PowerForms: Declarative client-side form field validation
World Wide Web
Web application security assessment by fault injection and behavior monitoring
WWW '03 Proceedings of the 12th international conference on World Wide Web
Countering code-injection attacks with instruction-set randomization
Proceedings of the 10th ACM conference on Computer and communications security
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Static Checking of Dynamically Generated Queries in Database Applications
Proceedings of the 26th International Conference on Software Engineering
JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications
Proceedings of the 26th International Conference on Software Engineering
Combining static analysis and runtime monitoring to counter SQL-injection attacks
WODA '05 Proceedings of the third international workshop on Dynamic analysis
PointguardTM: protecting pointers from buffer overflow vulnerabilities
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Precise analysis of string expressions
SAS'03 Proceedings of the 10th international conference on Static analysis
The essence of command injection attacks in web applications
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Preventing SQL injection attacks using AMNESIA
Proceedings of the 28th international conference on Software engineering
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
Sound and precise analysis of web applications for injection vulnerabilities
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Using Automated Fix Generation to Secure SQL Statements
SESS '07 Proceedings of the Third International Workshop on Software Engineering for Secure Systems
Preventing injection attacks with syntax embeddings
GPCE '07 Proceedings of the 6th international conference on Generative programming and component engineering
CANDID: preventing sql injection attacks using dynamic candidate evaluations
Proceedings of the 14th ACM conference on Computer and communications security
SQL-IDS: a specification-based approach for SQL-injection detection
Proceedings of the 2008 ACM symposium on Applied computing
DIWeDa - Detecting Intrusions in Web Databases
Proceeedings of the 22nd annual IFIP WG 11.3 working conference on Data and Applications Security
On automated prepared statement generation to remove SQL injection vulnerabilities
Information and Software Technology
Enforcing code security in database web applications using libraries and object models
LCSD '07 Proceedings of the 2007 Symposium on Library-Centric Software Design
Journal of Computing Sciences in Colleges
SQLProb: a proxy-based architecture towards preventing SQL injection attacks
Proceedings of the 2009 ACM symposium on Applied Computing
Learning SQL for Database Intrusion Detection Using Context-Sensitive Modelling (Extended Abstract)
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks
ACM Transactions on Information and System Security (TISSEC)
Preventing injection attacks with syntax embeddings
Science of Computer Programming
An empirical investigation into open source web applications' implementation vulnerabilities
Empirical Software Engineering
Taxonomy and classification of automatic monitoring of program security vulnerability exploitations
Journal of Systems and Software
WebAppArmor: a framework for robust prevention of attacks on web applications
ICISS'10 Proceedings of the 6th international conference on Information systems security
Diesel: applying privilege separation to database access
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Building components with embedded security monitors
Proceedings of the joint ACM SIGSOFT conference -- QoSA and ACM SIGSOFT symposium -- ISARCS on Quality of software architectures -- QoSA and architecting critical systems -- ISARCS
Practical elimination of external interaction vulnerabilities in web applications
Journal of Web Engineering
One approach to the testing of security of proposed database application software
Proceedings of the 15th WSEAS international conference on Computers
Preventing web application injections with complementary character coding
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Model based hybrid approach to prevent SQL injection attacks in PHP
InfoSecHiComNet'11 Proceedings of the First international conference on Security aspects in information technology
Securing RFID systems from SQLIA
ICA3PP'11 Proceedings of the 11th international conference on Algorithms and architectures for parallel processing - Volume Part II
Defining code-injection attacks
POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
PSIAQOP: preventing SQL injection attacks based on query optimization process
Proceedings of the Second Kuwait Conference on e-Services and e-Systems
Automatically preparing safe SQL queries
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
SQL injection attack mechanisms and prevention techniques
ADCONS'11 Proceedings of the 2011 international conference on Advanced Computing, Networking and Security
International Journal of Computer Applications in Technology
SQL injection detection via program tracing and machine learning
IDCS'12 Proceedings of the 5th international conference on Internet and Distributed Computing Systems
Efficient ESL-Event-to-SQL translation
IScIDE'12 Proceedings of the third Sino-foreign-interchange conference on Intelligent Science and Intelligent Data Engineering
Inlined monitors for security policy enforcement in web applications
Proceedings of the 17th Panhellenic Conference on Informatics
Proceedings of the 23rd international conference on World wide web
Detection of cross site scripting attack in wireless networks using n-Gram and SVM
Mobile Information Systems - Advances in Network-Based Information Systems
Automated detection of parameter tampering opportunities and vulnerabilities in web applications
Journal of Computer Security
Hi-index | 0.00 |
An SQL injection attack targets interactive web applications that employ database services. Such applications accept user input, such as form fields, and then include this input in database requests, typically SQL statements. In SQL injection, the attacker provides user input that results in a different database request than was intended by the application programmer. That is, the interpretation of the user input as part of a larger SQL statement, results in an SQL statement of a different form than originally intended. We describe a technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities. The technique is based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input. Our solution is efficient, adding about 3 ms overhead to database query costs. In addition, it is easily adopted by application programmers, having the same syntactic structure as current popular record set retrieval methods. For empirical analysis, we provide a case study of our solution in J2EE. We implement our solution in a simple static Java class, and show its effectiveness and scalability.