Abstract
In this paper, we propose three new approaches to detect and prevent SQL Injection Attacks (SQLIA), as alternatives to the existing solutions, namely: (i) a Query Rewriting-based approach, (ii) an Encoding-based approach, and (iii) an Assertion-based approach. We discuss in detail the benefits and shortcomings of these proposals with respect to the literature.
© 2016 Springer India
Ahuja, B.K., Jana, A., Swarnkar, A., Halder, R. (2016). On Preventing SQL Injection Attacks. In: Chaki, R., Cortesi, A., Saeed, K., Chaki, N. (eds) Advanced Computing and Systems for Security. Advances in Intelligent Systems and Computing, vol 395. Springer, New Delhi. https://doi.org/10.1007/978-81-322-2650-5_4
Print ISBN: 978-81-322-2648-2
Online ISBN: 978-81-322-2650-5