International Journal of Scientific and Engineering Research
ISSN Online 2229-5518
ISSN Print: 2229-5518 3    
Website: http://www.ijser.org
IJSER, Volume 3, Issue 3, March 2012
An Effective Approach for Protecting Web from SQL Injection Attacks
pp. 26-30
Author(s)
Veera Venkateswaramma P
KEYWORDS
SQL Injection, Security, Syntax-aware, Positive tainting, Character level tainting.
ABSTRACT
In recent years, the databases that underlie web applications have faced many security threats, such as unauthorized access. Many software systems have evolved to include a Web-based component that makes them available to the public via the Internet and can expose them to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases and has become a frequent and serious threat to them. A successful injection attack can give attackers access to, and even control of, the databases that underlie Web applications, which may contain sensitive or confidential information. This paper presents a new, highly automated approach for protecting Web applications against SQL injection that has both conceptual and practical advantages over most existing techniques. From a practical standpoint, our technique is precise and efficient, has minimal deployment requirements, and incurs a very low performance overhead in most cases. We have implemented this technique (Injection preventer) and used it to perform an empirical evaluation on a wide range of Web applications that we subjected to a large and varied set of attacks and legitimate accesses.