
Defeating SQL injection attack in authentication security: an experimental study

Regular Contribution, International Journal of Information Security

Abstract

Whenever a web application executes dynamic SQL statements, it may come under SQL injection attack. To evaluate the existing practices for its detection, we consider two different security scenarios for web-application authentication that generate dynamic SQL queries from user input data. Accordingly, we generate two different datasets by considering all possible vulnerabilities in the run-time queries. We present a proposed approach based on edit distance to classify a dynamic SQL query as normal or malicious, using a web profile prepared from the dynamic SQL queries observed during the training phase. We evaluate the datasets using the proposed approach and some well-known supervised classification approaches. Our proposed method is found to be more effective in detecting SQL injection attacks under both scenarios of authentication security.
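The edit-distance classification sketched in the abstract, as an added example that is not the paper's own code or dataset: it normalises each quoted literal to a placeholder (an assumption of this example, not something the abstract states), builds a web profile from constructed training queries, and flags a run-time query whose Levenshtein distance to every profile entry exceeds a hypothetical threshold.

```python
import re

# Constructed training queries: a tiny stand-in for the paper's web profile.
TRAINING_QUERIES = [
    "SELECT id FROM users WHERE name='alice' AND pwd='s3cret'",
    "SELECT id FROM users WHERE name='bob' AND pwd='hunter2'",
    "SELECT id FROM users WHERE email='carol@example.org' AND pwd='pw'",
]

_LITERAL = re.compile(r"'[^']*'")


def levenshtein(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(query: str) -> str:
    """Assumption of this example: collapse every quoted literal to '?' so the
    profile captures query *shape*.  Legitimate inputs of any length map to
    the same shape; input that breaks out of its literal changes the shape
    and therefore drives the distance up."""
    return _LITERAL.sub("'?'", query)


def build_profile(training):
    """Web profile: the set of normalised query shapes seen during training."""
    return {normalise(q) for q in training}


def distance_to_profile(query, profile):
    """Smallest edit distance between the query's shape and any profile entry."""
    shape = normalise(query)
    return min(levenshtein(shape, p) for p in profile)


def classify(query, profile, max_distance=2):
    """'normal' if some profile entry is within max_distance edits, else 'malicious'.
    The threshold is hypothetical; the paper tunes it on its datasets."""
    return "normal" if distance_to_profile(query, profile) <= max_distance else "malicious"
```

In a real deployment numeric literals and escaped quotes would need the same normalisation, and the profile would be built from the application's actual training traffic.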



Author information

Correspondence to Debasish Das.


Cite this article

Das, D., Sharma, U. & Bhattacharyya, D.K. Defeating SQL injection attack in authentication security: an experimental study. Int. J. Inf. Secur. 18, 1–22 (2019). https://doi.org/10.1007/s10207-017-0393-x
