What can we do about the unnecessary diversity of notation for syntactic definitions?
Communications of the ACM
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Using parse tree validation to prevent SQL injection attacks
SEM '05 Proceedings of the 5th international workshop on Software engineering and middleware
The essence of command injection attacks in web applications
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Noxes: a client-side solution for mitigating cross-site scripting attacks
Proceedings of the 2006 ACM symposium on Applied computing
Encyclopedia of E-commerce, E-government and Mobile Commerce
Encyclopedia of E-commerce, E-government and Mobile Commerce
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Security of web browser scripting languages: vulnerabilities, attacks, and remedies
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
A learning-based approach to the detection of SQL attacks
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
CBRid4SQL: a CBR intrusion detector for SQL injection attacks
HAIS'10 Proceedings of the 5th international conference on Hybrid Artificial Intelligence Systems - Volume Part II
Mitigating program security vulnerabilities: Approaches and challenges
ACM Computing Surveys (CSUR)
SQL injection attack mechanisms and prevention techniques
ADCONS'11 Proceedings of the 2011 international conference on Advanced Computing, Networking and Security
Protecting web applications from SQL injection attacks by using framework and database firewall
Proceedings of the International Conference on Advances in Computing, Communications and Informatics
idMAS-SQL: Intrusion Detection Based on MAS to Detect and Block SQL injection through data mining
Information Sciences: an International Journal
| Hi-index | 0.00 |
Vulnerabilities in web applications allow malicious users to obtain unrestricted access to private and confidential information. SQL injection attacks rank at the top of the list of threats directed at any database-driven application written for the Web. An attacker can take advantages of web application programming security flaws and pass unexpected malicious SQL statements through a web application for execution by the back-end database. This paper proposes a novel specification-based methodology for the detection of exploitations of SQL injection vulnerabilities. The new approach on the one hand utilizes specifications that define the intended syntactic structure of SQL queries that are produced and executed by the web application and on the other hand monitors the application for executing queries that are in violation of the specification. The three most important advantages of the new approach against existing analogous mechanisms are that, first, it prevents all forms of SQL injection attacks; second, its effectiveness is independent of any particular target system, application environment, or DBMS; and, third, there is no need to modify the source code of existing web applications to apply the new protection scheme to them. We developed a prototype SQL injection detection system (SQL-IDS) that implements the proposed algorithm. The system monitors Java-based applications and detects SQL injection attacks in real time. We report some preliminary experimental results over several SQL injection attacks that show that the proposed query-specific detection allows the system to perform focused analysis at negligible computational overhead without producing false positives or false negatives. Therefore, the new approach is very efficient in practice.