Evaluating the Effectiveness of Conventional Fixes for SQL Injection Vulnerability

Conference paper
Part of the Smart Innovation, Systems and Technologies book series (SIST, volume 44)

Abstract

The computer world is definitely familiar with SQL as it plays a major role in the development of web applications. Almost all applications have data to be stored for future reference and most of them use RDBMS. Many applications choose its backend from the SQL variants. Large and important applications like the bank and credit-cards will have highly sensitive data in their databases. With the incredible advancement in technology, almost no data can survive the omniscient eyes of the attackers. The only thing that can be done is to make the attackers work difficult. The conventional fixes help in the prevention of attacks to an extent. However, there is a need for some authentic work about the effectiveness of these fixes. In this paper, we present a study of the popular SQL Injection Attack (SQLIA) techniques and the effectiveness of conventional fixes in reducing them. For addressing the SQLIA’s in depth, a thorough background study was done and the mitigation techniques were evaluated using both automated and manual testing. We took the help of a renowned penetration testing tool, SQLMap, for the automated testing. The results indicate the importance of incorporating these mitigation techniques in the code apart from going for complex fixes that require both effort and time.

Keywords

Web-attacks SQLIA SQL injection 

References

  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Lilupophilupop: Tongue-twister SQL injection attacks pass one million mark: http://www.infosecurity-magazine.com/news/lilupophilupop-tongue-wister-sql-injection/
  5. 5.
  6. 6.
    Kindy, D.A., Pathan, A.K.: A Detailed survey on various aspects of SQL injection in web applications: vulnerabilities, innovative attacks and remedies. In: International Journal of Communication Networks and Information Security, vol. 5, no. 2, pp. 80–92 August 2013Google Scholar
  7. 7.
    Bono, S.C., Domangue, E.: SQL Injection: A Case Study, Whitepaper Oct 2012Google Scholar
  8. 8.
    Shar, L.K., Beng, H., Tan, K.: Defeating SQL Injection. IEEE Comput. Soc. 46(3), 69–77 (2013) (IEEE)Google Scholar
  9. 9.
    Ahmad, K., Shekhar, J., Yadav, K.P.: Classification of SQL injection attacks. In: VSRD-TNTJ, vol. I, no. (4), pp. 235–242(2010)Google Scholar
  10. 10.
    Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks. In: ACM Transactions on Information and System Security, vol. 13, no. 2, p. 139. ACM (2010)Google Scholar
  11. 11.
    Jane, P.Y., Chaudhari, M.S.: SQLIA: Detection and prevention techniques: a survey. IOSR J. Comput. Eng. 2, 56–60. IOSR J. (2013)Google Scholar
  12. 12.
    Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for neutralizing SQL injection attacks. In: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, pp. 174–183. ACM, New York (2005)Google Scholar
  13. 13.
    Clarke, J.: SQL Injection Attacks and Defense. Elsevier Inc (2009)Google Scholar
  14. 14.
    Howard, M., LeBlanc, D.: Writing Secure Code, 2nd edn. Microsoft Press, Washington (2003)Google Scholar

Copyright information

© Springer India 2016

Authors and Affiliations

  1. 1.Department of Computer Science and EngineeringAmrita Vishwa VidyapeethamCoimbatoreIndia

Personalised recommendations