A Survey of SQL Injection Attack Detection and Prevention

Khaled Elshazly; Yasser Fouad; Mohamed Saleh; Adel Sewisy

doi:10.4236/jcc.2014.28001

Home > Journals > Computer Science & Communications > JCC

JCC> Vol.2 No.8, June 2014

Share This Article:

Open Access

A Survey of SQL Injection Attack Detection and Prevention

Abstract Full-Text HTML XML

Download as PDF (Size:426KB) PP. 1-9

DOI: 10.4236/jcc.2014.28001 5,065 Downloads 8,071 Views Citations

Author(s) Leave a comment

Khaled Elshazly, Yasser Fouad, Mohamed Saleh, Adel Sewisy

Affiliation(s)

Assistant Professor, Head of Department of Mathematics, Faculty of Science, Suez University, Suez, Egypt.
Demonstrator of Computer Science, Information System Institute, Suez, Egypt.
Lecturer of Computer Science, Faculty of Science, Suez University, Suez, Egypt.
Professor of Computer Science, Faculty of Computers & Information, Assiut University, Assiut, Egypt.

ABSTRACT

Structured Query Language Injection Attack (SQLIA) is the most exposed to attack on the Internet. From this attack, the attacker can take control of the database therefore be able to interpolate the data from the database server for the website. Hence, the big challenge became to secure such website against attack via the Internet. We have presented different types of attack methods and prevention techniques of SQLIA which were used to aid the design and implementation of our model. In the paper, work is separated into two parts. The first aims to put SQLIA into perspective by outlining some of the materials and researches that have already been completed. The section suggesting methods of mitigating SQLIA aims to clarify some misconceptions about SQLIA prevention and provides some useful tips to software developers and database administrators. The second details the creation of a filtering proxy server used to prevent a SQL injection attack and analyses the performance impact of the filtering process on web application.

KEYWORDS

SQL Injection, Database Security, Attack, Authentication

Conflicts of Interest

The authors declare no conflicts of interest.

Cite this paper

Elshazly, K. , Fouad, Y. , Saleh, M. and Sewisy, A. (2014) A Survey of SQL Injection Attack Detection and Prevention. Journal of Computer and Communications, 2, 1-9. doi: 10.4236/jcc.2014.28001.

References

[1]	Anley, C. (2002) Advanced SQL Injection in SQL Server Applications. White Paper, Next Generation Security Software Ltd.

[2]	Overstreet, R. (2004) Protecting Yourself from SQL Injection Attacks. http://www.4guysfromrolla.com/webtech/061902-1.shtml.

[3]	Imperva Inc. (2004) SQL Injection-Glossary. http://www.imperva.com/application_defense_center/glossary/sql_injection.html

[4]	Finnigan, P. (2002) SQL Injection and Oracle. Part One. http://www.securityfocus.com/infocus/1644

[5]	Huang, Y., Huang, S., Lin, T. and Tsai, C. (2003) Web Application Security Assessment by Fault Injection and Behavior Monitoring. http://doi.acm.org/10.1145/775152.775174

[6]	Microsoft (2003) Secure Multi-Tier Deployment. http://www.microsoft.com/technet/prodtechnol/SQL/2000/maintain/sp3sec03.mspx

[7]	Hotchkies, C. (2004) Blind SQL Injection Automation Techniques. http://www.blackhat.com/html/bh-media-archives/bh-archives-2004.html#USA-2004

[8]	Microsoft (2003) Checklist: Security Best Practices. http://www.microsoft.com/technet/prodtechnol/SQL/2000/mainain/sp3sec04.mspx

[9]	Beyond Security Ltd. (2002) SQL Injection Walkthrough. http://www.securiteam.com/securityreviews/5DP0N1P76E.html

[10]	Finnigan, P. (2003) Detecting SQL Injection in Oracle. http://securityfocus.com/infocus/1714

[11]	Spett, K. (2002) SPI Dynamics 2005, Inc. SQL Injection: Are Your Web Applications Vulnerable? http://www.spidynamics.com/whitepapers/WhitepaperSQLInject ion.pdf

[12]	Grossman, J. (2004) The Challenges of Automated Web Application Scanning. http://www.blackhat.com/presentations/win-usa-04/bh-win-04-grossman/bh-win-04-grossman-up.pdf

[13]	Halfond, W.G.J. and Orso, A. (2005) Combining Static Analysis and Runtime Monitoring to Counter SQL Injection Attacks. 3rd International Workshop on Dynamic Analysis.

[14]	Imperva Inc. (2005) SecureSphereTM: Dynamic Profiling FirewallTM”. http://www.imperva.com/products/securesphere/resources.asp?show=datasheet

[15]	Ristic I (2005) “ModSecurity for Java”. http://www.modsecurity.org/projects/modsecurity/java/

[16]	Seclutions, A.G. (2003) Airlock—Application Security Gateway. http://www.seclutions.com/en/downloads/AirLock_Overview_Nov_2003.pdf

[17]	Angelo, C., Corrado, A.V. and Massimiliano, D.P. (2010) A Heuristic-Based Approach for Detecting SQL-Injection Vulnerabilities in Web Applications.

[18]	Boyd, S.W. and Keromytis, A.D. (2004) SQLrand: Preventing SQL Injection Attacks. Proceedings of the 2nd Applied Cryptography and Network Security Conference, Yellow Mountain, 8-11 June 2004, 292-302. http://dx.doi.org/10.1007/978-3-540-24852-1_21

[19]	Homepage for GreenSQL. http://www.greensql.net/

[20]	About Page for Dot Defender from Applicure. http://www.applicure.com/About_dotDefender

[21]	About Page for CodeScan from CodeScan Limited. http://codescan-labs.software.informer.com/

[22]	Kosuga, Y., Kernel, K., Hanaoka, M., Hishiyama, M. and Takahama, Y. (2007) Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection. Computer Security Applications Conference, 107-117.

[23]	Parosproxy.org. http://sourceforge.net/projects/dynamicproxy/?source=directory

[24]	Maor, O. and Shulman, A. (2004) Blind SQL Injection. http://injection.rulezz.ru/SQLInjectionSignaturesEvasion.pdf