Using parse tree validation to prevent SQL injection attacks

Published: 05 September 2005
DOI: 10.1145/1108473.1108496

Abstract

An SQL injection attack targets interactive web applications that employ database services. Such applications accept user input, such as form fields, and then include this input in database requests, typically SQL statements. In SQL injection, the attacker provides user input that results in a different database request than was intended by the application programmer. That is, the interpretation of the user input as part of a larger SQL statement results in an SQL statement of a different form than originally intended. We describe a technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities. The technique is based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input. Our solution is efficient, adding about 3 ms overhead to database query costs. In addition, it is easily adopted by application programmers, having the same syntactic structure as current popular record set retrieval methods. For empirical analysis, we provide a case study of our solution in J2EE. We implement our solution in a simple static Java class, and show its effectiveness and scalability.
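The run-time check the abstract describes, sketched as an added Python example (the paper's own implementation is a Java class for J2EE; this is not that code): the query built from real user input must have the same structure as the same template built from harmless placeholder literals. The small SQL lexer, the flat list of token kinds that stands in for a full parse tree, and the sample template and inputs are all constructed here.

```python
import re

# Lexer for a deliberately small SQL subset (constructed for this example).
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><>|<=|>=|=|<|>|\(|\)|,|;|\*)
""", re.VERBOSE)

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "NULL",
            "UNION", "INSERT", "INTO", "VALUES", "DELETE", "DROP", "TABLE"}

def parse_shape(sql):
    """Return the statement's structure as a list of token kinds with literal
    values erased: a flat stand-in for the parse tree compared in the paper."""
    shape, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"cannot lex {sql[pos:pos + 10]!r} at offset {pos}")
        pos, kind = m.end(), m.lastgroup
        if kind in ("ws", "comment"):
            continue                # neither contributes to structure
        if kind == "word":
            upper = m.group().upper()
            shape.append(("KW", upper) if upper in KEYWORDS else ("IDENT",))
        elif kind in ("string", "number"):
            shape.append(("LIT",))  # the value is irrelevant, only its presence
        else:
            shape.append(("OP", m.group()))
    return shape

def build_query(template, values):
    """Splice each value into a '?' slot as a quoted string literal, without
    escaping it: the unsafe concatenation the paper's check is meant to guard."""
    parts = template.split("?")
    if len(parts) != len(values) + 1:
        raise ValueError("slot/value count mismatch")
    return parts[0] + "".join(f"'{v}'{rest}" for v, rest in zip(values, parts[1:]))

def validate(template, values):
    """SQLGuard-style check: the shape of the query built from real input must
    match the shape of the same template built from harmless placeholders."""
    expected = parse_shape(build_query(template, ["placeholder"] * len(values)))
    try:
        return parse_shape(build_query(template, values)) == expected
    except ValueError:              # unlexable text, e.g. an unbalanced quote,
        return False                # cannot be the intended statement either
```

Because `build_query` does not escape input, a legitimate apostrophe (O'Brien) is also rejected unless the application doubles it first; the doubled form lexes as a single literal and passes.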



Published In

SEM '05: Proceedings of the 5th international workshop on Software engineering and middleware
September 2005
121 pages
ISBN: 1595932054
DOI: 10.1145/1108473

Publisher

Association for Computing Machinery, New York, NY, United States


Conference

SEM05: Software Engineering and Middleware 2005, September 5-6, 2005, Lisbon, Portugal

Acceptance Rates

Overall Acceptance Rate 22 of 59 submissions, 37%

Cited By

  • (2024) Effective SQL Injection Detection: A Fusion of Binary Olympiad Optimizer and Classification Algorithm. Mathematics 12(18):2917, doi:10.3390/math12182917. Online publication date: 19-Sep-2024
  • (2024) AdvSQLi: Generating Adversarial SQL Injections Against Real-World WAF-as-a-Service. IEEE Transactions on Information Forensics and Security 19:2623-2638, doi:10.1109/TIFS.2024.3350911. Online publication date: 2024
  • (2024) Detecting SQL injection attacks by binary gray wolf optimizer and machine learning algorithms. Neural Computing and Applications 36(12):6771-6792, doi:10.1007/s00521-024-09429-z. Online publication date: 1-Apr-2024
  • (2024) SQL Injection Attack Detection and Prevention Based on Manipulating the SQL Query Input Attributes. Computational Sciences and Sustainable Technologies, pp. 213-221, doi:10.1007/978-3-031-50993-3_17. Online publication date: 3-Feb-2024
  • (2023) Hakuin: Optimizing Blind SQL Injection with Probabilistic Language Models. 2023 IEEE Security and Privacy Workshops (SPW), pp. 384-393, doi:10.1109/SPW59333.2023.00039. Online publication date: May-2023
  • (2022) Review Paper on a Study on SQL Attacks and Defense. International Journal of Advanced Research in Science, Communication and Technology, pp. 533-540, doi:10.48175/IJARSCT-7013. Online publication date: 27-Aug-2022
  • (2022) Ensemble of Deep Convolutional Learning Classifier System Based on Genetic Algorithm for Database Intrusion Detection. Electronics 11(5):745, doi:10.3390/electronics11050745. Online publication date: 28-Feb-2022
  • (2022) XSS and SQL Injection Detection and Prevention Techniques (A Review). International Journal of Scientific Research in Computer Science, Engineering and Information Technology, pp. 53-60, doi:10.32628/CSEIT22816. Online publication date: 2-Jan-2022
  • (2022) AI-Based Mobile Edge Computing for IoT: Applications, Challenges, and Future Scope. Arabian Journal for Science and Engineering 47(8):9801-9831, doi:10.1007/s13369-021-06348-2. Online publication date: 3-Jan-2022
  • (2022) An Efficient Approach Toward Security of Web Application Using SQL Attack Detection and Prevention Technique. Inventive Computation and Information Technologies, pp. 781-792, doi:10.1007/978-981-16-6723-7_58. Online publication date: 18-Jan-2022
