Analysis of SQL Injection Detection Techniques

• Autorzy: Singh J. P.

Identyfikatory

DOI

10.20904/281-2037

• Języki publikacji: EN

Abstrakty

EN

SQL Injection is one of the vulnerabilities in OWASP's Top Ten List forWeb Based Application Exploitation. These type of attacks take place on Dynamic Web applications as they interact with databases for various operations. Current Content Management System like Drupal, Joomla or Wordpress have all information stored in their databases. A single intrusion into these type of websites can lead to overall control of websites by an attacker. Researchers are aware of basic SQL Injection attacks, but there are numerous SQL Injection attacks which are yet to be prevented and detected. Over here, we present the extensive review for the Advanced SQL Injection attack such as Fast Flux SQL Injection, Compounded SQL Injection and Deep Blind SQL Injection. We also analyze the detection and prevention using the classical methods as well as modern approaches. We will be discussing the Comparative Evaluation for prevention of SQL Injection.

Słowa kluczowe

EN

SQL Injection; runtime monitoring; Static Analysis

• Wydawca: Instytut Informatyki Teoretycznej i Stosowanej Polskiej Akademii Nauk
• Czasopismo: Theoretical and Applied Informatics
• Rocznik: 2016
• Tom: Vol. 28, No. 1-2
• Strony: 37--55
• Opis fizyczny: Bibliogr. 37 poz., rys.

Twórcy

autor

Singh J. P.

• CIISE, Concordia University, Montreal, Quebec, Canada

Bibliografia

• [1] K. Bagchi and G. Udo. An analysis of the growth of computer and Internet security breaches.Communications of the Association for Information Systems, 12(1):46, 2003.
• [2] M. Howard and D. LeBlanc. Writing secure code. Pearson Education, 2003.
• [3] W. G. Halfond, J. Viegas, and A. Orso. A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering, volume 1, pages 13-15. IEEE, 2006.
• [4] G. Kontaxis, D. Antoniades, I. Polakis, and E. P. Markatos. An empirical study on the security of cross-domain policies in rich internet applications. In Proceedings of the Fourth
• European Workshop on System Security, page 7. ACM, 2011. DOI: 10.1145/1972551.1972558.
• [5] Z. Su and G. Wassermann. The essence of command injection attacks in web applications. ACM SIGPLAN Notices, 41(1):372-382, 2006. DOI: 10.1145/1111320.1111070.
• [6] K. Wei, M. Muthuprasanna, and S. Kothari. Preventing SQL injection attacks in stored procedures. In Australian Software Engineering Conference (ASWEC'06). Institute of Electrical and Electronics Engineers (IEEE), 2006. DOI: 10.1109/aswec.2006.40.
• [7] W. G. J. Halfond and A. Orso. AMNESIA: analysis and monitoring for NEutralizing SQLinjection attacks. In Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering - ASE '05. Association for Computing Machinery (ACM), 2005.DOI: 10.1145/1101908.1101935.
• [8] R. A. McClure and I. H. Kruger. SQL DOM: Compile time checking of dynamic SQL statements. In Proceedings of the 27th International Conference on Software Engineering, ICSE '05, pages 88-96, New York, NY, USA, 2005. ACM. DOI: 10.1145/1062455.1062487.
• [9] M. J. Beranek. HTTP caching proxy to filter and control display of data in a web browser,2005. US Patent 6,886,013.
• [10] Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai. Web application security assessment by fault injection and behavior monitoring. In Proceedings of the 12th International Conference on World Wide Web, WWW '03, pages 148-159, New York, NY, USA, 2003. ACM.DOI: 10.1145/775152.775174.
• [11] F. Mavituna. Deep blind SQL injection. White Paper, 2008.
• [12] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer. Social phishing. Commun. ACM, 50(10):94-100, 2007. DOI: 10.1145/1290958.1290968.
• [13] L. Wichman. Mass SQL injection for malware distribution. Technical report, SANS Institute, 2010.
• [14] D. Danchev. http://www.zdnet.com/article/fast-uxing-sql-injection-attacks-executedfrom-the-asprox-botnet, 2008.
• [15] PenTestMonkey. http://pentestmonkey.net/blog/mssql-dns, 2016.
• [16] K. J. Higgins. http://www.darkreading.com/third-wave-of-web-attacks-not-the-last/d/did/1129488, 2008.
• [17] P. Kaur and K. P. Kour. SQL injection: Study and augmentation. In 2015 International Conference on Signal Processing, Computing and Control (ISPCC), pages 102-107, 2015. DOI: 10.1109/ISPCC.2015.7375006.
• [18] acunetix Vulnerability Scanner Webpage. http://www.acunetix.com/websitesecurity/crosssite-scripting/, 2015.
• [19] Adobe Developer Connection Inc. main page. http://www.adobe.com/devnet/articles. Technical report, Adobe, 2010.
• [20] M. Stampar. Data retrieval over DNS in SQL injection attacks. arXiv preprint arXiv:1303.3047, 2013.
• [21] R. Komiya, I. Paik, and M. Hisada. Classification of malicious web code by machine learning. In 2011 3rd International Conference on Awareness Science and Technology (iCAST), pages 406-411, 2011. DOI: 10.1109/ICAwST.2011.6163109.
• [22] Y. Shin, S. Myers, and M. Gupta. A case study on Asprox infection dynamics. In Detection of Intrusions and Malware, and Vulnerability Assessment, pages 1-20. Springer Nature, 2009. DOI: 10.1007/978-3-642-02918-9 1.
• [23] A. Caglayan, M. Toothaker, D. Drapeau, D. Burke, and G. Eaton. Real-time detection of fast ux service networks. In 2009 Cybersecurity Applications & Technology Conference for Homeland Security. Institute of Electrical and Electronics Engineers (IEEE), 2009. DOI: 10.1109/catch.2009.44.
• [24] T. Holz, Ch. Gorecki, K. Rieck, and F. C. Freiling. Measuring and detecting fast-ux service
• networks. In NDSS, 2008.
• [25] E. Stalmans and B. Irwin. A framework for DNS based detection and mitigation of malware infections on a network. In 2011 Information Security for South Africa. Institute of Electrical and Electronics Engineers (IEEE), 2011. DOI: 10.1109/issa.2011.6027531.
• [26] A. Kieyzun, P. J. Guo, K. Jayaraman, and M. D. Ernst. Automatic creation of SQL injection and cross-site scripting attacks. In 2009 IEEE 31st International Conference on Software Engineering. Institute of Electrical and Electronics Engineers (IEEE), 2009. DOI: 10.1109/icse.2009.5070521.
• [27] R. Putthacharoen and P. Bunyatnoparat. Protecting cookies from cross site script attacks using dynamic cookies rewriting technique. In Advanced Communication Technology (ICACT),2011 13th International Conference on, pages 1090-1094. IEEE, 2011.
• [28] Q. Zhang, H. Chen, and J. Sun. An execution-flow based method for detecting cross-site scripting attacks. In Software Engineering and Data Mining (SEDM), 2010 2nd International Conference on, pages 160-165. IEEE, 2010.
• [29] P. Vogt, F Nentwich, N. Jovanovic, E. Kirda, Ch. Kruegel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In NDSS, volume 2007, page 12, 2007.
• [30] N. Nikiforakis, W. Meert, Y. Younan, M. Johns, and W. Joosen. SessionShield: Lightweight protection against session hijacking. In Lecture Notes in Computer Science, pages 87-100. Springer Nature, 2011. DOI: 10.1007/978-3-642-19125-1 7.
• [31] E. Kirda, Ch. Kruegel, G. Vigna, and N. Jovanovic. Noxes: a client-side solution for mitigating cross-site scripting attacks. In Proceedings of the 2006 ACM symposium on Applied computing - SAC '06. Association for Computing Machinery (ACM), 2006. DOI: 10.1145/1141277.1141357.
• [32] D. Gollmann. Securing Web applications. Information Security Technical Report, 13(1):1-9,2008. DOI: 10.1016/j.istr.2008.02.002.
• [33] S. Van Acker, N. Nikiforakis, L. Desmet, W. Joosen, and F. Piessens. FlashOver: Automated discovery of cross-site scripting vulnerabilities in rich internet applications. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security - ASIACCS '12, pages 12-13. Association for Computing Machinery (ACM), 2012. DOI: 10.1145/2414456.2414462.
• [34] S. Lekies, N. Nikiforakis, W. Tighzert, F. Piessens, and M. Johns. DEMACRO: Defense against malicious cross-domain requests. In Research in Attacks, Intrusions, and Defenses, pages 254-273. Springer Nature, 2012. DOI: 10.1007/978-3-642-33338-5 13.
• [35] K. Lee, J. Kim, K. H. Kwon, Y. Han, and S. Kim. DDoS attack detection method using cluster analysis. Expert Systems with Applications, 34(3):1659-1665, 2008. DOI: 10.1016/j.eswa.2007.01.040.
• [36] S. Yu. DDoS attack detection. In Distributed Denial of Service Attack and Defense, pages 31-53. Springer Nature, 2013. DOI: 10.1007/978-1-4614-9491-1 3.
• [37] S. P. Singh, U. NathTripathi, and M. Mishra. Detection and prevention of SQL injection attack using hashing technique. International Journal of Modern Communication Technologies & Research, 2, 2014.