Issue No. 03, March 2013 (vol. 46), pp. 69-77
Lwin Khin Shar , Nanyang Technological University, Singapore
Hee Beng Kuan Tan , Nanyang Technological University, Singapore
ABSTRACT
The best strategy for combating SQL injection, which has emerged as the most widespread website security risk, calls for integrating defensive coding practices with both vulnerability detection and runtime attack prevention methods.
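The three ingredients the abstract names (defensive coding, vulnerability detection, runtime attack prevention) are easiest to see side by side in a small program. The following is an added example, not code from the paper or its authors: it builds a constructed in-memory sqlite3 table, shows a login query assembled by string concatenation being subverted, shows the same query written as a prepared statement, and finishes with a minimal runtime check in the spirit of syntax-aware evaluation (references 22 and 23 below): the query's token shape with literals abstracted away must match the shape of the developer's template, otherwise the query is refused. The table, the user names and passwords, and the function names are all assumptions made for the demonstration.

```python
"""Added example (not from the paper): SQL injection against string-built
queries, the parameterized fix, and a toy structure check at runtime."""
import re
import sqlite3


def make_db():
    # Constructed sample data for the demonstration: two users, plaintext
    # passwords only so the queries stay short (never do this in production).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    # Deliberately unsafe: user input is spliced into the SQL text, so a quote
    # in the input changes the statement's structure, not just its data.
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND pw = '" + pw + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, pw):
    # Defensive coding: a prepared statement binds the input as data; the
    # query structure is fixed before any user-controlled byte is seen.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


# Single-quoted string literals (with '' as the escaped quote), numbers,
# words, and single punctuation characters.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]")


def sql_shape(sql):
    """Token sequence of a query with every literal replaced by a placeholder.

    Two queries that differ only in literal values have the same shape;
    injected keywords, operators or stray quotes change it.
    """
    shape = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            shape.append("STR")
        elif tok[0].isdigit():
            shape.append("NUM")
        else:
            shape.append(tok.upper())   # SQL keywords are case-insensitive
    return shape


def login_guarded(conn, name, pw):
    # Runtime attack prevention (toy version): build the query the unsafe way,
    # but refuse to run it if its shape differs from the developer's template.
    template = "SELECT name FROM users WHERE name = '' AND pw = ''"
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND pw = '" + pw + "'")
    if sql_shape(sql) != sql_shape(template):
        raise ValueError("query structure altered by input: possible SQL injection")
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    print("vulnerable, honest login:", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, injected pw: ", login_vulnerable(db, "alice", attack))
    print("parameterized, injected: ", login_parameterized(db, "alice", attack))
    try:
        login_guarded(db, "alice", attack)
    except ValueError as exc:
        print("guarded, injected:        refused:", exc)
```

The injected password turns the predicate into `(name = 'alice' AND pw = '') OR '1'='1'`, which is true for every row, so the concatenated query returns all users while the prepared statement returns none. The shape check catches the same input because `OR`, an extra `=` and two extra string literals appear in the token sequence; it is a demonstration of the runtime-monitoring idea, not a substitute for parameterization, since the tokenizer knows nothing about comments, dialect-specific quoting or nested statements.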
INDEX TERMS
Database systems, Encoding, Computer security, Web sites, Network security, Internet, Risk management, SQL, Computer viruses, web application security, Databases, Security, Runtime, Manuals, Computers, Programming, SQL injection
CITATION
Lwin Khin Shar, Hee Beng Kuan Tan, "Defeating SQL Injection", Computer, vol.46, no. 3, pp. 69-77, March 2013, doi:10.1109/MC.2012.283
REFERENCES
1. C. Anley, “Advanced SQL Injection in SQL Server Applications,” white paper, Next Generation Security Software Ltd., 2002; www.thomascookegypt.com/holidays/pdfpkgs 931.pdf.
2. W.G.J. Halfond, J. Viegas, and A. Orso, “A Classification of SQL Injection Attacks and Countermeasures,” Proc. Int'l Symp. Secure Software Eng. (ISSSE 06), IEEE CS, 2006; www.cc.gatech.edu/fac/Alex.Orso/papers/halfond.viegas.orso.ISSSE06.pdf.
3. R.A. McClure and I.H. Krüger, “SQL DOM: Compile Time Checking of Dynamic SQL Statements,” Proc. 27th Int'l Conf. Software Eng. (ICSE 05), ACM, 2005, pp. 88-96.
4. S. Thomas, L. Williams, and T. Xie, “On Automated Prepared Statement Generation to Remove SQL Injection Vulnerabilities,” Information and Software Technology, Mar. 2009, pp. 589-598.
5. Y. Shin, L. Williams, and T. Xie, SQLUnitGen: Test Case Generation for SQL Injection Detection, tech. report TR 2006-21, Computer Science Dept., North Carolina State Univ., 2006.
6. H. Shahriar and M. Zulkernine, “MUSIC: Mutation-Based SQL Injection Vulnerability Checking,” Proc. 8th Int'l Conf. Quality Software (QSIC 08), IEEE CS, 2008, pp. 77-86.
7. J. Fonseca, M. Vieira, and H. Madeira, “Vulnerability & Attack Injection for Web Applications,” Proc. 39th Ann. IEEE/IFIP Int'l Conf. Dependable Systems and Networks (DSN 09), IEEE, 2009, pp. 93-102.
8. X. Fu and C.-C. Li, “A String Constraint Solver for Detecting Web Application Vulnerability,” Proc. 22nd Int'l Conf. Software Eng. and Knowledge Eng. (SEKE 10), Knowledge Systems Institute Graduate School, 2010, pp. 535-542.
9. A. Kiezun et al., “Automatic Creation of SQL Injection and Cross-Site Scripting Attacks,” Proc. 31st Int'l Conf. Software Eng. (ICSE 09), IEEE CS, 2009, pp. 199-209.
10. N. Alshahwan and M. Harman, “Automated Web Application Testing Using Search Based Software Engineering,” Proc. 26th IEEE/ACM Int'l Conf. Automated Software Eng. (ASE 11), IEEE, 2011, pp. 3-12.
11. K.J. Biba, Integrity Considerations for Secure Computing Systems, tech. report ESD-TR-76-372, Electronic Systems Division, US Air Force, 1977.
12. V.B. Livshits and M.S. Lam, “Finding Security Vulnerabilities in Java Programs with Static Analysis,” Proc. 14th Conf. Usenix Security Symp. (Usenix-SS 05), Usenix, 2005; http://suif.stanford.edu/papers/usenixsec05.pdf.
13. Y. Xie and A. Aiken, “Static Detection of Security Vulnerabilities in Scripting Languages,” Proc. 15th Conf. Usenix Security Symp. (Usenix-SS 06), Usenix, 2006; http://theory.stanford.edu/~aiken/publications/papers/usenix06.pdf.
14. G. Wassermann and Z. Su, “Sound and Precise Analysis of Web Applications for Injection Vulnerabilities,” Proc. ACM SIGPLAN Conf. Programming Language Design and Implementation (PLDI 07), ACM, 2007, pp. 32-41.
15. L.K. Shar and H.B.K. Tan, “Mining Input Sanitization Patterns for Predicting SQL Injection and Cross Site Scripting Vulnerabilities,” Proc. 34th Int'l Conf. Software Eng. (ICSE 12), IEEE, 2012, pp. 1293-1296.
16. S.W. Boyd and A.D. Keromytis, “SQLrand: Preventing SQL Injection Attacks,” Proc. 2nd Conf. Applied Cryptography and Network Security (ACNS 04), LNCS 3089, Springer, 2004, pp. 292-302.
17. K. Kemalis and T. Tzouramanis, “SQL-IDS: A Specification-Based Approach for SQL-Injection Detection,” Proc. ACM Symp. Applied Computing (SAC 08), ACM, 2008, pp. 2153-2158.
18. Y.-W. Huang et al., “Securing Web Application Code by Static Analysis and Runtime Protection,” Proc. 13th Int'l Conf. World Wide Web (WWW 04), ACM, 2004, pp. 40-52.
19. W.G.J. Halfond and A. Orso, “Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks,” Proc. 3rd Int'l Workshop Dynamic Analysis (WODA 05), ACM, 2005; www.cc.gatech.edu/~orso/papers/halfond.orso.WODA05.pdf.
20. K. Wei, M. Muthuprasanna, and S. Kothari, “Preventing SQL Injection Attacks in Stored Procedures,” Proc. Australian Software Eng. Conf. (ASWEC 06), IEEE CS, 2006, pp. 191-198.
21. P. Bisht, P. Madhusudan, and V.N. Venkatakrishnan, “CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks,” ACM Trans. Information and System Security, Feb. 2010; www.cs.illinois.edu/~madhu/tissec09.pdf.
22. Z. Su and G. Wassermann, “The Essence of Command Injection Attacks in Web Applications,” Proc. 33rd ACM SIGPLAN-SIGACT Symp. Principles of Programming Languages (POPL 06), ACM, 2006, pp. 372-382.
23. W. Halfond, A. Orso, and P. Manolios, “WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation,” IEEE Trans. Software Eng., Jan. 2008, pp. 65-81.
24. A. Liu et al., “SQLProb: A Proxy-Based Architecture towards Preventing SQL Injection Attacks,” Proc. 24th ACM Symp. Applied Computing (SAC 09), ACM, 2009, pp. 2054-2061.
25. M. Vieira, N. Antunes, and H. Madeira, “Using Web Security Scanners to Detect Vulnerabilities in Web Services,” Proc. 39th Ann. IEEE/IFIP Int'l Conf. Dependable Systems and Networks (DSN 09), IEEE, 2009, pp. 566-571.