http://dx.doi.org/10.13089/JKIISC.2008.18.5.135

A Method for SQL Injection Attack Detection using the Removal of SQL Query Attribute Values  

Lee, In-Yong (Graduate School of Information Management and Security, Korea University)
Cho, Jae-Ik (Graduate School of Information Management and Security, Korea University)
Cho, Kyu-Hyung (Graduate School of Information Management and Security, Korea University)
Moon, Jong-Sub (Graduate School of Information Management and Security, Korea University)
Abstract
The expansion of the internet has made web applications part of everyday life. As a result, the number of incidents that exploit web application vulnerabilities is increasing. A large share of these incidents are SQL Injection attacks, which pose a serious threat to databases holding potentially sensitive information. Much research has therefore gone into detecting and preventing these attacks, and it has reduced their number; however, methods to bypass the existing defences still exist, and the defences themselves are often too complex to implement in real web applications. This paper proposes a simple and effective SQL query attribute value removal method that combines static and dynamic analysis, and evaluates its efficiency through various experiments.
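The idea the abstract names, removing a query's attribute values and comparing what is left against the shape the application is expected to issue, can be shown in working code. The following is an added example written for this page; it is not the paper's own code and does not claim to reproduce its exact algorithm. It assumes a static phase that knows each query template the application issues (the constructed TEMPLATES dictionary with {placeholders}) and a dynamic phase that strips literals from the query actually built at runtime and compares the remaining skeleton with the recorded one. All templates, inputs and function names are assumptions made for illustration.

```python
"""Attribute-value removal for SQL injection detection.

Added illustrative example, not code from the paper. It assumes only the
general scheme the abstract describes: a static phase records the shape of
each query the application is expected to issue, and a dynamic phase strips
the attribute values (literals) from each query actually built at runtime
and compares what remains against the recorded shape. Templates and inputs
below are constructed for this example.
"""
import re

# Attribute values to strip: single-quoted strings (with '' escapes),
# double-quoted strings, and numeric literals.
_LITERAL = re.compile(
    r"'(?:[^']|'')*'"          # 'alice', 'o''brien'
    r'|"(?:[^"]|"")*"'         # "alice"
    r"|\b\d+(?:\.\d+)?\b"      # 42, 3.14
)


def remove_attribute_values(query: str) -> str:
    """Replace every literal with '?' and normalise whitespace and case.

    What is left is the query's structure: keywords, identifiers, operators
    and the positions where values sit."""
    skeleton = _LITERAL.sub("?", query)
    return re.sub(r"\s+", " ", skeleton).strip().lower()


# Static phase (assumed): the query templates the application is known to
# issue, with {placeholders} where user input is spliced in.
TEMPLATES = {
    "login": "SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}'",
    "item": "SELECT * FROM items WHERE id = {id} AND shop = '{shop}'",
}


def expected_skeletons(templates: dict) -> dict:
    """Fill each placeholder with a neutral literal and strip the values,
    giving the skeleton every runtime instance of the query must match."""
    return {
        name: remove_attribute_values(re.sub(r"\{\w+\}", "0", tpl))
        for name, tpl in templates.items()
    }


def build_query(template: str, **params: str) -> str:
    """The vulnerable construction under test: input spliced in as text."""
    return template.format(**params)


def is_injection(expected_skeleton: str, runtime_query: str) -> bool:
    """Dynamic phase: a runtime query whose value-stripped form differs from
    the static skeleton had its structure, not just its values, changed by
    user input."""
    return remove_attribute_values(runtime_query) != expected_skeleton


def run_demo() -> dict:
    """Check constructed benign and malicious inputs; returns {label: flagged}."""
    expected = expected_skeletons(TEMPLATES)
    cases = {
        "login ok": ("login", {"name": "alice", "pw": "pw123"}),
        "login escaped quote": ("login", {"name": "o''brien", "pw": "x"}),
        "login tautology": ("login", {"name": "' OR '1'='1", "pw": "x"}),
        "login comment": ("login", {"name": "admin'--", "pw": "x"}),
        "item ok": ("item", {"id": "42", "shop": "main"}),
        "item numeric tautology": ("item", {"id": "1 OR 1=1", "shop": "main"}),
    }
    results = {}
    for label, (name, params) in cases.items():
        query = build_query(TEMPLATES[name], **params)
        results[label] = is_injection(expected[name], query)
    return results


if __name__ == "__main__":
    for label, flagged in run_demo().items():
        print(f"{'INJECTION' if flagged else 'ok       '}  {label}")
```

Two caveats a practitioner would want. The regex stands in for a lexer; a real deployment must recognise literals exactly as the target database does (hex and escape-sequence strings, nested comments, dialect-specific quoting), or an attacker can craft a value that the checker and the database tokenise differently. And the comparison is only as complete as the static phase: a query the static analysis never recorded has no skeleton to match, so coverage of every query site in the application is what the scheme rests on. Note also that an unescaped apostrophe in legitimate input is flagged as well, which is correct behaviour here, since such input does change the query's structure.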
Keywords
Web Application Security; SQL Injection; Static and Dynamic analysis;
References
1 The Open Web Application Security Project, "OWASP Top 10 Project", http://www.owasp.org/
2 G. Wassermann, Z. Su, "An Analysis Framework for Security in Web Applications", Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS), pp. 70-78, 2004.
3 Y. Shin, "Improving the Identification of Actual Input Manipulation Vulnerabilities", 14th ACM SIGSOFT Symposium on Foundations of Software Engineering (FSE), 2006.
4 PHP, "Magic Quotes", http://www.php.net/magic_quotes/
5 Y. Huang, S. Huang, T. Lin, C. Tsai, "Web Application Security Assessment by Fault Injection and Behavior Monitoring", Proceedings of the 12th International Conference on World Wide Web (WWW), pp. 148-159, 2003.
6 Apache Struts project, http://struts.apache.org/
7 W. G. Halfond, A. Orso, "AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks", Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 174-183, 2005.
8 Y. Kosuga, K. Kono, M. Hanaoka, M. Hishiyama, Y. Takahama, "Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection", Proceedings of the Annual Computer Security Applications Conference (ACSAC 2007), pp. 107-117, 2007.
9 K. Wei, M. Muthuprasanna, S. Kothari, "Preventing SQL Injection Attacks in Stored Procedures", Australian Software Engineering Conference (ASWEC 2006), pp. 18-21, 2006.
10 C. Gould, Z. Su, P. Devanbu, "JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications", Proceedings of the 26th International Conference on Software Engineering (ICSE), pp. 697-698, 2004.
11 F. Valeur, D. Mutz, G. Vigna, "A Learning-Based Approach to the Detection of SQL Attacks", Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), pp. 123-140, 2005.
12 S. Thomas, L. Williams, "Using Automated Fix Generation to Secure SQL Statements", Proceedings of the 29th International Conference on Software Engineering Workshops (ICSEW), IEEE Computer Society, p. 54, 2007.
13 Z. Su, G. Wassermann, "The Essence of Command Injection Attacks in Web Applications", Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pp. 372-382, 2006.
14 S. Boyd, A. Keromytis, "SQLrand: Preventing SQL Injection Attacks", Applied Cryptography and Network Security (ACNS), LNCS Volume 3089, pp. 292-302, 2004.
15 G. Buehrer, B. W. Weide, P. A. G. Sivilotti, "Using Parse Tree Validation to Prevent SQL Injection Attacks", Proceedings of the 5th International Workshop on Software Engineering and Middleware (SEM), pp. 105-113, 2005.
16 W. G. Halfond, J. Viegas, A. Orso, "A Classification of SQL-Injection Attacks and Countermeasures", Proceedings of the International Symposium on Secure Software Engineering (ISSSE), Raleigh, NC, USA, pp. 65-81, 2006.
17 National Cyber Security Center (국가사이버안전센터), "2008 National Information Security White Paper", 2008.
18 Paros, http://www.parosproxy.org/
19 J.-C. Park, B.-N. Noh, "SQL Injection Attack Detection: Profiling of Web Application Parameter Using the Sequence Pairwise Alignment", Information Security Applications (WISA), LNCS Volume 4298, pp. 74-82, 2007.
20 GotoCode, http://www.gotocode.com/