Survey paper-EECE 571b, University of British Columbia (2012)
Security Compass. SQL Inject Me. https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/
Larouche, F.: SQL Power Injector. http://www.sqlpowerinjector.com/
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Mehta, P., Sharda, J., Das, M.L. (2015). SQLshield: Preventing SQL Injection Attacks by Modifying User Input Data. In: Jajoda, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2015. Lecture Notes in Computer Science(), vol 9478. Springer, Cham. https://doi.org/10.1007/978-3-319-26961-0_12
Download citation
DOI: https://doi.org/10.1007/978-3-319-26961-0_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26960-3
Online ISBN: 978-3-319-26961-0
eBook Packages: Computer ScienceComputer Science (R0)