Evaluation of SQL injection detection and prevention techniques

Proceedings - 2nd International Conference on Computational Intelligence, Communication Systems and Networks, CICSyN 2010

Volumn , Issue , 2010, Pages 216-221

  Tajpour, Atefeh ^a   Shooshtari, Mohammad Jorjor Zade ^a  

^a MALAYSIA JAPAN INTERNATIONAL INSTITUTE OF TECHNOLOGY   (Malaysia)

Author keywords

Detection; Evaluation; Prevention; SQL Injection Attacks; Technique

Indexed keywords

DETECTION; EVALUATION; PREVENTION; SQL INJECTION; TECHNIQUE;

ARTIFICIAL INTELLIGENCE; COMMUNICATION SYSTEMS; DATABASE SYSTEMS; WORLD WIDE WEB;

COMPUTER CRIME;

EID: 78649806181     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CICSyN.2010.55     Document Type: Conference Paper

References (28)

1. W. G. Halfond, A. Orso, Using Positive Tainting and Syntax Aware Evaluation to Counter SQL Injection Attacks, 14th ACM SIGSOFT international symposium on Foundations of software engineering 2006, ACM. pp 175 - 185.
2. Sruthi Bandhakavi, Prithvi Bisht, P. Madhusudan, CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations, 2007, Alexandria, Virginia, USA, ACM.
3. Marco Cova, Davide Balzarotti. Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), (Queensland, Australia), September 5-7, 2007, pp. 63-86.
4. W. G. Halfond, J. Viegas and A. Orso, "A Classification of SQL Injection Attacks and Countermeasures," College of Computing Georgia Institute of Technology IEEE, 2006.
5. Z. Su and G Wassermann. The Essence of Command Injection Attacks in Web Applications. In The 33rd Annual Symposium on Principles of Programming Languages (POPL 2006), Jan. 2006.
6. F. Valeur, D. Mutz, and G Vigna. A Learning-Based Approach to the Detection of SQL Attacks. In Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Vienna, Austria, July 2005.
7. Prithvi Bisht, P. Madhusudan. CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. Proceedings of the 14th ACM Conference on Computer and Communications Security. 2007. USA: ACM, pp 1-38.
8. Konstantinos Kemalis and Theodoros Tzouramanis. SQL-IDS: A Specification-based Approach for SQL Injection Detection Symposium on Applied Computing. 2008, Pp: 2153-2158, Fortaleza, Ceara, Brazil. New York, NY, USA: ACM.
9. A. S. Christensen, A. MOller, and M. I. Schwartzbach. Precise Analysis of String Expressions. In Proc. 10th International Static Analysis Symposium, SAS '03, volume 2694 of LNCS, pp 1-18. Springer-Verlag, June 2003.
10. G. T. Buehrer, B. W. Weide, and P. A. G. Sivilotti. Using Parse Tree Validation to Prevent SQL Injection Attacks. In International Workshop on Software Engineering and Middleware (SEM), 2005.
11. P. Grazie., PhD SQLPrevent thesis. University of British Columbia (UBC) Vancouver, Canada.2008.
12. th International Conference on Software Engineering (ICSE 04) Formal Demos, pp 697-698, 2004.
13. C. Gould, Z. Su, and P. Devanbu. Static Checking of Dynamically Generated Queries in Database Applications. In Proceedings of the 26th International Conference on Software Engineering (ICSE 04).
14. M. Martin, B. Livshits, and M. S. Lam. Finding Application Errors and Security Flaws Using PQL: A Program Query Language. In Proceedings of the 20th Annual ACM SIGPLAN conference on Object oriented programming systems languages and applications (OOPSLA 2005), pp 365-383, 2005.
15. Y. Huang, F. Yu, C. Hang, C. H. Tsai, D. T. Lee, and S. Y. Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In Proceedings of the 12th International World Wide Web Conference (WWW 04), May 2004.
16. W. G. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the IEEE and ACM International Conference on Automated Software Engineering (ASE 2005), Long Beach, CA, USA, Nov 2005.
17. W. G. Halfond and A. Orso. Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. In Proceedings of the Third International ICSE Workshop on Dynamic Analysis (WODA 2005), pp 22-28, St. Louis, MO, USA, May 2005.
18. Y. Huang, S. Huang, T. Lin, and C. Tsai. Web Application Security Assessment by Fault Injection and Behavior Monitoring. In Proceedings of the 11th International World Wide Web Conference (WWW 03), May 2003.
19. T. Pietraszek and C. V. Berghe. Defending Against Injection Attacks through Context-Sensitive String Evaluation. In Proceedings of Recent Advances in Intrusion Detection (RAID 2005), 2005.
20. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically Hardening Web Applications Using Precise Tainting Information. In Twentieth IFIP International Information Security Conference (SEC 2005), May 2005.
21. V. Haldar, D. Chandra, and M. Franz. Dynamic Taint Propagation for Java. In Proceedings 21st Annual Computer Security Applications Conference, Dec. 2005.
22. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL Injection Attacks. In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, pp 292-302. June 2004.
23. G. Wassermann and Z. Su. An Analysis Framework for Security in Web Applications. In Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), pp 70-78.
24. th International Conference on Software Engineering (ICSE 2005), 2005.
25. R. McClure and I. Kruger. SQL DOM: Compile Time Checking of Dynamic SQL Statements. In Proceedings of the 27th International Conference on Software Engineering (ICSE 05), pp 88-96, 2005.
26. th International Conference on the World Wide Web (WWW 2002), pp 396-407, 2002.
27. V. B. Livshits and M. S. Lam. Finding Security Errors in Java Programs with Static Analysis. In Proceedings of the 14th Usenix Security Symposium, pp 271-286, Aug. 2005.
28. Xiang Fu, Kai Qian. SAFELI-SQL Injection Scanner Using Symbolic Execution. Proceedings of the 2008 workshop on Testing, analysis, and verification of web services and applications. (2008). pp 34-39: ACM.