A novel method for SQL injection attack detection based on removing SQL query attribute values

Mathematical and Computer Modelling

Volumn 55, Issue 1-2, 2012, Pages 58-68

  Lee, Inyong ^a   Jeong, Soonki ^a   Yeo, Sangsoo ^b   Moon, Jongsub ^a  

^a Korea University   (South Korea)

^b Mokwon University   (South Korea)

Author keywords

A combined dynamic and static method; DBMS; SQL injection attack; SQL query; Web application

Indexed keywords

ATTACK DETECTION; ATTRIBUTE VALUES; CODE INJECTION; DATABASE LAYER; DETECTION METHODS; DYNAMIC CONTENT; SECURITY VULNERABILITIES; SQL INJECTION; SQL QUERY; STATIC AND DYNAMIC ANALYSIS; STATIC METHOD; WEB APPLICATION;

DATABASE SYSTEMS; NETWORK SECURITY;

DYNAMIC ANALYSIS;

EID: 82755194883     PISSN: 08957177     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.mcm.2011.01.050     Document Type: Article

References (30)

1. The Open Web Application Security Project, OWASP TOP 10 Project. http://www.owasp.org/.
2. Apache Struts Project, Struts. http://struts.apache.org/.
3. PHP, magic quotes. http://www.php.net/magic_quotes/.
4. C. Gould, Z. Su, P. Devanbu, JDBC checker: a static analysis tool for SQL/JDBC applications, in: Proceedings of the 26th International Conference on Software Engineering, ICSE, 2004, pp. 697-698.
5. Y. Huang, F. Yu, C. Hang, C.H. Tsai, D.T. Lee, S.Y. Kuo, Securing web application code by static analysis and runtime protection, in: Proceedings of the 12th International World Wide Web Conference ACM, 2004, pp. 40-52.
6. V.B. Livshits, M.S. Lam, Finding security errors in Java programs with static analysis, in: Proceedings of the 14th Usenix Security Symposium, 2005, pp. 271-286.
7. Thomas S., Williams L. Using automated fix generation ot secure SQL statements. Proceeding of the 29th International Conference on Software Engineering Workshops 2007, 54. IEEE Computer Society.
8. G. Wassermann, Z. Su, An analysis framework for security in web applications, in: Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems, SAVCBS, 2004, pp. 70-78.
9. Y. Kosuga, K. Kernel, M. Hanaoka, M. Hishiyama, Y. Takahama, Sania: syntactic and semantic analysis for automated testing against SQL injection, in: Proceedings of the Computer Security Applications Conference 2007, 2007, pp. 107-117.
10. Paros. Parosproxy.org. http://www.parosproxy.org/.
11. Y. Shin, Improving the identification of actual input manipulation vulnerabilities, in: 14th ACM SIGSOFT Symposium on Foundations of Software Engineering ACM, 2006.
12. G. Buehrer, B.W. Weide, P.A. Sivilotti, Using parse tree validation to prevent SQL injection attacks, in: Proceedings of the 5th International Workshop on Software Engineering and Middleware, 2005, pp. 105-113.
13. G. Buehrer, B.W. Weide, P.A.G. Sivilotti, Using parse tree validation to prevent SQL injection attacks, in: Proceeding of the 5th International Workshop on Software Engineering and Middleware ACM, 2005, pp. 106-113.
14. W.G. Halfond, A. Orso, AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks, in: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, 2005, pp. 174-183.
15. Z. Su, G. Wassermann, The essence of command injection attacks in web applications, in: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 2006, pp. 372-382.
16. K. Wei, M. Muthuprasanna, S. Kothari, Preventing SQL injection attacks in stored procedures, in: Software Engineering Conference 2006. Australian, 2006, pp. 18-21.
17. Y. Huang, S. Huang, T. Lin, C. Tasi, Web application security assessment by fault injection and behavior monitoring, in: Proceedings of the 12th International Conference on World Wide Web, 2003, pp. 148-159.
18. F. Valeur, D. Mutz, G. Vigna, A learning-based approach to the detection of SQL attacks, in: Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment, 2005, pp 123-140.
19. P.-Y. Gibello, Zql: A java SQL parser. http://www.gibello.com/code/zql.
20. Boyd S., Keromytis A. SQLrand: preventing SQL injection attacks. LNCS 2004, vol. 3089:292-302.
21. Park J., Noh B. SQL injection attack detection: profiling of web application parameter using the sequence pairwise alignment. LNCS 2007, vol. 4298:74-82.
22. GotoCode. http://www.gotocode.com/.
23. W.G. Halfond, J. Viegas, A. Orso, A classification of SQL-injection attacks and countermeasures, in: Proceeding on International Symposium on Secure Software Engineering, Raleigh, NC, USA, 2006, pp. 65-81.
24. Pietraszek T.C., Berghe V. Defending against injection attacks through context-sensitive string evaluation. LNCS 2006, vol. 3858:124-145.
25. V. Haldar, D. Chandra, Franz, Dynamic Taint propagation for Java, in: Proceedings 21st Annual Computer Security Applications Conference, 2005, pp. 303-311.
26. Nguyen-Tuong A., Guarnieri S., Greene D., Shirley J., Evans D. Automatically hardening web application using precise tainting information. LNCS 2005, vol. 181:295-307.
27. W.R. Cook, S. Rai, Safe query objects: statically typed objects as remotely executable queries, in: Proceedings of the 27th International Conference on Software Engineering, 2005, pp. 97-106.
28. D. Scott, R. Sharp, Abstracting application-level web security, in: Proceedings of the 11th International Conference on the World Wide Web, 2002, pp. 396-407.
29. M. Martin, B. Livshits, M.S. Lam, Finding application errors and security flaws using PQL: a program query language, in: Proceedings of the 20th Annual ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications, 2005, pp. 365-383.
30. R. McClure, I. Krüger, SQL DOM: compile time checking of dynamic SQL statements, in: Proceedings of the 27th International Conference on Software Engineering, 2005, pp. 88-96.