Abstract
Cybersecurity management involves protecting data, privileges, and integrity while they are accessed over the Internet. Web application vulnerabilities keep taking new forms in terms of attack methods. The most common and simplest attack in the category of web application attacks is the SQL (Structured Query Language) injection attack. The background and the various types of SQL injection attacks are presented, with a focus on mitigation strategies.
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this chapter
Bayyapu, N. (2021). SQL Injection Attacks and Mitigation Strategies: The Latest Comprehension. In: Daimi, K., Peoples, C. (eds) Advances in Cybersecurity Management. Springer, Cham. https://doi.org/10.1007/978-3-030-71381-2_10
DOI: https://doi.org/10.1007/978-3-030-71381-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-71380-5
Online ISBN: 978-3-030-71381-2