SQL Injection Attacks and Mitigation Strategies: The Latest Comprehension

Chapter in: Advances in Cybersecurity Management

Abstract

Cybersecurity management involves securing data, privileges, and integrity while they are being accessed over the Internet. Web application vulnerabilities are taking newer forms in terms of attacking methods. The most common and simplest attack in the category of web application attacks is the SQL (Structured Query Language) injection attack. This chapter presents the background and the various types of SQL injection attacks, with a focus on mitigation strategies.



Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Bayyapu, N. (2021). SQL Injection Attacks and Mitigation Strategies: The Latest Comprehension. In: Daimi, K., Peoples, C. (eds) Advances in Cybersecurity Management. Springer, Cham. https://doi.org/10.1007/978-3-030-71381-2_10

  • DOI: https://doi.org/10.1007/978-3-030-71381-2_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-71380-5

  • Online ISBN: 978-3-030-71381-2

  • eBook Packages: Computer Science (R0)