Long Zhang,Donghong Zhang,Chenghong Wang,Jing Zhao,Zhenyu Zhang

DOI: https://doi.org/10.1109/TR.2019.2910285

IF: 5.883

2019-01-01

IEEE Transactions on Reliability

Abstract:SQL injection (SQLi) is one of the chief threats to the security of database-driven Web applications. It can cause serious security issues such as authentication bypassing, privacy leakage, and arbitrary code execution. Dynamic testing techniques are used in SQLi vulnerability discovery, which de-facto approach is to maintain a collection of elaborately designed user inputs (aka. attack payloads) and based on it to compose malicious SQL queries to Web applications. Such techniques are effective to reveal SQLi threats before an application is released, thus reducing the cost of manual analysis, monitoring or postdeployment of other defensive mechanisms. However, because of the diversity of SQLi attacks and the difficulty of SQLi discovery, the process to execute payloads can be costly, time-consuming, and even risky. In this paper, we approach from a test case prioritization perspective to give a more effective SQLi discovery proposal, which is based on adaptive random testing with the aim to successfully trigger an SQLi within limited attempts. To evaluate our method, we conduct an experiment using three extensively adopted open source vulnerable benchmarks. The experiment results indicate that our method ART4SQLi can effectively improve the conventional random testing approach on three common benchmarks by more than 26% in reducing the number of SQLi attempts before accomplishing a successful injection.

Muhammad Saidu Aliero,Imran Ghani,Kashif Naseer Qureshi,Mohd Fo’ad Rohani

DOI: https://doi.org/10.1007/s12652-019-01235-z

IF: 3.662

2019-02-07

Journal of Ambient Intelligence and Humanized Computing

Abstract:SQL Injection Attack (SQLIA) is one of the most severe attack that can be used against web database-driven applications. Attackers use SQLIA to obtain unauthorized access and perform unauthorized data modifications due to initial improper input validation by the web application developer. Various studies have shown that, on average, 64% of web applications worldwide are vulnerable to SQLIA due to improper input. To mitigate the devastating problem of SQLIA, this research proposes an automatic black box testing for SQL Injection Vulnerability (SQLIV). This acts to automate an SQLIV assessment in SQLIA. In addition, recent studies have shown that there is a need for improving the effectiveness of existing SQLIVS in order to reduce the cost of manual inspection of vulnerabilities and the risk of being attacked due to inaccurate false negative and false positive results. This research focuses on improving the effectiveness of SQLIVS by proposing an object-oriented approach in its development in order to help and minimize the incidence of false positive and false negative results, as well as to provide room for improving a proposed scanner by potential researchers. To test and validate the accuracy of research work, three vulnerable web applications were developed. Each possesses a different type of vulnerabilities and an experimental evaluation was used to validate the proposed scanner. In addition, an analytical evaluation is used to compare the proposed scanner with the existing academic scanners. The result of the experimental analysis shows significant improvement by achieving high accuracy compared to existing studies. Similarly, the analytical evaluations showed that the proposed scanner is capable of analyzing attacked page response using four different techniques.

computer science, information systems,telecommunications, artificial intelligence

Alex Zhu,Wei Qi Yan

DOI: https://doi.org/10.4018/ijdcf.2017100106

2017-01-01

International Journal of Digital Crime and Forensics

Abstract:SQLIA is adopted to attack websites with and without confidential information. Hackers utilized the compromised website as intermediate proxy to attack others for avoiding being committed of cyber-criminal and also enlarging the scale of Distributed Denial of Service Attack DDoS. The DDoS is that hackers maliciously turn down a website and make network resources unavailable to web users. It is extremely difficult to effectively detect and prevent SQLIA because hackers adopt various evading SQLIA Intrusion Detection System techniques. Victims may not be even aware of that their confidential data has been compromised for a long time. In this paper, our contribution is that we evaluate several most popular open source SQLIA tools and SQLIA prevention tools with both qualitative and quantitative assessments.

ZHOU Jing-Li,WANG Xiao-Feng,YU Sheng-Sheng,XIA Hong-Tao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2006.11.019

2006-01-01

Computer Science

Abstract:SQL injection, which is a popular and easy to carry out method of remote attacks, poses a major thread to application level security. In this paper, we introduce Pre-analysis of SQL syntax, a fire-new policy to detect and prevent SQL injection attacks. First, all SQL injection attacks are categorized into some classes and for each class a specified syntagma is abstracted and recorded. Then, the user input is picked up and embedded into prepared SQL sentences. Finally, these embedded SQL sentences are syntactically checked. Any find of underlying syntagma recorded as SQL injection tells a SQL injection attack. The implementation of new policy needs neither modification to Web program codes nor any patch to software of server platform. Experiments prove that new policy provides close to perfect detection rate and avoids the conflict between low false positive rate and low false negative rate.

Bing Zhang,Rong Ren,Jia Liu,Mingcai Jiang,Jiadong Ren,Jingyue Li

DOI: https://doi.org/10.1109/tse.2024.3400404

IF: 7.4

2024-07-19

IEEE Transactions on Software Engineering

Abstract:Due to well-hidden and stage-triggered properties of second-order SQL injections in web applications, current approaches are ineffective in addressing them and still report high false negatives and false positives. To reduce false results, we propose a Proxy-based static analysis and dynamic execution mechanism towards detecting, locating and preventing second-order SQL injections (SQLPsdem). The static analysis first locates SQL statements in web applications and identifies all data sources and injection points (e.g., Post, Sessions, Database, File names) that injection attacks can exploit. After that, we reconstruct the SQL statements and use attack engines to jointly generate attacks to cover all the state-of-the-art attack patterns so as to exploit these applications. We then use proxy-based dynamic execution to capture the data transmitted between web applications and their databases. The data are the reconstructed SQL statements with variable values from the attack payloads. If a web application is vulnerable, the data will contain malicious attacks on the database. We match the data with rules formulated by attack patterns to detect first and second-order SQL injection vulnerabilities in web applications, particularly the second-order ones. We use a representative and complete coverage of attack patterns and precise matching rules to reduce false results. By escaping and truncating malicious payloads in the data transmitted from the web application to the database, we can eliminate the possible negative impact of the data on the database. In the evaluation, by generating 52,771 SQL injection attacks using four attack generators, SQLPsdem successfully detects 26 second-order (including 13 newly discovered ones) and 375 first-order SQL injection vulnerabilities in 12 open-source web applications. SQLPsdem can also 100% eliminate the malicious impact of the data with negligible overhead.

engineering, electrical & electronic,computer science, software engineering

DING Xiang,QIU Yin,ZHENG Tao

DOI: https://doi.org/10.3969/j.issn.1000.3842.2011.11.052

2011-01-01

Abstract:The wide-spread use of PHP in Web application development makes PHP Web application become the target of many malicious attackers.On the basis of this,through the modification of PHP interpreter and runtime libraries,the PHP Web applications can prevent SQL injection attack without the modification of the original applications.Different from traditional preventing method based on dynamic tainting,this paper uses the tainting mechanism based on trusted input tainting and SQL dialect-aware check method,solves many existing problems of traditional preventing methods.As a result,this method improves the preciseness of traditional preventing method,without any false positives.Experimental result shows that the method is precise and highly efficient,has little overhead for the PHP Web applications.

Yonghee Shin,L. Williams,Tao Xie

2006-01-01

Abstract:More than half of all of the vulnerabilities reported can be classified as input manipulation, such as SQL injection, cross site scripting, and buffer overflows. Increasingly, automated static analysis tools are being used to identify input manipulation vulnerabilities. However, these tools cannot detect the presence or the effectiveness of black or white list input filters and, therefore, may have a high false positive rate. Our research objective is to facilitate the identification of true input manipulation vulnerabilities via the combination of static analysis, runtime detection, and automatic testing. We propose an approach for SQL injection vulnerability detection, automated by a prototype tool SQLUnitGen. We performed case studies on two small web applications for the evaluation of our approach compared to static analysis for identifying true SQL injection vulnerabilities. In our case study, SQLUnitGen had no false positives, but had a small number of false negatives while the static analysis tool had a false positive for every vulnerability that was actually protected by a white or black list. Future work will focus on removing false negatives from SQLUnitGen and at generalizing the approach for other types of input manipulation vulnerabilities.

Bernhard Garn,Jovan Zivanovic,Manuel Leithner,Dimitris E. Simos

DOI: https://doi.org/10.1002/stvr.1826

2022-07-04

Software Testing Verification and Reliability

Abstract:This work presents a gray‐box combinatorial security testing methodology for detecting SQL injection vulnerabilities in web applications. New attack grammars modelling SQL injections are proposed. This combinatorial security testing approach performs equally well or better when compared to existing state‐of‐the‐art SQL injection security testing tools. Summary This work presents an extended and enhanced gray‐box combinatorial security testing methodology for SQL injection vulnerabilities in web applications. We propose multiple new attack grammars modelling SQLi attacks against MySQL‐compatible databases, each one targeting a different injection context. Additionally, these grammars are also dynamically refined at the beginning of each attack against an endpoint of a web application, as a further optimization of the used attack model by taking into account the specifics of the generated query of that endpoint. Our goal is to enhance existing combinatorial approaches for detecting SQL injection vulnerabilities. The newly developed methodology is implemented in a prototype security testing tool called SQLInjector+, which is an extension of an earlier prototype developed by us in prior work. This improved tool can attack (i.e. test) any web application that uses a MySQL‐compatible database management system. We evaluate our revised approach and improved prototype tool in a case study comprising of different kinds of web applications to which SQLi is a potential security threat. The case study contains the well‐known verification framework WAVSEP among other five real‐world web applications and one web application firewall. Our generated attack vectors, constructed via combinatorial methods applied to our improved and dynamically optimized attack grammars, are capable of injecting every known vulnerable endpoint in WAVSEP and also of finding new vulnerable parameters in some of the real‐world applications investigated in this paper. Our approach performs equally well or better when compared with existing state‐of‐art of SQL injection security testing tools (sqlmap, w3af, wapiti and fuzzdb) across all tested web applications in the case study.

computer science, software engineering

Muhammad Saidu Aliero,Kashif Naseer Qureshi,Muhammad Fermi Pasha,Awais Ahmad,Gwanggil Jeon

DOI: https://doi.org/10.1002/cpe.5936

2020-07-22

Concurrency and Computation: Practice and Experience

Abstract:<p>Structure Query Language Injection Attack is among the top 10‐security threats that can be used on the web application to cause severe damage or gain unauthorized data access to the application server. Many reports have indicated an average of 64% of global websites are at risk of being attack by SQL injection, and many of the top companies have experienced thousands of attacks attempts through SQL injection. The current trend shows the increasing number of attacks factor as a result of the daily deployment of these applications without security detection and prevention mechanism is placed. To overcome this challenge, researches in academia and industry presented a proposal that automates SQL injection vulnerabilities assessment on the tested application. Current studies show the need to enhance techniques of these proposals to reduce the false alarms. In this study, we propose a component‐based technique to minimize the incidence of inaccurate results, as well as enable the ease of improving the proposed solution. The study uses three costumed applications as tested to evaluate the accuracy of the proposed solution. Each of these testbed consists of several vulnerabilities where the experimental evaluation performs to test the proposed tool. An empirical evaluation is carried out on three vulnerable custom websites to evaluate the effectiveness of the proposed study. The experiment results indicated significant results in terms of high accuracy. On the other hand, the proposed solution also has better capabilities to analyze page response based on four different techniques. Moreover, the proposed solution is the only solution that performs stored procedure attacks SQL and bypass login authentication even if the returned records are limited restriction is applied.</p>

Jianjun Yang

2012-01-01

Abstract:Programmers fail to judge the legitimacy of the user input data when they write code.In that case,the user can submit a database query code,according to the results of the program returns to get some data he would like to know.This paper introduces the principle and SQL injection vulnerability checking methods,attempts at source level on the SQL injection principle and scanning method for deep analysis,puts forward two kinds of SQL injection prevention solution.

Haiyan Wu,Guozhu Gao,Chunyu Miao

DOI: https://doi.org/10.1109/ICCSNT.2011.6182115

2012-01-01

Abstract:SQL injection, known as a popular attack against web applications, has become a serious security risk. However, traditional penetration test methods are insufficient to test SQL injection vulnerabilities (SQLIVs) in web applications. This paper presents a new test method called SMART, which automatically tests SQLIVs in web applications. SMART analyzes the SQL queries generated by web applications and uses a structure matching validation mechanism to determine whether SQLIVs exist. Comprehensive experiments show that SMART is effective in finding SQLIVs. Testing the web applications with SMART, the security against SQL injection can be greatly improved.

George S. Oreku

DOI: https://doi.org/10.9734/ajrcos/2022/v14i4304

2022-12-17

Asian Journal of Research in Computer Science

Abstract:SQL injection attack is one of the most serious security vulnerabilities in many Databases Managements systems. Most of these vulnerabilities are caused by lack of input validation and SQL parameters used particularity at this time of technology revolution. The results of a SQL injection attack (SQLIA) are unpleasant because the attacker could wipe the entire contents of the victim's database or shut it down. As such, SQLIA can be used as important weapons in cyber warfare. As an attempt of breaching of number of application data bases systems two SQL injection techniques were used to successful locating vulnerable points during this research which are Blind Text Injection Differential and Error based Exploitation. The motivations behind were to find out where the databases systems are most likely to face an attack and proactively shore up those weaknesses before exploitation by hackers. The success of both techniques is a result of poor web server (online database server) design especially in the selection of error messages (or answers) they display to website users if something goes wrong. The approach through examination of error messages (error codes) did enable to precisely know the backend Database Management System (DBMS) type and version and what exactly are parameters (variables) which can allow “illegally” injecting codes (a SQL query). Additionally, the paper presents SQLIA cases and their impact in Tanzania cyber space as well as it suggests the possible mitigation ways while reflecting the collected data with what currently existing in cyberworld as far as SQL injection attack is concern to present the reality.

Yonghee Shin,Laurie Williams,Tao Xie

2006-01-01

Abstract:This paper proposes an approach to facilitate the identification of actual input manipulation vulnerabilities via automated testing based on static analysis. We implemented a prototype of a SQL injection vulnerability detection tool, SQLUnitGen, which we compared to a static analysis tool, FindBugs. The evaluation results show that our approach can be used to locate precise vulnerable locations of source code and help to identify false positives that are caused by static analysis tools.

Federico De Meo,Marco Rocchetto,Luca Viganò

DOI: https://doi.org/10.48550/arXiv.1605.00358

2016-08-10

Abstract:We present a formal approach that exploits attacks related to SQL Injection (SQLi) searching for security flaws in a web application. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.

Cryptography and Security

Zhenqing Qu,Xiang Ling,Ting Wang,Xiang Chen,Shouling Ji,Chunming Wu

DOI: https://doi.org/10.1109/TIFS.2024.3350911

2024-01-09

Abstract:As the first defensive layer that attacks would hit, the web application firewall (WAF) plays an indispensable role in defending against malicious web attacks like SQL injection (SQLi). With the development of cloud computing, WAF-as-a-service, as one kind of Security-as-a-service, has been proposed to facilitate the deployment, configuration, and update of WAFs in the cloud. Despite its tremendous popularity, the security vulnerabilities of WAF-as-a-service are still largely unknown, which is highly concerning given its massive usage. In this paper, we propose a general and extendable attack framework, namely AdvSQLi, in which a minimal series of transformations are performed on the hierarchical tree representation of the original SQLi payload, such that the generated SQLi payloads can not only bypass WAF-as-a-service under black-box settings but also keep the same functionality and maliciousness as the original payload. With AdvSQLi, we make it feasible to inspect and understand the security vulnerabilities of WAFs automatically, helping vendors make products more secure. To evaluate the attack effectiveness and efficiency of AdvSQLi, we first employ two public datasets to generate adversarial SQLi payloads, leading to a maximum attack success rate of 100% against state-of-the-art ML-based SQLi detectors. Furthermore, to demonstrate the immediate security threats caused by AdvSQLi, we evaluate the attack effectiveness against 7 WAF-as-a-service solutions from mainstream vendors and find all of them are vulnerable to AdvSQLi. For instance, AdvSQLi achieves an attack success rate of over 79% against the F5 WAF. Through in-depth analysis of the evaluation results, we further condense out several general yet severe flaws of these vendors that cannot be easily patched.

Cryptography and Security

Xin Liu,Yuanyuan Huang,Tianyi Wang,Song Li,Weina Niu,Jun Shen,Qingguo Zhou,Xiaokang Zhou

DOI: https://doi.org/10.1145/3698038.3698569

2024-01-01

Abstract:SQL injection is a significant and persistent threat to web services. Most existing protections against SQL injections rely on traffic-level anomaly detection, which often results in high false-positive rates and can be easily bypassed by attackers. This paper introduces SQLStateGuard, the world's first middleware-driven statement-level SQL injection defense approach, to address these issues. The SQLStateGuard uses a custom SQL middleware based on the idea of Runtime Application Self-Protection to capture raw SQL statements. These statements are then analyzed by SQLSG-Net, a database-oriented detection network based on gated linear units. If SQLSG-Net detects malicious SQL statements, the SQL middleware will block them. Experiments show that the detection accuracy of SQLStateGuard exceeds 99%, outperforming existing approaches, and it can identify the type of a specific SQL injection. Additionally, SQLStateGuard has no fingerprint and does not respond to SQL syntax errors, making it more challenging for attackers to gather information. This paper also presents a novel dataset generation process for SQLStateGuard and shares two statement-level SQL injection datasets with the research community, including over 145,000 malicious SQL statements categorized by the type of SQL injection.

Asish Kumar Dalai,Sanjay Kumar Jena

DOI: https://doi.org/10.1155/2017/3825373

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Reports on web application security risks show that SQL injection is the top most vulnerability. The journey of static to dynamic web pages leads to the use of database in web applications. Due to the lack of secure coding techniques, SQL injection vulnerability prevails in a large set of web applications. A successful SQL injection attack imposes a serious threat to the database, web application, and the entire web server. In this article, the authors have proposed a novel method for prevention of SQL injection attack. The classification of SQL injection attacks has been done based on the methods used to exploit this vulnerability. The proposed method proves to be efficient in the context of its ability to prevent all types of SQL injection attacks. Some popular SQL injection attack tools and web application security datasets have been used to validate the model. The results obtained are promising with a high accuracy rate for detection of SQL injection attack.

computer science, information systems,telecommunications

Haibin Hu

DOI: https://doi.org/10.1063/1.4982570

2017-01-01

AIP Conference Proceedings

Abstract:Among numerous WEB security issues, SQL injection is the most notable and dangerous. In this study, characteristics and procedures of SQL injection are analyzed, and the method for detecting the SQL injection attack is illustrated. The defense resistance and remedy model of SQL injection attack is established from the perspective of non-intrusive SQL injection attack and defense. Moreover, the ability of resisting the SQL injection attack of the server has been comprehensively improved through the security strategies on operation system, IIS and database, etc.. Corresponding codes are realized. The method is well applied in the actual projects.

Juanjuan Zhao,Changhua Liu

DOI: https://doi.org/10.1088/1742-6596/1575/1/012094

2020-06-01

Journal of Physics: Conference Series

Abstract:Abstract According to the “Top Ten Security Vulnerabilities List” (OWASPTop 10) released by OWASP in 2017, SQL injection attacks are still at the top of the list, and there are many ways of SQL injection attacks, which cause great harm. Although there are many vulnerability scanning tools, there is still a high rate of false negatives. Aiming at the current problems of SQL injection vulnerability detection, this paper proposes a scanning tool for SQL injection vulnerabilities. First, use the crawler framework scrapy to obtain the URL associated with the form and the a tag, and segment the URL based on the improved simhash algorithm. Deduplicate the link, then analyze the injection point to modify the URL parameter value injection test, and determine whether there is a vulnerability based on the response result of the server. The experimental results show that the detection method achieves a 96.50% URL deduplication rate in the crawler module, which greatly reduces the rate of false negatives. It is more suitable for detecting whether a website has a SQL injection vulnerability.