DOI: 10.1145/1363686.1364201
SQL-IDS: a specification-based approach for SQL-injection detection

Published: 16 March 2008

Abstract

Vulnerabilities in web applications allow malicious users to obtain unrestricted access to private and confidential information. SQL injection attacks rank at the top of the list of threats directed at any database-driven web application. An attacker can take advantage of security flaws in web application code and pass unexpected, malicious SQL statements through the web application for execution by the back-end database. This paper proposes a novel specification-based methodology for detecting exploitation of SQL injection vulnerabilities. The approach, on the one hand, uses specifications that define the intended syntactic structure of the SQL queries the web application produces and executes and, on the other hand, monitors the application for executed queries that violate those specifications.
The three most important advantages of the new approach over existing analogous mechanisms are that, first, it prevents all forms of SQL injection attacks; second, its effectiveness is independent of any particular target system, application environment, or DBMS; and, third, existing web applications need no source code modification to be protected by the new scheme.
We developed a prototype SQL injection detection system (SQL-IDS) that implements the proposed algorithm. The system monitors Java-based applications and detects SQL injection attacks in real time. We report preliminary experimental results over several SQL injection attacks showing that the proposed query-specific detection allows the system to perform focused analysis at negligible computational overhead without producing false positives or false negatives. The new approach is therefore very efficient in practice.
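The abstract describes the detection principle but not the mechanics. The following is an added example written for this page, not the SQL-IDS prototype (which is Java-based) or any code from the authors. It assumes its own specification syntax: each query the application is allowed to issue is described by a template in which `?` marks a position where exactly one literal value may appear. At run time the concrete query string is tokenized, literal values are abstracted to their kind, and the resulting token sequence is compared with the template; any structural deviation (an extra predicate, a comment, a second statement, a stray quote) is reported. The `SPECS` registry and the `build_login`/`build_product` call sites are hypothetical stand-ins for an application's query-building code.

```python
"""Specification-based SQL injection detection (added example, not the
paper's code). Assumptions: the '?' template syntax, the SQL dialect the
tokenizer accepts, and the hypothetical application call sites below."""
import re

# Longest-match tokenizer. Order matters: comments are tried before the
# '-' and '/' operators, strings before stray quotes, numbers before words.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)
  | (?P<param>\?)
  | (?P<op><>|<=|>=|!=|\|\||[=<>(),;*+\-/%])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Turn SQL text into (kind, value) pairs. Literal values are dropped:
    the specification constrains the query's structure, not the data."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            tokens.append(("LITERAL", kind))
        elif kind == "word":
            tokens.append(("WORD", text.upper()))   # keyword or identifier
        elif kind == "param":
            tokens.append(("PARAM", None))
        elif kind == "comment":
            tokens.append(("COMMENT", None))
        elif kind == "op":
            tokens.append(("OP", text))
        else:
            tokens.append(("OTHER", text))          # unterminated quote etc.
    return tokens


def check_query(spec, sql):
    """Return (True, "ok") if sql has exactly the token structure of spec,
    otherwise (False, reason). Each PARAM consumes exactly one literal."""
    expected = tokenize(spec)
    actual = tokenize(sql)
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e[0] == "PARAM":
            if a[0] != "LITERAL":
                return False, f"token {i}: expected a literal, got {a}"
        elif e != a:
            return False, f"token {i}: expected {e}, got {a}"
    if len(actual) > len(expected):
        extra = actual[len(expected)]
        return False, f"token {len(expected)}: unexpected trailing {extra}"
    if len(actual) < len(expected):
        return False, "query is truncated relative to its specification"
    return True, "ok"


# Hypothetical specifications, keyed by the call site that builds the query.
SPECS = {
    "login":   "SELECT id FROM users WHERE name = ? AND pass = ?",
    "product": "SELECT name, price FROM products WHERE id = ?",
}


def build_login(name, pw):
    """Hypothetical vulnerable call site: unparameterized concatenation."""
    return f"SELECT id FROM users WHERE name = '{name}' AND pass = '{pw}'"


def build_product(pid):
    """Hypothetical vulnerable call site with an unquoted numeric value."""
    return f"SELECT name, price FROM products WHERE id = {pid}"


def monitor(site, sql):
    """The check a driver-level interceptor would run before execution."""
    return check_query(SPECS[site], sql)


if __name__ == "__main__":
    # Constructed inputs: benign values, an escaped quote, and classic payloads.
    cases = [
        ("login", build_login("alice", "s3cret")),
        ("login", build_login("O''Connor", "pw")),
        ("login", build_login("' OR '1'='1' --", "x")),
        ("login", build_login("alice", "x'; DROP TABLE users; --")),
        ("product", build_product("42")),
        ("product", build_product("42 OR 1=1")),
        ("product", build_product("42 UNION SELECT name, pass FROM users")),
    ]
    for site, sql in cases:
        ok, reason = monitor(site, sql)
        verdict = "ALLOW" if ok else "BLOCK"
        print(f"{verdict} [{site}] {sql}\n      {reason}")
```

Two practical caveats follow from this structure. The tokenizer must match the dialect of the target DBMS (MySQL backslash escapes and `#` comments, PostgreSQL dollar-quoted strings, and so on), otherwise the monitor and the database will parse the same bytes differently and the "no false negatives" property is lost. And every query the application can issue needs a specification; a call site that legitimately builds a dynamic column list or `ORDER BY` from user input needs a template with alternatives rather than a single fixed token sequence, or it will generate false positives.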



Published In

SAC '08: Proceedings of the 2008 ACM symposium on Applied computing
March 2008
2586 pages
ISBN:9781595937537
DOI:10.1145/1363686
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. SQL injection attacks
  2. database security
  3. specification-based runtime validation
  4. web application security
  5. world-wide web

Conference

SAC '08: The 2008 ACM Symposium on Applied Computing
March 16 - 20, 2008
Fortaleza, Ceara, Brazil


Cited By

  • SQLStateGuard: Statement-Level SQL Injection Defense Based on Learning-Driven Middleware. Proceedings of the 2024 ACM Symposium on Cloud Computing, pp. 69-82, 20 Nov 2024. DOI: 10.1145/3698038.3698569
  • SQLPsdem: A Proxy-based Mechanism towards Detecting, Locating and Preventing Second-Order SQL Injections. IEEE Transactions on Software Engineering, pp. 1-20, 2024. DOI: 10.1109/TSE.2024.3400404
  • Machine Learning Algorithms for Robust Software Vulnerability Detection. 2024 International Conference on Innovation and Novelty in Engineering and Technology (INNOVA), pp. 1-7, 20 Dec 2024. DOI: 10.1109/INNOVA63080.2024.10846984
  • Enhancing Cloud Virtualization Security with a Z-Score Based Conjugate Self-Organizing Migration ML Model. 2024 15th International Conference on Computing Communication and Networking Technologies (ICCCNT), pp. 1-7, 24 Jun 2024. DOI: 10.1109/ICCCNT61001.2024.10725114
  • Backslash map: An Automated Vulnerability Scanner. 2023 Eleventh International Conference on Intelligent Computing and Information Systems (ICICIS), pp. 476-482, 21 Nov 2023. DOI: 10.1109/ICICIS58388.2023.10391153
  • Machine Learning-Based Detection and Mitigation of XML SQL Injection Attacks. 2023 Global Conference on Information Technologies and Communications (GCITC), pp. 1-6, 1 Dec 2023. DOI: 10.1109/GCITC60406.2023.10426458
  • Secure Software Development in Google Colab. 2023 IEEE World AI IoT Congress (AIIoT), pp. 398-402, 7 Jun 2023. DOI: 10.1109/AIIoT58121.2023.10174336
  • Empirical Evaluations of Machine Learning Effectiveness in Detecting Web Application Attacks. Future Access Enablers for Ubiquitous and Intelligent Infrastructures, pp. 99-116, 15 Dec 2023. DOI: 10.1007/978-3-031-50051-0_8
  • A Systematic Literature Review on the Characteristics and Effectiveness of Web Application Vulnerability Scanners. IEEE Access, vol. 10, pp. 33200-33219, 2022. DOI: 10.1109/ACCESS.2022.3161522
  • SQL Injection Detection Technology Based on BiLSTM-Attention. 2021 4th International Conference on Robotics, Control and Automation Engineering (RCAE), pp. 165-170, 4 Nov 2021. DOI: 10.1109/RCAE53607.2021.9638837