A Survey on Detection and Prevention Techniques for SQL Injection Attacks

Full Text (PDF, 439KB), pp. 72-79


Author(s)

Harish Dehariya 1,*, Piyush Kumar Shukla 1, Manish Ahirwar 1

1. Department of Computer Science and Engineering, UIT-RGPV, Bhopal, 462036 India

* Corresponding author.

DOI: https://doi.org/10.5815/ijwmt.2016.06.08

Received: 20 Jul. 2016 / Revised: 4 Sep. 2016 / Accepted: 3 Oct. 2016 / Published: 8 Nov. 2016

Index Terms

SQL Injection Attack, Web Application, Vulnerabilities, Detection, Prevention techniques

Abstract

Web applications are now widely used for purposes such as online shopping, online money transfer, e-bill payment and online mobile recharges. As dependency on these web applications grows, so do the attacks against them. SQL Injection Attacks (SQLIA) and Cross-Site Scripting (XSS) are major problems for web applications. An SQL Injection Attack (SQLIA) is the most common type of vulnerability, in which a malicious person inserts a crafted query as input in order to retrieve the sensitive personal information of other users. In this paper, various techniques for the detection and prevention of SQL injection attacks are described and compared.
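As an added illustration that is not part of the paper, the crafted-input attack the abstract describes is shown beside its parameterized counterpart, together with a simple structure-comparison check of the kind surveyed under detection techniques. It is written in Python with sqlite3 on constructed sample rows; the table, column names and the input value are assumptions made for this example only.

```python
import re
import sqlite3

# Constructed sample rows, used only for this example.
USERS = [("alice", "alice@example.com", "555-0100"),
         ("bob", "bob@example.com", "555-0101")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

def build_concatenated(name):
    # Vulnerable: the user-supplied value is spliced into the SQL text,
    # so it can change the structure of the query, not just a value.
    return "SELECT name, email, phone FROM users WHERE name = '" + name + "'"

def lookup_vulnerable(conn, name):
    return conn.execute(build_concatenated(name)).fetchall()

def lookup_parameterized(conn, name):
    # Hardened: the value is bound to a placeholder by the driver and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT name, email, phone FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def normalize(sql):
    # Replace each single-quoted literal with a marker so that only the
    # query's structure remains for comparison.
    return re.sub(r"'(?:[^']|'')*'", "?", sql)

def structure_changed(name):
    # Detection: the query built from the real input must have the same
    # structure as the query built from a benign value; otherwise the
    # input has altered the SQL grammar rather than supplying a value.
    expected = normalize(build_concatenated("benign"))
    return normalize(build_concatenated(name)) != expected

CRAFTED = "x' OR '1'='1"   # constructed input that appends a second condition

def demo():
    conn = make_db()
    return {
        "vuln_crafted": lookup_vulnerable(conn, CRAFTED),      # every row leaks
        "param_crafted": lookup_parameterized(conn, CRAFTED),  # no match
        "detected": structure_changed(CRAFTED),                # True
        "false_alarm": structure_changed("alice"),             # False
    }
```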

Cite This Paper

Harish Dehariya, Piyush Kumar Shukla, Manish Ahirwar, "A Survey on Detection and Prevention Techniques for SQL Injection Attacks", International Journal of Wireless and Microwave Technologies (IJWMT), Vol. 6, No. 6, pp. 72-79, 2016. DOI: 10.5815/ijwmt.2016.06.08
