http://dx.doi.org/10.3837/tiis.2020.06.014

A Reusable SQL Injection Detection Method for Java Web Applications  

He, Chengwan (School of Computer Science and Engineering, Wuhan Institute of Technology)
He, Yue (School of Information Engineering, Wuhan University of Technology)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.14, no.6, 2020, pp. 2576-2590
Abstract
The fundamental reason why most SQL injection detection methods are difficult to use in practice is the low reusability of their implementation code. This paper presents a reusable SQL injection detection method for Java Web applications based on AOP (Aspect-Oriented Programming) and dynamic taint analysis. The method encapsulates the dynamic taint analysis processes into different aspects and establishes an aspect library to realize large-grained reuse of the code for detecting SQL injection attacks. A metamodel of the aspect library is proposed, and a management tool for the aspect library is implemented. Experiments show that this method can effectively detect 7 known types of SQL injection attack (tautologies, logically incorrect queries, union query, piggy-backed queries, stored procedures, inference query, and alternate encodings) and supports large-grained reuse of the code for detecting SQL injection attacks.
Keywords
SQL injection attack; aspect-oriented programming; taint analysis; aspect library; metamodel