
Integrated approach to prevent SQL injection attack and reflected cross site scripting attack

  • Original Article
  • International Journal of System Assurance Engineering and Management

Abstract

The Internet and web applications play a very important role in modern daily life. Many everyday activities, such as browsing, online shopping and booking travel tickets, have become easier through web applications. As the number of web applications grows, their security becomes a major concern. Most web applications use a database as a back end to store critical information such as user credentials, financial and payment information and company statistics. These websites are continuously targeted by highly motivated malicious users seeking monetary gain. Multiple client-side and server-side vulnerabilities, such as SQL injection and cross site scripting, are discovered and exploited by malicious users. SQL injection attacks and cross site scripting vulnerabilities are top ranked in the Open Web Application Security Project (OWASP) top ten vulnerabilities list. A number of security approaches have been proposed and used to secure web applications, such as secure coding practices, encryption, and static and dynamic analysis of code, but statistics show that these vulnerabilities still rank at the top. In this paper, we present an integrated model to prevent SQL injection attacks and reflected cross site scripting attacks in PHP-based implementations. This model is more effective at preventing SQL injection attacks and reflected cross site scripting attacks in a production web environment. Our mechanism is divided into two modes, a safe mode and a production mode. In the safe mode we construct a security query model for each identified SQL query, to prevent SQL injection attacks, and a sanitizer model for each input entry point, to prevent reflected cross site scripting attacks. In the production environment, input entries that create dynamic SQL queries are validated against the security query model generated in safe mode, and normal input text entered by the user is validated by the sanitizer model instrumented in the code in safe mode. The results and analysis show that the proposed approach is simple and effective at preventing common SQL injection vulnerabilities and reflected cross site scripting vulnerabilities.
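As an added illustration, not code from the paper, the following Python sketch shows the two-mode idea the abstract describes: in safe mode a structural model of each query site is recorded, and in production every dynamically built query is compared against it, while reflected input is passed through a sanitizer. The tokenizer, the `login_query` site and the `register_query`/`guarded_query` names are assumptions of this sketch; the paper's PHP instrumentation is not reproduced.

```python
import html
import re

# Tokenizer that reduces a SQL string to its structural skeleton: keywords,
# identifiers, operators and comments are kept; every literal becomes "LIT".
TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'          |  # single-quoted string literal ('' escapes a quote)
    \d+(?:\.\d+)?           |  # numeric literal
    --[^\n]*|/\*.*?\*/      |  # SQL comments: kept, since they alter the structure
    [A-Za-z_][A-Za-z0-9_]*  |  # keyword or identifier
    <>|<=|>=|[=<>(),;*+/-]     # operators and punctuation
""", re.VERBOSE | re.DOTALL)

def query_model(sql):
    """Security query model: the token sequence with literals collapsed to LIT."""
    model = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'") or tok[0].isdigit():
            model.append("LIT")
        elif tok.startswith("--") or tok.startswith("/*"):
            model.append("COMMENT")
        else:
            model.append(tok.upper())
    return model

SAFE_MODE_MODELS = {}  # query site -> model recorded in safe mode

def register_query(site, build_query):
    """Safe mode: build the query once with benign sample input, store its model."""
    SAFE_MODE_MODELS[site] = query_model(build_query("sample"))

def guarded_query(site, build_query, user_input):
    """Production mode: refuse any dynamic query whose structure differs from the
    safe-mode model (extra OR, comment, second statement...). Returns the SQL
    string on a match, otherwise None. Only structure is compared, so a benign
    value the code failed to escape (O'Brien) is refused too: fail-safe."""
    sql = build_query(user_input)
    if query_model(sql) != SAFE_MODE_MODELS[site]:
        return None
    return sql

def sanitize_reflected(text):
    """Sanitizer model for an entry point whose value is echoed back into HTML."""
    return html.escape(text, quote=True)

def render_search_page(term):
    """Production mode: the reflected search term passes through the sanitizer."""
    return "<p>Results for: %s</p>" % sanitize_reflected(term)

def login_query(name):  # hypothetical query site, string-concatenated as in PHP
    return "SELECT id FROM users WHERE name='%s'" % name

register_query("login", login_query)  # safe mode run for this site
```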


Abbreviations

XSS: Cross site scripting
SQL: Structured query language
SQLIA: SQL injection attacks
OWASP: Open web application security project
MHAPSIA: Model based hybrid approach to prevent SQL injection attacks
DFA: Deterministic finite automata
NFA: Nondeterministic finite automata
AMNeSIA: Analysis and monitoring for neutralizing SQL injection attacks
JDBC: Java database connectivity
HTML: Hyper text markup language


Acknowledgments

Authors wish to express sincere gratitude to the administration of Department of Electronics & Information Technology, Government of India and GGSIP University for providing the academic environment to pursue research activities. In particular we would like to thank Dr. Gulshan Rai, DG, CERT-In, Mr. B.J Srinath, Scientist ‘G’ and Mr. A. S. Chawla, Scientist ‘F’, CERT-In for guidance and inputs.

Author information

Corresponding author

Correspondence to Pankaj Sharma.


About this article

Cite this article

Sharma, P., Johari, R. & Sarma, S.S. Integrated approach to prevent SQL injection attack and reflected cross site scripting attack. Int J Syst Assur Eng Manag 3, 343–351 (2012). https://doi.org/10.1007/s13198-012-0125-6
