Mark E. Fioravanti
Liam M. Mayron
ABSTRACT
SQL injection (SQLi) attacks present severe risks to applications; they may result in the unintended exposure, modification, corruption, or deletion of information. An error in a single line of code can introduce a vulnerability to an application, compounding the risk. There are a variety of strategies for detecting and mitigating SQLi, including but not limited to output filtering. Output filtering protects a system and its information by validating the records that are returned from the database management system. In this paper, we evaluate the effectiveness of output filtering, which has not yet been examined in the literature. We employ output filtering to protect custom Web application known to be vulnerable to SQLi attack. An experiment was performed to determine if output filtering was able to defend an application against SQLi attacks, as well as measure the potential performance impact. Results demonstrate that output filtering has the potential to defend against SQLi attacks and has a limited impact on an application's response time.
- OWASP top 10 2004: The ten most critical web application security vulnerabilities. OWASP Foundation, 1(5):8, April 2004.Google Scholar
- Pangolin v3.2.4 user guide, Jan 2011.Google Scholar
- Havij advanced SQL injection, 2012.Google Scholar
- Common attack pattern enumeration and classification (CAPEC)-66: SQL injection, version 2.1, June 2013.Google Scholar
- Common attack pattern enumeration and classification (CAPEC)-7: Blind SQL injection, version 2.1, June 2013.Google Scholar
- Common weakness enumeration (CWE)-89: Improper neutralization of special elements used in an SQL command ('SQL injection'), version 2.5, July 2013.Google Scholar
- R. Barnett. WASC threat classification: Sql injection. Technical report, Web Application Security Consortium, June 2010.Google Scholar
- E. Bertino, A. Kamra, and J. P. Early. Profiling database application to detect SQL injection attacks. In Performance, Computing, and Communications Conference, 2007. IPCCC 2007. IEEE International, pages 449--458, 2007.Google Scholar
- S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In M. Jakobsson, M. Yung, and J. Zhou, editors, Applied Cryptography and Network Security, volume 3089 of Lecture Notes in Computer Science, pages 292--302. Springer Berlin Heidelberg, 2004.Google ScholarCross Ref
- S. M. Christey. 2010 CWE/SANS top 25 most dangerous software errors. 2010.Google Scholar
- S. M. Christey. 2011 CWE/SANS top 25 most dangerous software errors. 2011.Google Scholar
- C. Cochin. SQLiX, 2006.Google Scholar
- B. Damele and S. M. SQLmap user's guide, 2013.Google Scholar
- X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao. A static analysis framework for detecting SQL injection vulnerabilities. In Computer Software and Applications Conference, 2007. COMPSAC 2007. 31st Annual International, volume 1, pages 87--96, 2007. Google ScholarDigital Library
- W. G. J. Halfond and A. Orso. AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks. In Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, ASE '05, pages 174--183, New York, NY, USA, 2005. ACM. Google ScholarDigital Library
- W. G. J. Halfond, J. Viegas, and A. Orso. A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering, Arlington, VA, USA, pages 13--15, 2006.Google Scholar
- H. Shahriar and M. Zulkernine. Information-theoretic detection of sql injection attacks. In High-Assurance Systems Engineering (HASE), 2012 IEEE 14th International Symposium on, pages 40--47. IEEE, 2012. Google ScholarDigital Library
- A. Stock, J. Williams, and D. Wichers. OWASP top 10 2007: The ten most critical web application security vulnerabilities. OWASP Foundation, 1(5):8, April 2007.Google Scholar
- S.-T. Sun, T. H. Wei, S. Liu, and S. Lau. Classification of SQL injection attacks. University of British Columbia, Term Project, 2007.Google Scholar
- S. Thomas, L. Williams, and T. Xie. On automated prepared statement generation to remove SQL injection vulnerabilities. Information and Software Technology, 51(3):589--598, 2009. Google ScholarDigital Library
- K. Wei, M. Muthuprasanna, and S. Kothari. Preventing SQL injection attacks in stored procedures. In Software Engineering Conference, 2006. Australian, pages 8 pp.--, 2006. Google ScholarDigital Library
- D. Wichers, J. Manico, and M. Seil. SQL injection prevention cheat sheet, December 2012.Google Scholar
- J. Williams and D. Wichers. OWASP top 10 2010: The ten most critical web application security vulnerabilities. OWASP Foundation, 1(5):8, April 2010.Google Scholar
- J. Williams and D. Wichers. OWASP top 10 2013: The ten most critical web application security risks. OWASP Foundation, 1(5):8, April 2013.Google Scholar
Index Terms
- Measuring the effectiveness of output filtering against SQL injection attacks
Recommendations
A Survey on SQL Injection Attacks, Detection and Prevention
ICMLC '20: Proceedings of the 2020 12th International Conference on Machine Learning and ComputingSince the uses of Web in daily life is increasing in past 20 years and becoming trend now, almost every Web application has its own database to store important data. An attacker can get or even modify the data from database through SQL injection ...
Mitigation of SQL Injection Attacks using Threat Modeling
Day after day, SQL Injection (SQLI) attack is consistently proliferating across the globe. According to Open Web Application Security Project (OWASP) Top Ten Cheat Sheet-2014, SQLI is at top in the list of online attacks. The cause of spread of SQLI is ...
Eliminating SQL injection and cross site scripting using aspect oriented programming
ESSoS'13: Proceedings of the 5th international conference on Engineering Secure Software and SystemsSecurity vulnerabilities in the web applications that we use to shop, bank, and socialize online expose us to exploits that cost billions of dollars each year. This paper describes the design and implementation of AspectShield, a system designed to ...
Comments