Abstract
With the rapid growth of the Internet, more and more organizations connect their databases to the Internet for resource sharing. However, because developers are not aware of every possible attack, web applications become vulnerable to multiple attacks, and the databases behind them face multiple threats. Web applications generally follow a three-tier architecture in which the database sits in the third tier; it is the most valuable asset in any organization. SQL injection is an attack technique that exploits application code by altering back-end SQL statements through manipulated input. Because an attacker can directly compromise the database, it is among the most dangerous attacks. Injection occupies the first position in the top ten vulnerabilities specified by the Open Web Application Security Project [12] and is probably the most common website vulnerability today. Existing solutions to SQL injection attacks either have limited scope, i.e. cannot be implemented on all platforms, or do not cover all types of SQL injection attack. In this work we implement a Detection Block model against SQL injection attacks. The model works on both the client and the server side. The client side implements a filter function, and the server side is based on information theory: MACs derived from the entropy of the static (programmer-intended) query and of the dynamic (runtime) query are compared, and a mismatch indicates an attack.
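To make the static-versus-dynamic comparison concrete, here is an added illustration written for this page; it is not the paper's implementation. It assumes a small token grammar for the SQL query, HMAC-SHA256 over a structural "skeleton" (the query with every literal replaced by a placeholder), Shannon entropy of the token-kind distribution as the information-theoretic measure, a hypothetical vulnerable `build_query` function that concatenates user input, a demo key `KEY`, and constructed sample inputs. The client-side `client_filter` and the server-side `detect` correspond to the two halves of the model described in the abstract.

```python
"""Added illustration of the static-vs-dynamic query comparison sketched in the
abstract.  This is NOT the paper's implementation: the tokenizer, the choice of
HMAC-SHA256 over a structural 'skeleton', the entropy measure (Shannon entropy of
the token-kind distribution) and the sample queries are all assumptions."""
import hashlib
import hmac
import math
import re
from collections import Counter

# Assumed token grammar: string/number literals become placeholders, comments are
# kept as a token kind (a comment injected mid-query is itself a structural change).
TOKEN_RE = re.compile(
    r"""(?P<str>'(?:[^']|'')*')            # single-quoted literal, '' escapes a quote
      | (?P<comment>--[^\n]*|/\*.*?\*/)    # line or block comment
      | (?P<num>\d+(?:\.\d+)?)             # numeric literal
      | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)  # keyword, table or column name
      | (?P<op>[^\s\w])                    # any other single character (=, *, ;, stray ')
    """,
    re.VERBOSE | re.DOTALL,
)


def tokenize(sql):
    """Return a list of (kind, text) pairs; whitespace is dropped."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(sql)]


def skeleton(sql):
    """Structure of the query with every literal replaced by a placeholder.
    Two queries that differ only in literal values share one skeleton."""
    parts = []
    for kind, text in tokenize(sql):
        if kind == "str":
            parts.append("STR")
        elif kind == "num":
            parts.append("NUM")
        elif kind == "comment":
            parts.append("COMMENT")
        elif kind == "ident":
            parts.append(text.upper())
        else:
            parts.append(text)
    return " ".join(parts)


def token_entropy(sql):
    """Shannon entropy (bits per token) of the token-kind distribution. Injected
    clauses add literals and operators and usually move this value."""
    kinds = [kind for kind, _ in tokenize(sql)]
    n = len(kinds)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(kinds).values())


def query_mac(sql, key):
    """Keyed fingerprint of the skeleton. A MAC rather than a plain hash so that
    a stored or transmitted fingerprint cannot be forged without the key."""
    return hmac.new(key, skeleton(sql).encode(), hashlib.sha256).hexdigest()


def client_filter(value):
    """Client-side pre-filter: flags quotes, comment markers and statement
    separators in a form field. It is trivially bypassed by sending the request
    directly, so it only reduces noise; the server-side check is authoritative."""
    return re.search(r"['\";]|--|/\*", value) is not None


def detect(static_sql, dynamic_sql, key, tol=1e-9):
    """Server-side check: the MAC of the programmer-intended (static) query must
    equal the MAC of the query actually built at runtime (dynamic)."""
    mac_match = hmac.compare_digest(query_mac(static_sql, key), query_mac(dynamic_sql, key))
    h_static, h_dynamic = token_entropy(static_sql), token_entropy(dynamic_sql)
    return {
        "mac_match": mac_match,
        "entropy_static": h_static,
        "entropy_dynamic": h_dynamic,
        "entropy_shift": abs(h_static - h_dynamic) > tol,
        # An entropy shift always implies a changed skeleton, but not the converse
        # (swapping AND for OR keeps the token-kind counts), so the MAC is the verdict.
        "injection": not mac_match,
    }


def build_query(name, pwd):
    """Hypothetical vulnerable application code: string concatenation, which is
    exactly what lets user input alter the query structure."""
    return f"SELECT * FROM users WHERE name = '{name}' AND pwd = '{pwd}'"


KEY = b"demo-key-for-illustration-only"         # assumption: a per-deployment secret
STATIC_QUERY = build_query("alice", "secret")   # registered once, with benign sample values

if __name__ == "__main__":
    # Constructed inputs: one benign login, a tautology, a comment truncation.
    for name in ["bob", "' OR '1'='1", "admin'--"]:
        r = detect(STATIC_QUERY, build_query(name, "x"), KEY)
        print(f"{name!r:16} client_filter={client_filter(name)!s:5} "
              f"H={r['entropy_dynamic']:.3f} injection={r['injection']}")
```

Running the block shows the benign login reproducing the registered skeleton (MAC match, no entropy shift), while the tautology and the comment truncation both change the skeleton and fail the MAC check. The entropy value is kept as a diagnostic rather than the verdict: a query whose `AND` has been swapped for `OR` has the same token-kind counts and therefore the same entropy, yet a different skeleton, so only the MAC comparison catches it.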
References
[1] Shahriar, H., Zulkernine, M.: Information theoretic detection of SQL injection attacks. In: Proceedings of the 14th International Symposium on High Assurance Systems Engineering. IEEE (2012)
[2] Xue, Q., He, P.: On defense and detection of SQL server injection attack. In: Proceedings of the International Conference on Security Systems, pp. 324–330. IEEE (2011)
[3] Balasundaram, I., Ramaraj, E.: An authentication scheme for preventing SQL injection attack using hybrid encryption (PSQLIA-HBE). Eur. J. Sci. Res. 53(3), 359–368 (2011)
[4] Avireddy, S., Perumal, V., Gowraj, N., Kannan, R.S., Prashanth, S.: Random4: an application specific randomized encryption algorithm to prevent SQL injection. In: Proceedings of the 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 1327–1335. IEEE (2012)
[5] Zhang, K.-X., Lin, C.-J., Chen, S.-J., Hwang, Y.: TransSQL: a translation and validation-based solution for SQL-injection attacks. In: Proceedings of the First International Conference on Robot, Vision and Signal Processing, pp. 248–252. IEEE (2011)
[6] Huang, B., Xie, T., Ma, Y.: Anti SQL injection with statements sequence digest. IEEE (2012)
[7] Mamadhan, S., Manesh, T., Paul, V.: SQLStor: blockage of stored procedure SQL injection attack using dynamic query structure validation. pp. 240–246. IEEE (2012)
[8] Kim, J.-G.: Injection attack detection using the removal of SQL query attribute values. IEEE (2011)
[9] Jueneman, R.R., Matyas, S.M., Meyer, C.H.: Message authentication. IEEE Commun. Mag. 23(9), 29–40 (1985)
[10] Johari, R., Sharma, P.: A survey on web application vulnerabilities (SQLIA, XSS) exploitation and security engine for SQL injection. In: Proceedings of the International Conference on Communication Systems and Network Technologies, pp. 453–459. IEEE (2012)
[11] Halfond, W.G., Viegas, J., Orso, A.: A classification of SQL injection attacks and countermeasures. In: Proceedings of the International Symposium on Secure Software Engineering (ISSSE 2006), March 2006
[12] The Open Web Application Security Project (OWASP): OWASP Top 10 2013. https://www.owasp.org/index.php/Top_10_2013-Top_10. Accessed 17 July 2014
Acknowledgments
Our thanks to the experts who have contributed towards the study of SQL injection. We sincerely thank our colleagues and friends. This paper would have been uncertain without the help and guidance of my guide.
Cite this article
Kumar, D.G., Chatterjee, M. MAC based solution for SQL injection. J Comput Virol Hack Tech 11, 1–7 (2015). https://doi.org/10.1007/s11416-014-0219-6