CFP last date
20 December 2024
Call for Paper
January Edition
IJCA solicits high quality original research papers for the upcoming January edition of the journal. The last date of research paper submission is 20 December 2024

Submit your paper
Know more
The week's pick
Responsive image
SFLA-Based Line Balancing and Task Optimization in Master-Slave Controlled Hanger Transportation Systems for Garment Production

Duc Hoang Nguyen
Random Articles
Reseach Article

An Approach to Detection of SQL Injection Attack Based on Dynamic Query Matching

by Debasish Das, Utpal Sharma, D.K. Bhattacharyya
journal cover thumbnail

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 1 - Number 25
Year of Publication: 2010
Authors: Debasish Das, Utpal Sharma, D.K. Bhattacharyya
10.5120/462-766

Debasish Das, Utpal Sharma, D.K. Bhattacharyya . An Approach to Detection of SQL Injection Attack Based on Dynamic Query Matching. International Journal of Computer Applications. 1, 25 ( February 2010), 28-34. DOI=10.5120/462-766

@article{ 10.5120/462-766,
author = { Debasish Das, Utpal Sharma, D.K. Bhattacharyya },
title = { An Approach to Detection of SQL Injection Attack Based on Dynamic Query Matching },
journal = { International Journal of Computer Applications },
issue_date = { February 2010 },
volume = { 1 },
number = { 25 },
month = { February },
year = { 2010 },
issn = { 0975-8887 },
pages = { 28-34 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume1/number25/462-766/ },
doi = { 10.5120/462-766 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T19:48:31.885604+05:30
%A Debasish Das
%A Utpal Sharma
%A D.K. Bhattacharyya
%T An Approach to Detection of SQL Injection Attack Based on Dynamic Query Matching
%J International Journal of Computer Applications
%@ 0975-8887
%V 1
%N 25
%P 28-34
%D 2010
%I Foundation of Computer Science (FCS), NY, USA
Abstract

Web is one of the most popular internet services in today’s world. In today’s world, web servers and web based applications are the popular corporate applications and become the targets of the attackers. A Large number of Web applications, especially those deployed for companies to ebusiness operation involve high reliability, efficiency and confidentiality. Such applications are written in script languages like PHP embedded in HTML allowing establish the connection to databases, retrieving data and putting them in WWW site. In order to detect known attacks, misuse detection of web based attacks consists of attack rules and descriptions. Misuse detection considers predefined signatures for intrusion detection. One of the most common in web application attack is SQL Injections. Here an attacker exploits with faulty input strings so that the dynamic queries generate by the web application changes the structure designed by the developer. Thus, the SQL injected query generated becomes maliciously crafted queries. In this paper we have tried to classify the SQL Injection attack based on their vulnerabilities in web applications. We have also reported the approaches and how implemented in recent years by some of the researcher’s in their methodologies for detection and protection of SQL Injection attacks. Our technique of classification has avoided the developer’s dependent approaches adopted by the researchers such as – initialization of syntactical rule, valid trusted string database, static or pre generated program code checking etc. Our approach based on dynamic query matching with SQL signature, successfully detected SQL injection vulnerabilities with a very low false positive rate. It is also easy to implement in real-world scenario. SQL signature updates adaptively.

References
  1. [Z.Su and G. Wassermann. The Essence of Command Injection Attacks in Web Application. In the 33rd Annual Symposium on Principles of Programming languages, pages 372-382, Jan. 2006.
  2. C Anley. Advanced SQL Injection in SQL Server Applications. White Paper Next Generation Security Software Ltd., 2002
  3. S.McDoland. SQL Injection. Modes of Attack, defence and why it matters. White paper, GovernmentSecurity.org, April 2002
  4. S.Labs SQL Injection. White Paper, SPI Dynamics, Inc.,2002. http://www.spidynamics.com/assets/documents/WhitepaperSQLInjection.pdf
  5. M. Howard and D Le Blane. Writing Secure Code. Microsoft Press, Redmond, Washington, second edition, 2003.
  6. D. Litchfield. Wep Application Dissembly with ODBC Error Messages. Technical document, @Stake,Inc.,2002.
  7. F. Bouma. Stored Proceduresare Bad, O’Kay? TechnicalReport. Asp.Net Weblogs, November 2003. http://weblogs.asp.net/fbouma/archive/2003/11/18/38178.aspx.
  8. E. M. Fayo. Advanced SQL Injection in Oracle Databases. Technical Report, Agencies Information Security, Balck Hat Briefings, Black hat U.S.A., 2005
  9. P. Finnigan. SQL Injection and Oracle – Part 1 and Part 2. Technical Report, Security Focus, November 2002.
  10. Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks. William G.J. Halfond, Alessandro Orso and Panagiotis Manolios. SIGSOFT’06/FSE-14, November 5-11, 2006, Portland, Oregon, USA.
  11. Defending against Injection Attacks through Context-Sensitive String Evaluation. Tadeusz Pietraszek and Dhris Vanden Berghe . Proceedings of Recent Advances in Intrusion Detection (RAID2005).
  12. K. Krithivasan and R. Sitalakshmi, “Efficient Two imensional Pattern Matching in the Presence of Errors”, Information Sciences, Vol. 43, 1987, pp. 169-184.
  13. Finding Application Errors and Security Flaws Using PQL: a Program Query Language. OPSLA’05, October 16-20, 2005, San Diego, California, USA
  14. Steve Christey. Vulnerability Type Distributions in CVE, October 2006. http://cwe.mitre.org/documents/vuln-trends.html
  15. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities by Nenad Jovanovic , Christopher Kruegel , Engin Kirda, IN 2006 IEEE SYMPOSIUM ON SECURITY AND PRIVACY
Index Terms

Computer Science
Information Sciences

Keywords

web php sql injection classification DTD

Powered by PhDFocusTM