Hazem M. Harb; Derar Eleyan; Amna Eleyan

SQL Injection Detection Tools Advantages and Drawbacks

Full Text (PDF, 395KB), PP.16-21

Views: 0 Downloads: 0

Author(s)

Hazem M. Harb ^1,* Derar Eleyan ¹ Amna Eleyan ²

1. Palestine Technical University, Kadoorie

2. Manchester Metropolitan University, Department of Computing and Mathematics

* Corresponding author.

DOI: https://doi.org/10.5815/ijwmt.2021.03.03

Received: 5 Jan. 2021 / Revised: 30 Jan. 2021 / Accepted: 20 Feb. 2021 / Published: 8 Jun. 2021

Index Terms

SQLI, Web-based application, prevention and detection tools, Static analysis, Dynamic analysis

Abstract

SQL injection attack is a major threat to web application security. It has been rated as one of the most dangerous vulnerabilities for a web-based application. Based on the Open Web Application Security Project (OWASP), it is measured as one of the top ten. Many types of research have been made to face this attack either by preventing the threat or at least detecting it. We aim in this paper to give an overview of the SQL injection (SQLI) attack and classify these attacks and prevention and detection tools. We introduce the most current techniques and tools that are used to prevent and detect SQLI and highlight their strengths and weaknesses.

Cite This Paper

Hazem M. Harb, Derar Eleyan, Amna Eleyan, " SQL Injection Detection Tools Advantages and Drawbacks", International Journal of Wireless and Microwave Technologies(IJWMT), Vol.11, No.3, pp. 16-21, 2021. DOI: 10.5815/ijwmt.2021.03.03

Reference

[1]O. t. t. s. vulnerabilities, "OWASP," [Online]. Available: http://www.owasp.org/ index.php/Top_10. [Accessed 22 12 2020].

[2]"National Vulnerability Database," [Online]. Available: http://nvd.nist.gov. [Accessed 28 11 2020].

[3]K. Poulsen, "securityfocus," [Online]. Available: https://www.securityfocus.com/news/5968. [Accessed 5 12 2020].

[4]A. K. Ammar Alazab, "New strategy for Mitigating of SQL Injection Attack," International Journal of Computer Application, vol. 154, no. 11, November 2016, 2016.

[5]M. Muthuraja, "SQLIA Detection and Prevention using Parse Tree with Query Tokenization," in International Research Journal of Engineering and Technology (IRJET), Maharashtra, India, 2020.

[6]A. A. a. A. Khresiat, "New Strategy for Mitigating of SQL Injection Attack," International Journal of Computer Applications, vol. 154, pp. 1-10, 2016.

[7]B. A. a. E. O.-M. a. Z. Qin, "SQL injection attack detection using fingerprints and pattern matching technique," 2017 8th IEEE International Conference on Software Engineering and Service Science (ICSESS), pp. 583-587, 2017.

[8]M. F. Y. Zainab S. Alwan, "Detection and Prevention of SQL Injection Attack: A survey," International Journal of Computer Science and Mobile Computing, vol. 6, no. 8, August 2017, pp. 5-17, 2017.

[9]J. P. Singh, "Analysis of SQL Injection Detection Techniques," Theoretical and Applied Informatics, vol. 28, pp. 37-55, 2016.

[10]M. N. R. A. Mamdouh Alenezi, "SQL injection attacks countermeasures assessments," Indonesian Journal of Electrical Engineering and Computer Science, vol. 21, no. 2, pp. 1121-1131, Feb 2021.

[11]X. L. B. P. S. C. K. Q. a. L. T. Xiang Fu, " "A Static Analysis Framework For Detecting SQL Injection Vulnerabilities," Proc. of the 31st International Conf. on Computer Software and Applications, COMPSAC, vol. 07, pp. 87-96, 2007.

[12]R. M. a. P. Frankl, " "Preventing SQL Injection through Automatic Query Sanitization with ASSIST"," TAV-WEB (EPTCS), vol. 35, pp. 27-38, 210.

[13]L. W. a. T. X. S. Thomas, "On Automated Prepared Statement Generation to Remove SQL Injection Vulnerabilities," Information and Software Technology, vol. 51, no. 3, pp. 589-598, 2009.

[14]F. D. a. M. Sherriff, "Automated Fix Generator for SQL Injection Attacks"," Proc. of the 19th International Symposium on Software Reliability Engineering, pp. 311-312, 2008.

[15]P. G. K. J. a. M. E. A. Kieyzun, " "Automatic creation of SQL Injection and cross-site scripting attacks,"," Proc. of the IEEE 31st International Conference on Software Engineering, ICSE, 2009.

[16]a. G. A. R. Ezumalai, " "Combinatorial Approach for Preventing SQL Injection Attacks"," Proc. of the International Advance Computing Conference (IACC ‘09), IEEE Computer Society, pp. 1212-1217, 2009.

[17]R. A. M. a. I. H. Kruger, "SQL DOM: compile-time checking of dynamic SQL statements”," Proc. of the 27th International Conference on Software Engineering, ICSE’05, pp. 88-96, 2005.

[18]J. X. K. L. Y. Z. J. Y. W. Tian, "Research on mock attack testing for SQL injection vulnerability in multi-defense level web applications," Proc. of the 2nd International Conference on Information Science and Engineering (ICISE’10), pp. 1-5, 2010.

[19]D. M. a. G. V. F. Valeur, "A Learning-Based Approach to the Detection of SQL Attacks”," Proc. of the Conference on Detection of Intrusions and Malware Vulnerability Assessment (DIMVA), Vienna, Austria, 2005.

[20]L. W. G. W. D. Z. a. Y. Y. X. Wang, "Hidden web crawling for SQL injection detection," the 3rd IEEE International Conference on Broadband Network and Multimedia Technology (IC-BNMT’10), pp. 14-18, 2010.

[21]P. K. S. M. A. Harish Dehariya, "A Survey on Detection and Prevention Techniques for SQL Injection Attack," International Journal of Wireless and Microwave Technologies(IJWMT), vol. 6, no. 6, pp. 72-79, 2016.

[22]C. M. X. a. J. M. G. Jiao, "SQLIMW: A New Mechanism against SQL-injection,”," International Conference on Computer Science & Service System, pp. 1178-1180, 2012.

[23]R. R. a. S. Shrivastav, " “SQL injection attack Detection using SVM," ” International Journal of Computer Applications", pp. 1-4, 2012.

[24]C. L. S. C. Y. H. H. H. a. F. H. K. Zhang, " “TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks," Proc. of the First International Conference on Robot, Vision and Signal processing, pp. 248-251, 2011.

[25]Y. H. a. N. Zhihong, "A database security testing scheme of the web application"," Proc. of the 4th International Conference on Computer Science & Education, no. 09, pp. 953-955, 2009.

[26]K. K. a. T. Tzouramanis, "SQL-IDS: A Specification-based approach for SQL-injection Detection," Proc. of the 2008 ACM symposium on Applied Computing, 2008.

[27]M. Asaad, "Artificial Neural Network based Web Application Firewall for SQL Injection," World Academy of Science, Engineering & Technology., vol. 64, pp. 12-21, 2010.

[28]R. J. J. V.nithya, "A survey on SQL Injection attacks, their Detection, and Prevention Techniques," International Journal oF Engineering and Computer Science ISSN: 2319-7242, vol. 2, no. 4 April 2013, pp. 886-905, 2013.

[29]C. M. X. a. J. M. G. Jiao, "SQLIMW: A New Mechanism against SQL-injection,”

International Journal of Wireless and Microwave Technologies (IJWMT)