
A Survey on the Detection of SQL Injection Attacks and Their Countermeasures

  • Received: 2013.10.22
  • Reviewed: 2013.12.04
  • Published: 2017.08.31

Abstract

Structured Query Language (SQL) Injection continues to be one of the greatest security risks in the world according to the Open Web Application Security Project's (OWASP) [1] Top 10 Security Vulnerabilities 2013. Its ease of exploitability and severe impact put this attack at the top. As the countermeasures become more sophisticated, SQL Injection Attacks also continue to evolve, thwarting attempts to eliminate this attack completely. Vulnerable data is a source of worry for government and financial institutions. In this paper, a detailed survey of the different types of SQL Injection and the proposed methods and theories is presented, along with various tools and their efficiency in intercepting and preventing SQL attacks.
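The abstract refers to countermeasures and to tools that intercept SQL attacks without showing what an injection does to a query. The following added example (not code from the paper or from any of the surveyed tools) makes the two sides concrete: it builds a constructed in-memory SQLite table, runs the same lookup once with string concatenation and once with a bound parameter, and then applies a simplified "query skeleton" check in the spirit of the structure-based detection ideas the survey covers, in which literals are blanked out so that a change in the query's grammar becomes visible. The table contents, the `users` schema and the regular expression are assumptions made for this illustration.

```python
import re
import sqlite3

# Constructed sample data for this example: three users in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def build_vulnerable_sql(username):
    # Concatenation: the untrusted value becomes part of the SQL grammar.
    return "SELECT username FROM users WHERE username = '" + username + "'"


def lookup_vulnerable(conn, username):
    return sorted(row[0] for row in conn.execute(build_vulnerable_sql(username)))


def lookup_parameterized(conn, username):
    # Prepared statement: the driver binds the value as data, so the
    # statement's structure is fixed before any input is seen.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# Matches single-quoted string literals (with '' escapes) and bare integers.
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+\b")


def query_skeleton(sql):
    # Replace every literal with a placeholder so only the structure remains.
    # A query whose skeleton differs from the developer's template has had its
    # grammar altered, which is the signature of an injected clause.
    return LITERAL_RE.sub("?", sql)


def structure_changed(template_sql, actual_sql):
    return query_skeleton(template_sql) != query_skeleton(actual_sql)


# Classic tautology payload, the form of attack several surveyed papers target.
TAUTOLOGY = "' OR '1'='1"


def demo():
    conn = make_db()
    template = build_vulnerable_sql("bob")  # the query shape the developer intended
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "parameterized_normal": lookup_parameterized(conn, "bob"),
        "parameterized_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "tautology_detected": structure_changed(template, build_vulnerable_sql(TAUTOLOGY)),
        "normal_flagged": structure_changed(template, build_vulnerable_sql("carol")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the tautology input the concatenated query returns every row, the parameterized query returns none (no user has that literal name), and the skeleton check flags the concatenated query because `username = ?` has become `username = ? OR ?=?`, while an ordinary lookup for another user keeps the same skeleton and is not flagged. The skeleton check is deliberately simple; real structure-comparison tools parse the statement rather than applying a regular expression, and encodings or comments can defeat a naive literal matcher, which is one reason parameterization rather than detection is the primary countermeasure.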

Keywords

References

  1. The Open Web Application Security Project, "OWASP Top ten project" https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
  2. P. Sharma, R. Johari, and S. S. Sarma, "Integrated approach to prevent SQL injection attack and reflected cross site scripting attack," International Journal of System Assurance Engineering and Management, vol. 3, no. 4, pp. 343-351, 2012. https://doi.org/10.1007/s13198-012-0125-6
  3. G. Jiao, C. M. Xu, and J. Maohua, "SQLIMW: a new mechanism against SQL-Injection," in Proceedings of the International Conference on Computer Science & Service System (CSSS), Nanjing, China, 2012, pp. 1178-1180.
  4. R. Dharam and S. G. Shiva, "Runtime monitors for tautology based SQL injection attacks," in Proceedings of the International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), Kuala Lumpur, 2012, pp. 253-258.
  5. R. Dharam and S. G. Shiva, "A framework for development of runtime monitors," in Proceedings of the International Conference on Computer & Information Science (ICCIS), Kuala Lumpur, 2012, pp. 953-957.
  6. I. Balasundaram and E. Ramaraj, "An authentication scheme for preventing SQL injection attack using hybrid encryption (PSQLIA-HBE)," European Journal of Scientific Research, vol. 53, no. 3, pp. 359-368, 2011.
  7. K. X. Zhang, C. J. Lin, S. J. Chen, Y. Hwang, H. L. Huang, and F. H. Hsu, "TransSQL: a translation and validation-based solution for SQL-injection attacks," in Proceedings of the 1st International Conference on Robot, Vision and Signal Processing (RVSP), Kaohsiung, China, 2011, pp. 248-251.
  8. A. Pomeroy and Q. Tan, "Effective SQL Injection attack reconstruction using network recording," in Proceedings of the 11th International Conference on Computer and Information Technology (CIT), Pafos, 2011, pp. 552-556.
  9. J. G. Kim, "Injection attack detection using the removal of SQL query attribute values," in Proceedings of the International Conference on Information Science and Applications (ICISA), Jeju Island, Korea, 2011, pp. 1-7.
  10. P. Bisht, P. Madhusudan, and V. N. Venkatakrishnan, "CANDID: dynamic candidate evaluations for automatic prevention of SQL injection attacks," ACM Transactions on Information and System Security (TISSEC), vol. 13, no. 2, article no. 14, 2010.
  11. R. Halder and A. Cortesi, "Obfuscation-based analysis of SQL injection attacks," in Proceedings of IEEE Symposium on Computers and Communications (ISCC), Riccione, Italy, 2010, pp. 931-938.
  12. M. Ruse, T. Sarkar, and S. Basu, "Analysis & detection of SQL injection vulnerabilities via automatic test case generation of programs," in Proceedings of the 10th IEEE/IPSJ International Symposium on Applications and the Internet (SAINT), Seoul, Korea, 2010, pp. 31-37.
  13. N. Lambert and K. S. Lin, "Use of query tokenization to detect and prevent SQL injection attacks," in Proceedings of the 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT), Chengdu, China, 2010, pp. 438-440.
  14. X. Wang, L. Wang, G. Wei, D. Zhang, and Y. Yang, "Hidden web crawling for SQL injection detection," in Proceedings of the 3rd IEEE International Conference on Broadband Network and Multimedia Technology (ICBNMT), Beijing, China, 2010, pp. 14-18.
  15. S. Mathew, M. Petropoulos, H. Q. Ngo, and S. Upadhyaya, "A data-centric approach to insider attack detection in database systems," in Proceedings of the 13th International Symposium on Recent Advances in Intrusion Detection (RAID), Ottawa, Canada, 2010, pp. 382-401.
  16. R. Ezumalai and G. Aghila, "Combinatorial approach for preventing SQL injection attacks," in Proceedings of IEEE International Advance Computing Conference (IACC), Patiala, India, 2009, pp. 1212-1217.
  17. M. Junjin, "An approach for SQL injection vulnerability detection," in Proceedings of the 6th International Conference on Information Technology: New Generations (ITNG'09), Las Vegas, NV, 2009, pp. 1411-1414.
  18. S. Thomas, L. Williams, and T. Xie, "On automated prepared statement generation to remove SQL injection vulnerabilities," Information and Software Technology, vol. 51, no. 3, pp. 589-598, 2009. https://doi.org/10.1016/j.infsof.2008.08.002
  19. M. Kiani, A. Clark, and G. Mohay, "Evaluation of anomaly based character distribution models in the detection of SQL injection attacks," in Proceedings of the 3rd International Conference on Availability, Reliability and Security (ARES'08), Barcelona, 2008, pp. 47-55.
  20. K. Wei, M. Muthuprasanna, and S. Kothari, "Preventing SQL injection attacks in stored procedures," in Proceedings of the Australian Software Engineering Conference (ASWEC), Sydney, 2006.
  21. F. Valeur, D. Mutz, and G. Vigna, "A learning-based approach to the detection of SQL attacks," in Proceedings of the 2nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), Vienna, Austria, 2005, pp. 123-140.
  22. C. Gould, Z. Su, and P. Devanbu, "JDBC checker: a static analysis tool for SQL/JDBC applications," in Proceedings of the 26th International Conference on Software Engineering (ICSE), Edinburgh, Scotland, 2004, pp. 697-698.
  23. Y. W. Huang, S. K. Huang, T. P. Lin, and C. H. Tsai, "Web application security assessment by fault injection and behavior monitoring," in Proceedings of the 12th International Conference on World Wide Web, Budapest, Hungary, 2003, pp. 148-159.