research-article

Protecting web applications from SQL injection attacks by using framework and database firewall

Authors:

Yakkala V. Naga Manikanta,

Anjali SardanaAuthors Info & Claims

ICACCI '12: Proceedings of the International Conference on Advances in Computing, Communications and Informatics

Pages 609 - 613

https://doi.org/10.1145/2345396.2345495

Published: 03 August 2012 Publication History

Get Access

Abstract

SQL Injection attacks are the costly and critical attacks on web applications: it is a code injection technique that allows attackers to obtain unrestricted access to the databases and potentially sensitive information like usernames, passwords, email ids, credit card details present in them. Various techniques have been proposed to address the problem of SQL Injection attack such as defense coding practices, detection and prevention techniques, and intrusion detection systems. However most of these techniques have one or more disadvantages such as requirement for code modification, applicable to limited type of attacks and web applications. In this paper, we discuss a secure mechanism for protecting web applications from SQL Injection attacks by using framework and database firewall. This mechanism uses combined static and dynamic analysis technique. In static analysis, we list URLs, forms, injection points, and vulnerable parameters of web application. Thus, we identify valid queries that could be generated by the application. In dynamic analysis, we use database firewall to monitor runtime generated queries and check them against the whitelist of queries. The experimental setup makes use of real web applications and two open source tools namely Web Application Attack and Audit Framework (w3af) and GreenSQL. We used w3af for listing all the valid queries and GreenSQL as database firewall. The results show that implemented mechanism is capable of detecting all types of SQL Injection attacks without requiring any code modification to the existing web application but with an additional element of deploying a proxy.

References

[1]

The Open Web Application Security Project, "OWASP TOP 10 Project", http://www.owasp.org.

Google Scholar

[2]

Symantec Corp., "Web Based Attacks," Feb. 2009, http://eval.symantec.com/mktginfo/enterprise/white_papers/b whitepaper_web_based_attacks_03--2009.en-us.pdf.

Google Scholar

[3]

W. G. J. Halfond, J. Viegas, and A. Orso, "A Classification of SQL-Injection Attacks and Countermeasures," in Proceedings of the IEEE International Symposium on Secure Software Engineering, Arlington, VA, USA, 2006, pp. 65--81.

Google Scholar

[4]

apache-scalp, Apache log analyzer for security, http://code.google.com/p/apache-scalp.

Google Scholar

[5]

Snort, open source network intrusion prevention and detection system (IDS/IPS), http://www.snort.org/.

Google Scholar

[6]

"GreenSQL, an Open Source database firewall used to protect databases from SQL injection attacks", http://www.greensql.net.

Google Scholar

[7]

J. Fonseca, M. Vieira and H. Madeira, "Detecting Malicious SQL", Int. Conference on Trust, Privacy & Security in Digital Business, Sep. 2007.

Digital Library

Google Scholar

[8]

Elia, I. A.; Fonseca, J.; Vieira, M.;, "Comparing SQL Injection Detection Tools Using Attack Injection: An Experimental Study," IEEE 21st International Symposium on Software Reliability Engineering (ISSRE-2010), pp. 289--298, 1--4 Nov. 2010

Digital Library

Google Scholar

[9]

"w3af is a Web Application Attack and Audit Framework", http://w3af.sourceforge.net/.

Google Scholar

[10]

Konstantinos Kemalis and Theodores Tzouramanis. 2008. SQL-IDS: a specification-based approach for SQL injection detection. In proceedings of the 2008 ACM symposium on Applied computing (SAC'08). ACM, New York, NY, USA, 2153--2158. DOI=http://doi.acm.org/10.1145/1363686.1364201.

Digital Library

Google Scholar

[11]

K. Jeom-Goo, "Injection Attack Detection Using the Removal of SQL Query Attribute Values," in International Conference on Information Science and Applications (ICISA-2011), 2011, pp. 1--7.

Google Scholar

[12]

William G. J. Halfond and Alessandro Orso. 2005. AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. In Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering (ASE '05). ACM, New York, NY, USA, 174--183. DOI=http://doi.acm.org/10.1145/1101908.1101935.

Digital Library

Google Scholar

[13]

"Apache-JMeter static and dynamic resources performance" measurement tool, http://jmeter.apache.org/.

Google Scholar

Cited By

View all

Demilie WDeriba F(2022)Detection and prevention of SQLI attacks and developing compressive framework using machine learning and hybrid techniquesJournal of Big Data10.1186/s40537-022-00678-09:1Online publication date: 30-Dec-2022
https://doi.org/10.1186/s40537-022-00678-0
Roobini MSrividhya SSugnaya Vennela KNikhila G(2022)Detection of SQL Injection Attack Using Adaptive Deep Forest2022 International Conference on Communication, Computing and Internet of Things (IC3IoT)10.1109/IC3IOT53935.2022.9767878(1-6)Online publication date: 10-Mar-2022
https://doi.org/10.1109/IC3IOT53935.2022.9767878
Haq IKhan T(2021)Penetration Frameworks and Development Issues in Secure Mobile Application Development: A Systematic Literature ReviewIEEE Access10.1109/ACCESS.2021.30882299(87806-87825)Online publication date: 2021
https://doi.org/10.1109/ACCESS.2021.3088229

Index Terms

Protecting web applications from SQL injection attacks by using framework and database firewall

Recommendations

A Survey on SQL Injection Attacks, Detection and Prevention
ICMLC '20: Proceedings of the 2020 12th International Conference on Machine Learning and Computing

Since the uses of Web in daily life is increasing in past 20 years and becoming trend now, almost every Web application has its own database to store important data. An attacker can get or even modify the data from database through SQL injection ...
You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications
ASIA CCS '20: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

SQL injection (SQLi) attacks pose a significant threat to the security of web applications. Existing approaches do not support object-oriented programming that renders these approaches unable to protect the real-world web apps such as Wordpress, Joomla, ...
Retrofitting Existing Web Applications with Effective Dynamic Protection Against SQL Injection Attacks

This article presents an approach for retrofitting existing Web applications with run-time protection against known, as well as unseen, SQL injection attacks SQLIAs without the involvement of application developers. The precision of the approach is also ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ICACCI '12: Proceedings of the International Conference on Advances in Computing, Communications and Informatics

August 2012

1307 pages

ISBN:9781450311960

DOI:10.1145/2345396

Editors:
Sabu M. Thampi,
El-Sayed El-Afry,
Javier Aguiar,
General Chairs:
K. Gopalan
Purdue University Calumet
,
Sabu M. Thampi
Indian Institute of Information Technology and Management - Kerala, India

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 August 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ICACCI '12

Sponsor:

ISCA
RPS

ICACCI '12: 2012 International Conference on Advances in Computing, Communications and Informatics

August 3 - 5, 2012

Chennai, India

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
899
Total Downloads

Downloads (Last 12 months)66
Downloads (Last 6 weeks)0

Reflects downloads up to 24 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Demilie WDeriba F(2022)Detection and prevention of SQLI attacks and developing compressive framework using machine learning and hybrid techniquesJournal of Big Data10.1186/s40537-022-00678-09:1Online publication date: 30-Dec-2022
https://doi.org/10.1186/s40537-022-00678-0
Roobini MSrividhya SSugnaya Vennela KNikhila G(2022)Detection of SQL Injection Attack Using Adaptive Deep Forest2022 International Conference on Communication, Computing and Internet of Things (IC3IoT)10.1109/IC3IOT53935.2022.9767878(1-6)Online publication date: 10-Mar-2022
https://doi.org/10.1109/IC3IOT53935.2022.9767878
Haq IKhan T(2021)Penetration Frameworks and Development Issues in Secure Mobile Application Development: A Systematic Literature ReviewIEEE Access10.1109/ACCESS.2021.30882299(87806-87825)Online publication date: 2021
https://doi.org/10.1109/ACCESS.2021.3088229
AYDOĞDU DGÜNDÜZ M(2016)Web Uygulama Güvenliği Açıklıkları Ve Güvenlik Çözümleri Üzerine Bir AraştırmaULUSLARARASI BİLGİ GÜVENLİĞİ MÜHENDİSLİĞİ DERGİSİ10.18640/ubgmd.568362:1Online publication date: 30-Jun-2016
https://doi.org/10.18640/ubgmd.56836

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

A Survey on SQL Injection Attacks, Detection and Prevention

You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications

Retrofitting Existing Web Applications with Effective Dynamic Protection Against SQL Injection Attacks