REVIEW ON SQL INJECTION PROTECTION METHODS AND TOOLS

Authors

  • Muhammad Saidu Aliero Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, 81310 UTM Johor Bahru, Johor, Malaysia
  • Imran Ghani Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, 81310 UTM Johor Bahru, Johor, Malaysia
  • Syeed Zainudden Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, 81310 UTM Johor Bahru, Johor, Malaysia
  • Muhammad Murad Khan Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, 81310 UTM Johor Bahru, Johor, Malaysia
  • Munir Bello Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, 81310 UTM Johor Bahru, Johor, Malaysia

DOI:

https://doi.org/10.11113/jt.v77.6359

Keywords:

Attack, prevention, method, approach, injection, parameters, query

Abstract

SQL injection vulnerability is one of the most common web-based application vulnerabilities that can be exploited by SQL injection attack. Successful SQL Injection Attacks (SQLIA) result in unauthorized access and unauthorized data modification. Researchers have proposed many methods to tackle SQL injection attack, however these methods fail to address the whole problem of SQL injection attack, because most of the approaches are vulnerable in nature, cannot resist sophisticated attack or limited to scope of subset of SQLIA type. In this paper we provide a detailed background of SQLIA together with vulnerable PHP code to demonstrate how attacks are being carried out, and discuss most commonly used method by programmers to defend against SQLIA and the disadvantages of such an approach. Lastly we reviewed most commonly use tools and methods that act a firewall for preventing SQLIA, finally wean alytically evaluated reviewed tools and methods based on our experience with respect to five different perspectives. Our evaluation results point out common trends on current SQLI prevention tools and methods. Most of these methods and tools have problems addressing store-procedure attacks, as well as problems addressing attacks that take advantage of second order SQLI vulnerability. Our evaluation also shows that only a few of these methods and tools considered can be deployed in all web-based application platforms.

References

Tudor, J. 2013. Web Applications Vulnerability statistic 2013. [Online] From; http://sitic.org/wp-content/uploads/Web-Application-Vulnerability-Statistics-2013.pdf [accessed on 17 September 2015].

OWASPD-Open Web Application Security Project 2014. Top ten most critical Web Application Security Risks. [Online]. From; http://cwe.mitre.org/cwss/archive.htm [accessed on 17 September 2015).

Livshits, V., and M. S. Lam 2005. Finding Security Errors in Java Programs with Static Analysis. Technical Report.

Medhane, M. 2013. R-WASP: Real Time-Web Application SQL Injection Detector and Preventer. International Journal of Innovative Technology and Exploring Engineering (IJITEE). 2(5): 327-330. ISSN: 2278-3075.

Son, S., k. S. McKinley, and V. Shmatikov. 2013. Diglossia: Detecting Code Injection Attacks with Precision and Efficiency. Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security. 1181-1192.

Shin, Y., L. Williams, and T. Xie 2006. SQLUnitgenTest Case Generation for SQL Injection Detection. North Carolina State University, Raleigh Technical report, NCSU CSC TR.

G.J. Halfond, W., and A. Orso. 2005. Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. In Proceedings of the Third International ICSE Workshop on Dynamic Analysis (WODA 2005). 22-28.

Valeur, F., and G. Vigna 2005. A Learning-based Approach to the Detection of SQL Attacks. Detection of Intrusions and Malware, and Vulnerability Assessment. Springer Berlin Heidelberg. 3548: 123-140.

Nguyen-Tuong, A., S. Guarnierie, J. Shirley and D. Evans 2005. Automatically Hardening Web Applications Using Precise Tainting. Springer US. 181: 295-307.

Bandhakavi, S., P. Bisht, and P. Madhusudan 2007. CANDID: Preventing Sql Injection Attacks Using Dynamic Candidate Evaluations. Proceedings of the 14th ACM conference on Computer and Communications Security. 12-24.

W. Boyd, S., W., A. D. Keromytis. 2005. SQLrand: Preventing SQL Injection Attacks. Applied Cryptography and Network Security. Springer Berlin Heidelberg. 3089: 292-302.

McClure, R., and I. H. Kruger. 2005. SQL DOM: Compile Time Checking of Dynamic SQL Statements. 27th IEEE International Conference on Software Engineering. St. Louis, USAS, 18-21 May 2005. 88-96.

R. Cook, W., and S. Rai. 2005. Safe Query Objects: Statically Typed Objects as Remotely Executable Queries. 27th IEEE International Conference on Software Engineering. St. Louis, USAS, 18-21 May 2005. 97-106.

Scott, D., and R. Sharp. 2002. Abstracting Application-Level Web Security. Proceedings of the 11th international conference on World Wide Web. Hawaii, USA, 7-11 May 2006. 396-407.

Liu, A., Y. Yaun, and D. Wijesekera 2009. SQLProb: A Proxy-Based Architecture Towards Preventing SQL Injection Attacks. Proceedings of the 2009 ACM Symposium on Applied Computing. ACM. 2054-2061.

Buehrer, G., B. W. Weide, and P. Sivilotti 2005. Using Parse Tree Validation to Prevent SQLinjection Attacks. 5th International Workshop on Software Engineering and Middleware. 106-113.

Cheon, E., Z. Huang, and Y. Lee 2013. Preventing SQL Injection Attack Based on Machine Learning. International Journal of Advancements in Computing Technology. 5(9): 967-974.

Joshi, A., and G. V. 2014. SQL Injection Detection Using Machine Learning. IEEE International Conference on Control, Instrumentation, Communication and Computational Technologies. 1111-1115.

Shahriar, H., and M. Zulkernine. 2012. Information-theoretic Detection of SQL Injection Attacks. IEEE 14th International Symposium on High-Assurance Systems Engineering. Miami, USA. 9-11 January 2014. 40-47.

Kumar, P., and R. Pateriya. 2013. Enhanced Intrusion Detection System for Input Validation Attacks in Web Application. International Journal of Computer Science Issues (IJCSI). 10(1): 435-437.

Tajpour, A., S. Ibrahim, and M. Sharifi. 2012. Web Application Security by SQL Injection Detection Tools. IJCSI International Journal of Computer Science Issues (IJSCI). 9(2): 332-339.

Xin-hua, Z., and W. Zhi-Jian. 2010. Notice of Retraction A Static Analysis Tool for Detecting Web Application Injection Vulnerabilities for ASP Program. 2nd IEEE International Conference on e-Business and Information System Security. Wuhan, China. 22-23 May 2010. 1-5.

Sadeghian, A., M. Zamani, and A. Manaf. 2013. Taxonomy of SQL Injection Detection and Prevention Methods. IEEE International Conference on Informatics and Creative Multimedia. Kuala Lumpur, Malaysia. 4-6 September. 53-56.

G. J. Halfond, W., J. Viegas and A. Orso. 2006. Classification of SQL Injection Attacks and Countermeasure.. IEEE International Symposium on Secure Software Engineering. Washington DC, USA, 13-15 March 2006. 87-96.

Downloads

Published

2015-11-17

Issue

Vol. 77 No. 13: Technology-Driven Sustainable Development in Sciences & Engineering Vol. 2

Section

Science and Engineering

License

Copyright of articles that appear in Jurnal Teknologi belongs exclusively to Penerbit Universiti Teknologi Malaysia (Penerbit UTM Press). This copyright covers the rights to reproduce the article, including reprints, electronic reproductions, or any other reproductions of similar nature.

How to Cite

REVIEW ON SQL INJECTION PROTECTION METHODS AND TOOLS. (2015). Jurnal Teknologi, 77(13). https://doi.org/10.11113/jt.v77.6359