A Classification of SQL Injection Attacks and Techniques to Defend These Attacks in the Passive Defense

Document Type : Original Article

Abstract

SQL injection attacks are a serious security threat to web applications in cyberspace. SQL injection attacks allow attackers to gain unlimited access to a database that includes applications and potentially sensitive information. Although researchers and practitioners have proposed different methods to solve the SQL injection problem, current approaches either fail to solve the full scope of the problem or have limitations that prevent their use and adoption. Many researchers and practitioners are familiar with only a subset of a wide range of available techniques to defend against SQL injection attacks. This paper provides a classification based on a comprehensive review of current techniques to defend against SQL injection attacks. This classification helps military and government organizations to understand the techniques of defense against SQL injection attacks. Hence, based on this classification, military and government organizations can choose appropriate techniques depending on their resources and environments. To deal with the problem of SQL injection attacks, this study provides a survey on various types of SQL injection attacks that are known today, with examples of how attacks can be made. Various methods are described to diagnose SQL injection vulnerabilities, and also existing detection and prevention techniques against SQL injection attacks are investigated. For each technique, a classification is made about its features, its strengths and weaknesses in dealing with SQL injection attacks.     

Keywords


  1. OWASP Top 10 Application Security Risks – 2017. Available: https://www.owasp.org/index.php/Top_10_2017-Top_10##
  2. K. V. P. R. Sheth, “Survey on Prevention of Web Injection using WAF and Input Whitelisting,” 2017.##
  3. Z. Su and G. Wassermann, “The Essence of Command Injection Attacks in Web Applications,” in In The 33rd Annual Symposium on Principles of Programming Languages, 2006.##
  4. W. G. Halfond, J. Viegas, and A. Orso, “A classification of SQL-injection attacks and countermeasures,” in Proceedings of the IEEE International Symposium on Secure Software Engineering, vol. 1, pp. 13-15, IEEE, 2006.##
  5. X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao, “A static analysis framework for detecting SQL injection vulnerabilities,” in Computer Software and Applications Conference, 2007. COMPSAC 2007. 31st Annual International, vol. 1, pp. 87-96: IEEE, 2007.##
  6. H. K. Kim, “Frameworks for SQL Retrieval on Web Application Security,” in Proceedings of the International MultiConference of Engineers and Computer Scientists, vol. 1, pp. 1781-2006, 2010.##
  7. I. Lee, S. Jeong, S. Yeo, and J. Moon, “A novel method for SQL injection attack detection based on removing SQL query attribute values,” Mathematical and Computer Modelling, vol. 55, no. 1, pp. 58-68, 2012.##
  8.  W. G. Halfond and A. Orso, “Preventing SQL injection attacks using AMNESIA,” in Proceedings of the 28th international conference on Software engineering, ACM, pp. 795-798, 2006.##
  9. J. Wang, R. C.-W. Phan, J. N. Whitley, and D. J. Parish, “Augmented attack tree modeling of SQL injection attacks,” in Information Management and Engineering (ICIME), 2010 The 2nd IEEE International Conference on, IEEE, pp. 182-186, 2010.##
  10. A. Yeole and B. Meshram, “Analysis of different technique for detection of SQL injection,” in Proceedings of the International Conference & Workshop on Emerging Trends in Technology, ACM, pp. 963-966, 2011.##
  11. Y. V. N. Manikanta and A. Sardana, “Protecting web applications from SQL injection attacks by using framework and database firewall,” in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, ACM, pp. 609-613, 2012.##
  12. A. Tajpour, M. Z. Heydari, M. Masrom, and S. Ibrahim, “SQL injection detection and prevention tools assessment,” in Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International Conference on, vol. 9, IEEE, pp. 518-522, 2010.##
  13. J. Clarke-Salt, “SQL injection attacks and defense,” Elsevier, 2009.##
  14. D. Fraunholz, M. Zimmermann, and H. D. Schotten, “An adaptive honeypot configuration, deployment and maintenance strategy,” in Advanced Communication Technology (ICACT), 2017 19th International Conference on, pp. 53-57: IEEE, 2017.##
  15. C. Gould, Z. Su, and P. Devanbu, “JDBC checker: A static analysis tool for SQL/JDBC applications,” in Proceedings of the 26th International Conference on Software Engineering, pp. 697-698, IEEE Computer Society, 2004.##
  16. V. B. Livshits and M. S. Lam, “Finding Security Vulnerabilities in Java Applications with Static Analysis,” in USENIX Security Symposium, vol. 14, pp. 8-18, 2005.##
  17. Y. Shin and L. A. Williams, “Towards a taxonomy of techniques to detect cross-site scripting and SQL injection vulnerabilities,” North Carolina State University Dept. of Computer Science, 2008.##
  18. D. Scott and R. Sharp, “Abstracting application-level web security,” in Proceedings of the 11th international conference on World Wide Web, pp. 396-407, ACM, 2002.##
  19. Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai, “Web application security assessment by fault injection and behavior monitoring,” in Proceedings of the 12th international conference on World Wide Web, pp.  148-159, ACM, 2003.##
  20. A. A. Alfantookh, “An automated universal server level solution for SQL injection security flaw,” in Proceedings of the 2004 International Conference on Electrical, Electronic and Computer Engineering (ICEEC'04), pp. 131-135, 2004.##
  21. S. Boyd and A. Keromytis, “SQLrand: Preventing SQL injection attacks,” in Applied Cryptography and Network Security, pp. 292-302, Springer, 2004.##
  22. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo, “Securing web application code by static analysis and runtime protection,” in Proceedings of the 13th international conference on World Wide Web, pp.   40-52, ACM, 2004.##
  23. G. Wassermann and Z. Su, “An analysis framework for security in web applications,” in Proceedings of the FSE Workshop on Specification and Verification of component-Based Systems (SAVCBS 2004), pp. 70-78, 2004.##
  24. G. Buehrer, B. W. Weide, and P. A. Sivilotti, “Using parse tree validation to prevent SQL injection attacks,” in Proceedings of the 5th international workshop on Software engineering and middleware, pp. 106-113, ACM, 2005.##
  25. M. Sam and N. SQLBlock, “SQL Injection Protection by Variable Normalization of SQL Statement,” Online http://www. sqlblock. com/sqlblock. pdf, 2005.##
  26. V. Haldar, D. Chandra, and M. Franz, “Dynamic taint propagation for Java,” in Computer Security Applications Conference, 21st Annual, pp. 9-311, IEEE, 2005.##
  27. W. G. Halfond and A. Orso, “AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks,” in Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, pp.      174-183, ACM, 2005.##
  28. M. Martin, B. Livshits, and M. S. Lam, “Finding application errors and security flaws using PQL: a program query language,” in ACM SIGPLAN Notices, vol. 40, no. 10, pp. 365-383, ACM, 2005.##
  29. I. Kruger and R. McClure, “SQL DOM: compile time checking of dynamic SQL statements,” in 27th International Conference on Software Engineering, pp.    88-96: IEEE.##
  30. F. Valeur, D. Mutz, and G. Vigna, “A learning-based approach to the detection of SQL attacks,” Detection of intrusions and malware, and vulnerability assessment, pp. 533-546, 2005.##
  31. N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: A static analysis tool for detecting web application vulnerabilities,” in Security and Privacy, 2006 IEEE Symposium on, , pp. 6 -263, IEEE, 2006.##
  32. S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, “Secubat: a web vulnerability scanner,” in Proceedings of the 15th international conference on World Wide Web, pp.  247-256, ACM, 2006.##
  33. J.-C. Lin and J.-M. Chen, “An automatic revised tool for anti-malicious injection,” in Computer and Information Technology, 2006. CIT'06. The Sixth IEEE International Conference on, pp. 164-164: IEEE, 2006.##
  34. M. Muthuprasanna, K. Wei, and S. Kothari, “Eliminating SQL injection attacks-A transparent defense mechanism,” in Web Site Evolution, 2006. WSE'06. Eighth IEEE International Symposium on, pp. 22-32: IEEE, 2006.##
  35. T. Pietraszek and C. V. Berghe, “Defending against injection attacks through context-sensitive string evaluation,” in RAID, vol. 3858, pp. 124-145, Springer, 2005.##
  36. Z. Su and G. Wassermann, “The essence of command injection attacks in web applications,” in ACM SIGPLAN Notices, vol. 41, no. 1, pp. 372-382: ACM, 2006.##
  37. K. Wei, M. Muthuprasanna, and S. Kothari, “Preventing SQL injection attacks in stored procedures,” in Software Engineering Conference, Australian, pp. 8-198, IEEE, 2006.##
  38. M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna, “Swaddler: An approach for the anomaly-based detection of state violations in web applications,” in Recent Advances in Intrusion Detection, pp. 63-86, Springer, 2007.##
  39. J. Fonseca, M. Vieira, and H. Madeira, “Detecting malicious SQL,” Trust, Privacy and Security in Digital Business, pp. 259-268, 2007.##
  40. G. Hermosillo, R. Gomez, L. Seinturier, and L. Duchien, “Using aspect programming to secure web applications,” Journal of Software, vol. 6, no. 2, pp. 53-63, 2007.##
  41. M. Johns and C. Beyerlein, “SMask: preventing injection attacks in web applications by approximating automatic data/code separation,” in Proceedings of the 2007 ACM symposium on Applied computing, pp. 284-291: ACM, 2007.##
  42. Y. Kosuga, K. Kono, M. Hanaoka, M. Hishiyama, and Y. Takahama, “Sania: Syntactic and semantic analysis for automated testing against sql injection,” in Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual, pp. 107-117, IEEE, 2007.##
  43. E. Merlo, D. Letarte, and G. Antoniol, “Automated protection of php applications against SQL-injection attacks,” in Software Maintenance and Reengineering, 2007. CSMR'07. 11th European Conference on, pp.       191-202, IEEE, 2007.##
  44. S. Thomas and L. Williams, “Using automated fix generation to secure SQL statements,” in Proceedings of the Third International Workshop on Software Engineering for Secure Systems, p. 9, IEEE Computer Society, 2007.##
  45. F. Dysart and M. Sherriff, “Automated fix generator for sql injection attacks,” in Software Reliability Engineering, 2008. ISSRE 2008. 19th International Symposium on, pp. 311-312, IEEE, 2008.##
  46. X. Fu and K. Qian, “SAFELI: SQL injection scanner using symbolic execution,” in Proceedings of the 2008 workshop on Testing, analysis, and verification of web services and applications, pp. 34-39, ACM, 2008.##
  47. W. Halfond, A. Orso, and P. Manolios, “WASP: Protecting web applications using positive tainting and syntax-aware evaluation,” IEEE Transactions on Software Engineering, vol. 34, no. 1, pp. 65-81, 2008.##
  48. K. Kemalis and T. Tzouramanis, “SQL-IDS: a specification-based approach for SQL-injection detection,” in Proceedings of the 2008 ACM symposium on Applied computing, pp. 2153-2158, ACM, 2008.##
  49. M. Kiani, A. Clark, and G. Mohay, “Evaluation of anomaly based character distribution models in the detection of SQL injection attacks,” in Availability, Reliability and Security, 2008. ARES 08. Third International Conference on, pp. 47-55, IEEE, 2008.##
  50. J.-C. Lin, J.-M. Chen, and C.-H. Liu, “An automatic mechanism for sanitizing malicious injection,” in Young Computer Scientists, 2008. ICYCS 2008. The 9th International Conference for, pp. 1470-1475, IEEE, 2008.##
  51. D. Mitropoulos and D. Spinellis, “SDriver: Location-specific signatures prevent SQL injection attacks,” computers & security, vol. 28, no. 3, pp. 121-129, 2009.##
  52. H. Shahriar and M. Zulkernine, “MUSIC: Mutation-based SQL injection vulnerability checking,” in Quality Software, 2008. QSIC'08. The Eighth International Conference on, pp. 77-86, IEEE, 2008.##
  53. Z. Zhang, Q. Zheng, X. Guan, Q. Wang, and T. Wang, “A method for detecting code security vulnerability based on variables tracking with validated-tree,” Frontiers of Electrical and Electronic Engineering in China, vol. 3, no. 2, pp. 162-166, 2008.##
  54. T. M. Chen and J. Buford, “Design considerations for a honeypot for SQL injection Attacks,” in Local Computer Networks, 2009. LCN 2009. IEEE 34th Conference on, pp. 915-921, IEEE, 2009.##
  55. R. Ezumalai and G. Aghila, “Combinatorial approach for preventing SQL injection attacks,” in Advance Computing Conference, 2009. IACC 2009. IEEE International, pp. 1212-1217, IEEE, 2009.##
  56. M. Ficco, L. Coppolino, and L. Romano, “A weight-based symptom correlation approach to SQL injection attacks,” in Dependable Computing, 2009. LADC'09. Fourth Latin-American Symposium on, pp. 9-16, IEEE, 2009.##
  57. M. Junjin, “An approach for SQL injection vulnerability detection,” in Information Technology: New Generations, 2009. ITNG'09. Sixth International Conference on, pp. 1411-1414, IEEE, 2009.##
  58. A. Kieyzun, P. J. Guo, K. Jayaraman, and M. D. Ernst, “Automatic creation of SQL injection and cross-site scripting attacks,” in Software Engineering, 2009. ICSE 2009. IEEE 31st International Conference on, pp. 199-209,  IEEE, 2009.##
  59. A. Liu, Y. Yuan, D. Wijesekera, and A. Stavrou, “SQLProb: a proxy-based architecture towards preventing SQL injection attacks,” in Proceedings of the 2009 ACM symposium on Applied Computing, pp. 2054-2061, ACM, 2009.##
  60. S. Madan and S. Madan, “Shielding against sql injection attacks using admire model,” in Computational Intelligence, Communication Systems and Networks, 2009. CICSYN'09. First International Conference on, pp.        314-320, IEEE, 2009.##
  61. M. Monga, R. Paleari, and E. Passerini, “A hybrid analysis framework for detecting web application vulnerabilities,” in Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems, pp. 25-32, IEEE Computer Society, 2009.##
  62. A. Razzaq, A. Hur, N. Haider, and F. Ahmad, “Multi-layered defense against web application attacks,” in Information Technology: New Generations, 2009. ITNG'09. Sixth International Conference on, pp. 492-497, IEEE, 2009.##
  63. S. V. Shanmughaneethi, S. C. E. Shyni, and S. Swamynathan, “SBSQLID: Securing web applications with service based SQL injection detection,” in Advances in Computing, Control, & Telecommunication Technologies, 2009. ACT'09. International Conference on, pp. 702-704, IEEE, 2009.##
  64. J. Skaruz and F. Seredynski, “Intrusion detection in web applications: evolutionary approach,” in Computer Science and Information Technology, 2009. IMCSIT'09. International Multiconference on, pp. 117-123, IEEE, 2009.##
  65. S. Thomas, L. Williams, and T. Xie, “On automated prepared statement generation to remove SQL injection vulnerabilities,” Information and Software Technology, vol. 51, no. 3, pp. 589-598, 2009.##
  66. A. Anchlia and S. Jain, “A Novel Injection Aware Approach for the Testing of Database Applications,” in Recent Trends in Information, Telecommunication and Computing (ITC), 2010 International Conference on, pp. 311-313, IEEE, 2010.##
  67. P. Bisht, P. Madhusudan, and V. Venkatakrishnan, “CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks,” ACM Transactions on Information and System Security (TISSEC), vol. 13, no. 2, p. 14, 2010.##
  68. P. Bisht, A. P. Sistla, and V. Venkatakrishnan, “Taps: automatically preparing safe sql queries,” in Proceedings of the 17th ACM conference on Computer and communications security, pp. 645-647, ACM, 2010.##
  69. M. Bravenboer, E. Dolstra, and E. Visser, “Preventing injection attacks with syntax embeddings,” Science of Computer Programming, vol. 75, no. 7, pp. 473-495, 2010.##
  70. A. Ciampa, C. A. Visaggio, and M. Di Penta, “A heuristic-based approach for detecting SQL-injection vulnerabilities in Web applications,” in Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, pp. 43-49, ACM, 2010.##
  71. D. Das, U. Sharma, and D. Bhattacharyya, “An approach to detection of SQL injection attack based on dynamic query matching,” International Journal of Computer Applications, vol. 1, no. 25, pp. 28-34, 2010.##
  72. Z. Jan, M. Shah, A. Rauf, M. A. Khan, and S. Mahfooz, “Access Control Mechanism For Web Databases By Using Parameterized Cursor,” in Future Information Technology (FutureTech), 5th International Conference on, pp. 1-6, IEEE, 2010.##
  73. L. Ntagwabira and S. L. Kang, “Use of Query Tokenization to detect and prevent SQL Injection Attacks,” in Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International Conference on, vol. 2, pp. 438-440, IEEE, 2010.##
  74. A. Moosa, “Artificial neural network based web application firewall for sql injection,” World Academy of Science, Engineering and Technology, vol. 40, pp. 12-21, 2010.##
  75. L. Zhang, Q. Gu, S. Peng, X. Chen, H. Zhao, and D. Chen, “D-WAV: A web application vulnerabilities detection tool using Characteristics of Web Forms,” in Software Engineering Advances (ICSEA), 2010 Fifth International Conference on, pp. 501-507, IEEE, 2010.##
  76. B. Indrani and E. Ramaraj, “X–Log Authentication Technique to Prevent SQL Injection Attacks,” International Journal of Information Technology and Knowledge Management, vol. 4, no. 1, pp. 323-328, 2011.##
  77. B. Hanmanthu, B. R. Ram, and P. Niranjan, “SQL Injection Attack prevention based on decision tree classification,” in Intelligent Systems and Control (ISCO), 2015 IEEE 9th International Conference on, pp. 1-5, IEEE, 2015.##
  78. L. Liu et al., “An effective penetration test approach based on feature matrix for exposing SQL Injection Vulnerability,” in Computer Software and Applications Conference (COMPSAC), 2016 IEEE 40th Annual, vol. 1, pp. 123-132, IEEE, 2016.##
  79. A. Khalid and M. M. Yousif, “Dynamic Analysis Tool for Detecting SQL Injection,” International Journal of Computer Science and Information Security, vol. 14, no. 2, p. 224, 2016.##

 S. Djanali, F. Arunanto, B. A. Pratomo, H. Studiawan, and S. G. Nugraha, “SQL injection detection and prevention system with raspberry Pi honeypot cluster for trapping attacker,” in Technology Management and Emerging Technologies (ISTMET), 2014 International Symposium on, pp. 163-166, IEEE, 2014.##

  1. R. M. Nadeem, R. M. Saleem, R. Bashir, and S. Habib, “Detection and Prevention of SQL Injection Attack by Dynamic Analyzer and Testing Model,” International JournalOURNAL of Advanced Computer Science and Applications, vol. 8, no. 8, pp. 209-214, 2017.##
  2. تجلی پور، ب.، اصغر صفایی، ع.، تحلیل ساختاری و معنایی پرسوجو برای تشخیص حملات تزریقSQL، مجله پدافند الکترونیکی و سایبری، سال دوم، شماره یک، صفحات 97-83، بهار 1393.##
Volume 9, Issue 3 - Serial Number 3
December 2020
Pages 101-117
  • Receive Date: 29 October 2017
  • Revise Date: 06 March 2019
  • Accept Date: 19 September 2018
  • Publish Date: 22 November 2018