DOI: 10.5555/2062981.2062986
Article

Model based hybrid approach to prevent SQL injection attacks in PHP

Published: 19 October 2011

Abstract

SQL injection vulnerability is ranked first in the OWASP Top 10 vulnerability list and has resulted in massive attacks on a number of websites in the past few years. In spite of preventive measures such as educating developers about safe coding practices, statistics show that these vulnerabilities still dominate the top of the list. Various static and dynamic approaches have been proposed to mitigate this vulnerability. In this paper, we present a hybrid approach to prevent SQL injection attacks in PHP, a popular server-side scripting language. This technique is more effective at preventing SQL injection attacks in a dynamic web content environment, and it does so without the use of complex string analyzer logic. Initially, we construct a query model for each hotspot by running the application in safe mode. In the production environment, dynamically generated queries are validated against this model. The results and analysis show that the proposed approach is simple and effective at preventing common SQL injection vulnerabilities.
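The safe-mode query model and production-time validation that the abstract describes, as an added example written for this page rather than code from the paper: the hotspot identifier `login.php:42`, the `buildLoginQuery` function, the `tokenizeSql` tokenizer and the `QueryModelStore` class are all constructed for the illustration, and the example assumes PHP 8. The model abstracts string and numeric literals to their kind, so user input that only changes a literal's value matches the recorded structure, while input that introduces extra tokens (an additional predicate, a comment) does not.

```php
<?php
declare(strict_types=1);

// Added illustration of a per-hotspot query model (not the paper's code).
// A hotspot is a call site that executes a dynamically built SQL string.

/**
 * Tokenize a SQL string into a structural signature: string and numeric
 * literals are abstracted to STR / NUM, comments to COMMENT, and keywords,
 * identifiers and operators keep their (upper-cased) text.
 *
 * @return string[]
 */
function tokenizeSql(string $sql): array
{
    $pattern = '/\s+'                               // whitespace (dropped below)
        . '|--[^\n]*|\/\*.*?\*\/'                   // -- and /* */ comments
        . '|\'(?:[^\'\\\\]|\\\\.|\'\')*\''          // single-quoted string literal
        . '|"(?:[^"\\\\]|\\\\.)*"'                  // double-quoted string literal
        . '|\d+(?:\.\d+)?'                          // numeric literal
        . '|[A-Za-z_][A-Za-z0-9_]*'                 // keyword or identifier
        . '|<=|>=|<>|!=|./s';                       // operators and punctuation
    preg_match_all($pattern, $sql, $matches);

    $tokens = [];
    foreach ($matches[0] as $t) {
        if (trim($t) === '') {
            continue;
        }
        if ($t[0] === "'" || $t[0] === '"') {
            $tokens[] = 'STR';
        } elseif (is_numeric($t)) {
            $tokens[] = 'NUM';
        } elseif (substr($t, 0, 2) === '--' || substr($t, 0, 2) === '/*') {
            $tokens[] = 'COMMENT';
        } else {
            $tokens[] = strtoupper($t);
        }
    }
    return $tokens;
}

/**
 * Per-hotspot query models. In safe mode (a trusted training run) every
 * structure seen at a hotspot is recorded; in production a query is accepted
 * only if its signature is one of the recorded ones.
 */
final class QueryModelStore
{
    /** @param array<string, string[][]> $models signatures per hotspot */
    public function __construct(private bool $safeMode, private array $models = [])
    {
    }

    /** Return true if the query may be executed at this hotspot. */
    public function check(string $hotspotId, string $sql): bool
    {
        $signature = tokenizeSql($sql);
        $known = $this->models[$hotspotId] ?? [];
        if ($this->safeMode) {
            if (!in_array($signature, $known, true)) {
                $this->models[$hotspotId][] = $signature; // learn a legitimate shape
            }
            return true;
        }
        return in_array($signature, $known, true);
    }

    /** @return array<string, string[][]> models to persist between runs */
    public function export(): array
    {
        return $this->models;
    }
}

// Hotspot: the login query of a hypothetical application (constructed example).
function buildLoginQuery(string $user, string $pass): string
{
    return "SELECT id FROM users WHERE name = '$user' AND pw = '$pass'";
}

$hotspot = 'login.php:42'; // assumed hotspot identifier (file:line)

// 1. Safe mode: exercise the hotspot with trusted input to record its model.
$training = new QueryModelStore(safeMode: true);
$training->check($hotspot, buildLoginQuery('alice', 'secret'));

// 2. Production: validate each generated query before handing it to the database.
$guard = new QueryModelStore(safeMode: false, models: $training->export());

$queries = [
    'benign'    => buildLoginQuery('bob', 'hunter2'),    // literals differ, structure same
    'tautology' => buildLoginQuery("' OR '1'='1", 'x'),  // adds OR, a literal and =
    'comment'   => buildLoginQuery("admin' --", 'x'),    // a comment replaces the rest
];
foreach ($queries as $label => $sql) {
    $verdict = $guard->check($hotspot, $sql) ? 'accepted' : 'rejected';
    echo str_pad($label, 10) . $verdict . PHP_EOL;
}
```

The check runs before the database call, so in production a rejected query can be logged with its hotspot identifier and dropped. Because the model captures structure only, a query whose literals change but whose token sequence is unchanged passes, which is what keeps legitimate dynamic values working; the flip side is that a hotspot that legitimately builds several query shapes (an optional `WHERE` clause, for instance) must have each shape exercised in safe mode, which is why the store keeps a set of signatures per hotspot rather than a single one.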

References

[1] Halfond, W.G., Orso, A.: Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. In: Proc. of the Third Intern. ICSE Workshop on Dynamic Analysis (WODA 2005), pp. 22-28 (May 2005).
[2] Halfond, W., Orso, A.: AMNESIA: Analysis and Monitoring for NEutralizing SQL Injection Attacks. In: Proc. 20th IEEE and ACM Int'l Conf. Automated Software Eng., pp. 174-183 (2005).
[3] Halfond, W.G., Orso, A.: Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. In: Proceedings of the Third International ICSE Workshop on Dynamic Analysis (WODA 2005), St. Louis, MO, USA, pp. 22-28 (May 2005).
[4] Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292-302. Springer, Heidelberg (2004).
[5] Buehrer, G.T., Weide, B.W., Sivilotti, P.A.G.: Using Parse Tree Validation to Prevent SQL Injection Attacks. In: International Workshop on Software Engineering and Middleware, SEM (2005).
[6] Su, Z., Wassermann, G.: The Essence of Command Injection Attacks in Web Applications. In: The 33rd Annual Symposium on Principles of Programming Languages, POPL 2006 (January 2006).
[7] McClure, R., Kruger, I.: SQL DOM: Compile Time Checking of Dynamic SQL Statements. In: Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), pp. 88-96 (2005).
[8] Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise Analysis of String Expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1-18. Springer, Heidelberg (2003).
[9] Gould, C., Su, Z., Devanbu, P.: JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications. In: Proceedings of the 26th International Conference on Software Engineering (ICSE 2004) Formal Demos, pp. 697-698 (2004).
[10] Monticelli, F.: SQLPrevent. PhD thesis, University of British Columbia (UBC), Vancouver, Canada (2008).
[11] OWASP: Top ten most critical web application vulnerabilities (2010), http://www.owasp.org/index.php/Top_10_2010-Main
[12] PHP usage statistics, http://www.php.net/usage.php
[13] Wikipedia: PHP, http://en.wikipedia.org/wiki/PHP
[14] System Administration, Networking, and Security Institute (SANS), http://www.sans.org/
[15] Cook, W.R., Rai, S.: Safe Query Objects: Statically Typed Objects as Remotely Executable Queries. In: Proc. 27th Int'l Conf. Software Eng., pp. 97-106 (May 2005).
[16] Amirtahmasebi, K., et al.: A survey of SQL injection defense mechanisms. In: Int. Conf. for Internet Technology and Secured Trans., ICITST 2009, pp. 1-8 (November 2009).
[17] PHP Open source web applications, http://www.goto.com

Cited By

  • J-Force. In: Proceedings of the 26th International Conference on World Wide Web (2017), pp. 897-906. DOI: 10.1145/3038912.3052674. Online publication date: 3 April 2017.


Published In

InfoSecHiComNet'11: Proceedings of the First international conference on Security aspects in information technology
October 2011
185 pages
ISBN:9783642245855
Editors: Marc Joye, Debdeep Mukhopadhyay, Michael Tunstall

Publisher

Springer-Verlag

Berlin, Heidelberg


Author Tags

  1. SQL injection attack
  2. authentication bypass
  3. database mapping
  4. dynamic analysis
  5. input validation
  6. static analysis
  7. unauthorized access
  8. web vulnerabilities

Qualifiers

  • Article
