Student: 馬若權 (Roberto Migli)
Thesis title: A fast, multi-platform method to detect SQL Injection Attacks
Advisor: 洪西進 (Shi-Jinn Horng)
Committee members: 陳秋華 (Chyou-hwa Chen), 王毓饒 (Yuh-Rau Wang)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2009
Graduation academic year: 97 (ROC calendar)
Language: English
Pages: 51
Keywords: security, sql injection
Views: 184; Downloads: 0

In recent years SQL injection attacks have become a major threat to both small and large web sites. This kind of injection attack exploits vulnerabilities in web applications that interact with a backend database. In this thesis we analyze SQL injection attack patterns and the previously proposed defense methods. We found that most existing approaches detect most attacks, but they do not consider the complexity of deploying the defense system or the cost of modifying the original program. The proposed method requires no modification of the web application code and can be adapted to different usage scenarios, including different operating systems and server applications. The proposed method detects all the known injection points in the test application. We compare the results with those of a published paper under the same testing conditions.
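The abstract describes detection that needs no change to the application code and, per the table of contents, works in a learning phase and a monitoring phase. The following is an added illustration of that idea and is not the thesis's own code: a monitor that reads MySQL-style general query log lines, reduces each query to a template (string and numeric literals replaced by `?`, comments dropped, case and whitespace normalized), records the templates seen during legitimate use, and later flags any query whose template was never learned. The log lines are constructed for the example, the log line layout is assumed from the MySQL 5.1 general query log, and the template scheme is my assumption, not necessarily the one the thesis uses; the thesis's separate testing phase is not modeled here.

```python
"""Learning-based monitor for SQL queries taken from a database query log.

Added example, not code from the thesis. Assumptions: the DBMS writes a
MySQL-style general query log ("<yymmdd hh:mm:ss> <conn id> Query <sql>",
with the timestamp omitted on lines in the same second), and a query's
template (literals replaced by '?') is a usable fingerprint of the
application statement that produced it.
"""
import re
from dataclasses import dataclass, field

# One general-query-log entry; the timestamp prefix is optional.
LOG_RE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+Query\s+(.*)$")

# Single-pass tokenizer: comments, quoted strings (with '' and \' escapes),
# numbers (hex or decimal), whitespace, and any other single character.
TOKEN_RE = re.compile(r"""
    (?P<comment>/\*.*?\*/|--[^\n]*|\#[^\n]*)
  | (?P<string>'(?:[^'\\]|\\.|'')*'|"(?:[^"\\]|\\.|"")*")
  | (?P<number>0x[0-9a-fA-F]+|\b\d+(?:\.\d+)?\b)
  | (?P<ws>\s+)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def template(sql: str) -> str:
    """Map a concrete query to its template.

    Literals become '?', comments are dropped, everything else is lowercased
    and whitespace is collapsed, so repeated executions of the same
    application statement with different user input share one template.
    """
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "comment":
            continue
        if kind in ("string", "number"):
            out.append("?")
        elif kind == "ws":
            out.append(" ")
        else:
            out.append(m.group().lower())
    return " ".join("".join(out).split())


def parse_log(text: str):
    """Yield (connection id, sql) for each Query entry in the log text."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2).strip()


@dataclass
class QueryMonitor:
    known: set = field(default_factory=set)

    def learn(self, log_text: str) -> int:
        """Learning phase: record templates of queries from legitimate use."""
        for _, sql in parse_log(log_text):
            self.known.add(template(sql))
        return len(self.known)

    def check(self, log_text: str) -> list:
        """Monitoring phase: return (conn id, sql, template) for each query
        whose template was never seen during learning."""
        alerts = []
        for cid, sql in parse_log(log_text):
            t = template(sql)
            if t not in self.known:
                alerts.append((cid, sql, t))
        return alerts


# Constructed sample log lines (not real captured traffic).
BENIGN_LOG = """\
090512 10:32:01\t    3 Query\tSELECT id, pass FROM users WHERE name='alice'
\t\t    3 Query\tSELECT * FROM items WHERE title LIKE '%lamp%' LIMIT 10
090512 10:32:02\t    4 Query\tSELECT * FROM items WHERE id=42
"""

# Tautology, union, stacked query, and a benign query with an escaped quote.
ATTACK_LOG = """\
090512 10:40:11\t    7 Query\tSELECT id, pass FROM users WHERE name='' OR '1'='1'
\t\t    7 Query\tSELECT * FROM items WHERE title LIKE '%x%' UNION SELECT name, pass FROM users-- %' LIMIT 10
090512 10:40:12\t    8 Query\tSELECT * FROM items WHERE id=42; DROP TABLE items
090512 10:40:13\t    9 Query\tSELECT id, pass FROM users WHERE name='bob\\'s'
"""

if __name__ == "__main__":
    mon = QueryMonitor()
    print("learned templates:", mon.learn(BENIGN_LOG))
    for cid, sql, t in mon.check(ATTACK_LOG):
        print(f"ALERT conn={cid} template={t!r}\n      query={sql!r}")
```

Only the three injected queries are reported; the fourth line, a normal lookup whose literal happens to contain an escaped quote, reduces to an already-learned template. The weak point of this scheme is the learning phase: any query path not exercised while learning becomes a false positive later, and an attacker who keeps the statement structure intact (for example a blind or timing attack that only alters a literal) produces no new template, which is why the thesis pairs learning with a dedicated testing phase.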


Table of Contents

Acknowledgment (i)
Abstract (ii)
Table of Contents (iii)
List of Figures (v)
List of Tables (vi)
Chapter 1 Introduction (1)
  1.1 Motivation: the relevance of SQL injection attacks (1)
  1.2 Research focus and contributions (2)
  1.3 Structure of the work (2)
Chapter 2 Background (3)
  2.1 Computer security: terminologies and definitions (3)
  2.2 Computer Security paradigms: C.I.A. and A.A.A. (4)
    2.2.1 The C.I.A. triad (4)
    2.2.2 The A.A.A. paradigm (4)
  2.3 Computer Security vulnerabilities and threats (5)
  2.4 Introduction to Web Applications anatomy (6)
  2.5 Server Technologies (7)
  2.6 Web application security vulnerabilities (10)
Chapter 3 SQL Injection Attacks (12)
  3.1 A basic SQLi example (13)
  3.2 SQLi techniques (15)
    3.2.1 Tautologies (16)
    3.2.2 Logically incorrect queries (16)
    3.2.3 Union queries (18)
    3.2.4 Piggy-Backed (stacked) queries (18)
    3.2.5 Stored Procedures (19)
    3.2.6 Blind SQL injection (20)
    3.2.7 Alternate Encodings (20)
    3.2.8 Timing Attacks (21)
  3.3 SQL injection prevention techniques (22)
    3.3.1 Statement preparation and Argument Binding (23)
    3.3.2 Static analysis (23)
    3.3.3 Dynamic and black-box analysis (24)
    3.3.4 Combined Static and Dynamic analysis (25)
    3.3.5 Taint-based techniques (25)
    3.3.6 SQL code randomization (26)
    3.3.7 Security oriented paradigms for Dynamic Queries (26)
Chapter 4 Proposed Method (27)
  4.1 System Architecture (28)
    4.1.1 Learning phase (31)
    4.1.2 Testing phase (33)
    4.1.3 Monitoring phase (34)
  4.2 Testing of the detection program (35)
    4.2.1 Automated injection test: registration form (36)
    4.2.2 Automated injection test: search form (37)
    4.2.3 Manual injection attack 1 (38)
    4.2.4 Manual injection attack 2 (39)
    4.2.5 Manual injection attack 3 (39)
Chapter 5 Conclusions and future work (41)
References (42)
