CFP last date
20 January 2025
Reseach Article

Protection Web Applications using Real-Time Technique to Detect Structured Query Language Injection Attacks

by Nabeel Salih Ali, Abd Samad Shibghatullah
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 149 - Number 6
Year of Publication: 2016
Authors: Nabeel Salih Ali, Abd Samad Shibghatullah
10.5120/ijca2016911424

Nabeel Salih Ali, Abd Samad Shibghatullah . Protection Web Applications using Real-Time Technique to Detect Structured Query Language Injection Attacks. International Journal of Computer Applications. 149, 6 ( Sep 2016), 26-32. DOI=10.5120/ijca2016911424

@article{ 10.5120/ijca2016911424,
author = { Nabeel Salih Ali, Abd Samad Shibghatullah },
title = { Protection Web Applications using Real-Time Technique to Detect Structured Query Language Injection Attacks },
journal = { International Journal of Computer Applications },
issue_date = { Sep 2016 },
volume = { 149 },
number = { 6 },
month = { Sep },
year = { 2016 },
issn = { 0975-8887 },
pages = { 26-32 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume149/number6/26002-2016911424/ },
doi = { 10.5120/ijca2016911424 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T23:54:01.033083+05:30
%A Nabeel Salih Ali
%A Abd Samad Shibghatullah
%T Protection Web Applications using Real-Time Technique to Detect Structured Query Language Injection Attacks
%J International Journal of Computer Applications
%@ 0975-8887
%V 149
%N 6
%P 26-32
%D 2016
%I Foundation of Computer Science (FCS), NY, USA
Abstract

At present, Web applications have been used for most of our life activities increasingly, and they affected by Structured Query Language Injection Attacks (SQLIAs). This attack is a method that attackers employ to impose the database in most of the web applications, by manipulate SQL queries, which sent to the Relational Database Management System (RDBMS). Hence, change the behavior of the applications. In This paper, developing Web Application SQLI Protector (WASP) tool in real-time web application to detect SQL injection attacks in stored procedures. Then, evaluated and analyze the developed tool respect to efficiency and effectiveness in practices. The propose technique uses real-time based on positive tainting, accurate and efficiency taint propagation, and syntax aware evaluation of the query strings at the application level to detect illegal queries before they reach at the database by using Microsoft ASP.NET. The developed tool effective due to it capable of detect and stop all SQLI attacks in real-time environment and did not generate any false negative, a few-false positive values in the results and impose minimal deploy requirements.

References
  1. R. Shrivastava, J. Bhattacharyji, and R. Soni, “Sql Injection Attacks In Database Using Web Service : Detection And Prevention – Review,” vol. 6, pp. 162–165, 2012.
  2. M.Prabakar, M.KarthiKeyan, and K. Marimuthu, “An Efficient Technique For Preventing Sql Injection Attack Using Pattern,” 2013 IEEE Int. Conf. Emerg. Trends Comput. Commun. Nanotechnol. (ICECCN 2013) AN, vol. 978–1–4673, no. Iceccn, pp. 503–506, 2013.
  3. W. G. J. Halfond, S. R. Choudhary, and A. Orso, “Improving penetration testing through static and dynamic analysis,” Softw. Testing, Verif. Reliab, vol. 21, no. 3, pp. 195–214, Sep. 2011.
  4. D. A. Kindy and A. K. Pathan, “A Detailed Survey on Various Aspects of SQL Injection in Web Applications : Vulnerabilities, Innovative Attacks, and Remedies,” pp. 1–13, 2012.
  5. N. S. Ali, A. S. Shibghatullah, and M. H. A. L. Attar, “Review Of The Defensive Approaches For Structured Query Language Injection,” vol. 76, no. 2, 2015.
  6. E. Athanasopoulos, A. Krithinakis, and E. P. Markatos, “An Architecture for Enforcing JavaScript Randomization in Web2. 0 Applications,” Springer-Verlag Berlin Heidelb. 2011, vol. M. Burmest, no. ISC 2010, LNCS 6531, pp. 203–209, 2011, pp. 203–209, 2011.
  7. A. K. Baranwal, “Approaches to detect SQL injection and XSS in web applications,” EECE 571B, TERM Surv. Pap. April 2012, no. April, 2012.
  8. S. Srivastava, “A Survey On : Attacks due to SQL injection and their prevention method for web application,” vol. 3, no. 1, pp. 3225–3228, 2012.
  9. OWASP Foundation. Top Ten Risks, 2013. [Online]. From:http://www.owasp.org/index.php/Top_10_2013_Top_10.[Accessed on 24 November 2013].
  10. P. Kumar and R. K. Pateriya, “A Survey on SQL Injection Attacks, Detection and Prevention Techniques,” no. July, 2012.
  11. D. R. Rani, B. S. Kumar, L. T. R. Rao, V. T. S. Jagadish, andM. Pradeep, “Web Security by Preventing SQL Injection Using Encryption in Stored Procedures,” vol. 3, no. 2, pp. 3689–3692, 2012.
  12. W. G. J. Halfond, J. Viegas, and A. Orso, “A Classification of SQL Injection Attacks and Countermeasures,” 2006.
  13. T. Abaas, A. S. Shibghatullah, R. Yusof, and A. Alaameri, “Importance and Significance of Information Sharing in,” Int. Symp. Res. Innov. Sustain. 2014, vol. 2014, no. October, pp. 1719–1725, 2014.
  14. J. Clarke and R. M. Alvarez, SQL Injection Attacks and Defense. 2009.
  15. K. Wei and M. Muthuprasanna, “Preventing SQL injection attacks in stored procedures,” Aust. Softw. Eng. Conf., p. 8 pp.–198, 2006.
  16. X. Lu, B. Peltsverger, S. Chen, G. Southwestern, K. Qian, and S. Polytechnic, “A Static Analysis Framework For Detecting SQL Injection Vulnerabilities,” pp. 1–8.
  17. W. G. J. Halfond, A. Orso, and I. C. Society, “WASP : Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation,” vol. 34, no. 1, pp. 65–81, 2008.
  18. K. Kemalis and T. Tzouramanis, “SQL-IDS : A Specification-based Approach for SQL-Injection Detection,” pp. 2153–2158, 2008.
  19. A. Kie, P. J. Guo, and M. D. Ernst, “Automatic Creation of SQL Injection and Cross-Site Scripting Attacks,” pp. 199–209, 2009.
  20. M. H. A. S. P. Medhane, “R-WASP : Real Time-Web Application SQL Injection Detector and Preventer,” no. 5, pp. 327–330, 2013.
Index Terms

Computer Science
Information Sciences

Keywords

Web applications SQL Injection Detection WASP Techniques