International Journal of Advancements in Research & Technology, Volume 3, Issue 1, January-2014
ISSN 2278-7763
An Overview to SQL Injection Attacks and its
Countermeasures.
in database centric web applications [Elia et
al., 2010] because this type of attack can
Vishwajit S. Patil
comprise confidentiality and integrity of
Department of CSE
information in database [Tajpour A et al.,
P.R.M.C.E.A.M Bandera, Amravati
vishwajit55@gmail.com
Dr. G. R. Bamnote
Professor & Head,
Department of CSE
P.R.M.I.T.& R. Bandera, Amravati
2010].
Keyword: web application attacks, XSS,
CSRF, SQLIA, and SQLIV.
Literature survey of SQL injection
grbamnote@rediffmail.com
Abstract:
22
Web
applications are those
applications which run in web browser.
These applications are accept some data and
send it to database for further processing.
SQL injection is the attacks related
to backend database results in unauthorized
acess to private or confidential information
stored [Kiani M et al., 2008]. Also attacker
intrudes to the web application data base to
IJOART
There are number of attacks on web
acess the data [Tajpour & JorJor Zade,
application like cross site scripting, cross
2010].
site request forgery but SQL injection
vulnerability ( SQLIV) through successful
attacks are the most prominent. Number of
attacks might results in authentication
papers in literature has been projected ways
bypassing, leaking of private information etc
to avoid SQL injection attacks by examining
[Shahriar, H & Zulkernine, M]. SQL
dynamic SQL query semantics at runtime in
injection attacks are very harmful as they
the application layer. This paper contains the
targets interactive web application that
study
employs
of
SQLIA
and
its prevention
Exploitation of
database
SQL
injection
[Wei
services.
&
techniques. SQL injection attacks on web
Muthuprasanna, 2006]. The SQL injection
application have become one of the most
attacks allow an attacker to access the
important information security concerns
underlying
database,
[Pinzo’n C et al., 2010]. These SQL
commands
at
injection attacks are extremely widespread
dynamically generated output [Kosuga et
and posses a serius security threat [Khoury
al., 2007].
et al., 2011]. In today’ s world SQL injection
I f web application containing vulnerability
is one of the most dangerous security threats
can allows malicious users to obtain
Copyright © 2014 SciResPub.
intent
execute
and
arbitrary
receive
a
IJOART
International Journal of Advancements in Research & Technology, Volume 3, Issue 1, January-2014
ISSN 2278-7763
and
black box testing is used. According to
information.This mechanism
author sql injection is the most critical web
unrestricted
confidential
23
access
to
private
used by hackers to steal
data from
application
vulnerability.
Author
also
organization. It allows a hacker to gain
mentioned that black box scanners are
control over the database of an application
having some weaknesses. It is not good
and consequently hackers may be able to
enough to identify vulnerable program that
alter data [Shanmughaneethi et al., 2009].
An attacker can inject in the original SQL
query and obtain, change or view data.
An overview of prevention techniques.
1. AIIDA- SQL
browses world wide web in a methodical,
automated manner called as web crawling ,
user login etc. the black box testing tool had
poor
detection
rate
so
that
author
proposed a set of recommendation that
could enhance the rate of detection
[Khoury et al., 2011].
IJOART
This prevention techniques works against
SQL injection attacks and proposed by the
author. They mentioned that SQL injection
attacks are the most critical attacks from
the web application. The techniques against
SQLIA called Adaptive Intelligent Intrusion
Detector Agent (AIIDA- SQL) According to
author; the experimental results using this
technique are good in real practice [Pinzo’n
C et al., 2010].
3. Augmented attack tree modeling
SQL injection attacks are classified into
seven types [J. Viegas et al.,2006]
a. Tautologies
b. Legal/Logical Incorrect queries
c. UNION query
d. Piggy – Backed Queries
e. Stored procedures
f. Inference and alternate encoding
There are two types of attack tree modeling
2. Black Box Web Application Security
Scanner
Standards security features are not enough
to protect web application form hacking,
threats, SQL injection, XSS, CSRF and hence
Copyright © 2014 SciResPub.
[Jie Wang et al., 2010]
i.
Conventional Attack trees
ii.
Augmented Attack tree
These attack tree model not only applicable
to SQLIA but also Cross Site Request Forgery
IJOART
International Journal of Advancements in Research & Technology, Volume 3, Issue 1, January-2014
ISSN 2278-7763
24
Attacks (CSRF). The method presented by
The author used anomaly based approach
author is generic and hence it can be
to detect SQL injection attacks and it is
applicable to other kinds of web based
superior to existing model which works
attacks.
against SQLIV [Kiani M et al., 2008]. VIPER
4. Automated fix generator
tool
for
penetration
[Angelo
testing
SQL injection is example of taint based
Ciampa] .
vulnerability that has been responsible for a
According to authors, they have suggested a
large number of security failure to perform
tool called VIPER to perform penetration
some promised act or obligation in recent
testing of web applications. This tool relies
years. Untrusted data from the user is
on a knowledge base of heuristics that
tracked when it flows unsafely into a
guides the generation of the SQL queries.
security
This tool first identifies the hyperlink
critical
operation
and
hence
vulnerability is flagged. In SQL injection the
structure and its input form.
IJOART
user can add some additional conditions or
5. Hidden web crawling [Xin et al.,
commands to a database query, thus
2010].
allowing the user to bypass authentication
prominent issues in today’s World
or alter data. Automated fix generator
Wide
detects and fix sql queries that contains SQL
vulnerability scanners are available
injection vulnerability (SQLIV). For testing
but they are unable to fulfill the
purpose author used phpBB v2.0 [Dysart &
requirements. Author proposed a
Sherriff, 2008]. Anomaly Based Character
mechanism based on hidden web
Distribution Models
crawling to achieve the goal. The
The anomaly detection process uses a
authors also compare their tool with
number of different models to identify
other
anomalous state for each basic block of a
tested on the public web sites. The
web application. A model is a set of
results show that the proposed tool
procedure used to evaluate a certain
is good over the traditional web
features of a state variable associated with
scanners.
SQLIV
Web.
are
Many
traditional
the
most
traditional
scanners
and
the block.
Copyright © 2014 SciResPub.
IJOART
International Journal of Advancements in Research & Technology, Volume 3, Issue 1, January-2014
ISSN 2278-7763
6. High interaction Honeypot System
[Jiao Ma et al., 2011]
25
Vulnerability checking proposed by the
author which is good enough to protects
Honeypots are a very original approach to
such types of attacks which is not address
computer security. The honeypot are
by the existing testing approaches. The
classified in two categories
discovered vulnerabilities can be fixed and
a. Low interaction : fake services
the losses incurred by end user can be
b. High interaction : complete access
prevented.
Here authors proposed a high interaction
honeypot system against SQLIV. They used
two approaches.
stored procedures
This prevention mechanism proposed
a. Modifying PHP extension for mysql
to intercept data based request
b. Adopting
8. Preventing SQL injection attacks in
exception
based
by the authors. According to authors
stored procedures acts as a medication
and
against SQL injection attacks. A stored
detection
procedure is nothing but a subroutine
IJOART
signature
based
techniques.
available to application that accesses a
The results show that this system is very
relational
efficient against SQLIV.
techniques proposed in this paper by
7. MUSIC
database
system.
The
author to eliminate the occurrence of
Many vulnerability are discovered after the
such attacks are a permutation of static
deployment of software implementation
application code analysis with runtime
such as buffer overflows, sql injection and
validation
format string bug are the most commonly
Conclusion
occurring
software
9. SQL injection is most powerful and
implementation [Shahriar, H & Zulkernine,
easiest attack method on web
M].
service
application [Pinzo’n C et al., 2010].
exploitation alone cost more than 26 million
The effects of these attacks may
dollar in financial losses to business
turn into loss of private and vital
organization [L. Gordon et al., 2004].
information. From this paper we
MUSIC –mutation based SQL injection
have studied that different authors
In
security
2004
the
flaws
denial
Copyright © 2014 SciResPub.
in
of
IJOART
International Journal of Advancements in Research & Technology, Volume 3, Issue 1, January-2014
ISSN 2278-7763
proposed
a
number
of
26
Injection Detection
Tools
Using
countermeasures against SQLIV and
Attack Injection: An Experimental
SQLIA. The VIPER tools performs the
Study,"
penetration testing[Angelo et al.] by
Engineering (ISSRE), 2010 IEEE 21st
using SQL injection AIIDA-SQL tool,
International Symposium on, vol.,
black box scanners, augmented
no., pp.289-298, 1-4
attack tree modeling, automated fix
[J. Viegas et al., 2006] J. Viegas, W.
generator, hidden web crawling etc.
Halfond,
From this paper we can conclude
Classification
that several solutions are exists to
Attacks and Countermeasures. In
prevent SQL injection attacks but no
International Symposium on Secure
concrete solution is presents.
Software Engineering, 2006.
References
[Jiao Ma et al., 2011] Jiao Ma; Kun
[Angelo et al.] Angelo Ciampa,
Chai; Yao Xiao; Tian Lan; Wei Huang;
Corrado
, "High-Interaction Honeypot System
Software
and
A.
of
IJOART
Aaron
Visaggio,
Reliability
Orso.
A
SQL-Injection
Massimiliano Di Penta :”A heuristic-
for
based approach for detecting SQL-
Information Technology, Computer
injection
Engineering
vulnerabilities
in
Web
SQL
Injection
and
Analysis,"
Management
applications”.
Sciences (ICM), 2011 International
[Dysart & Sherriff, 2008] Dysart, F.;
Conference on , vol.3, no., pp.274-
Sherriff, M.; , "Automated Fix
277, 24-25 Sept. 2011
Generator
for
Injection
[Jie Wang et al., 2010] Jie Wang;
Attacks,"
Software
Reliability
Phan, R.C.-W.; Whitley, J.N.; Parish,
Engineering, 2008. ISSRE 2008. 19th
D.J.; , "Augmented attack tree
International Symposium on, vol.,
modeling of SQL injection attacks,"
no., pp.311-312, 10-14 Nov. 2008
Information
SQL
Management
and
Engineering (ICIME), 2010 The 2nd
[Elia et al., 2010] Elia, I.A.; Fonseca,
IEEE International Conference on ,
J.; Vieira, M.; "Comparing SQL
Copyright © 2014 SciResPub.
IJOART
International Journal of Advancements in Research & Technology, Volume 3, Issue 1, January-2014
ISSN 2278-7763
27
vol., no., pp.182-186, 16-18 April
Automated Testing
2010
Injection,"
[Khoury et al., 2011] Khoury, N.;
Applications
Zavarsky, P.; Lindskog, D.; Ruhl, R.; ,
ACSAC 2007. Twenty-Third Annual ,
"An Analysis of Black-Box Web
vol., no., pp.107-117, 10-14 Dec.
Application
2007
against
Security
Stored
SQL
Scanners
Injection,"
against
Computer
SQL
Security
Conference,
2007.
[L. Gordon et al., 2004] L. Gordon,
Privacy,
M. Loeb, W. Lucyshyn, and R.
security, risk and trust (passat), 2011
Richardson.,
ieee third international conference
computer
on and 2011 ieee third international
survey”, Technical Report RL32331,
conference on social computing
C.S.I. Computer
(socialcom) , vol., no., pp.1095-1101,
Security Institute, 2004. Accessed
9-11 Oct. 2011
from
[Kiani M et al., 2008] Kiani, M.;
www.theiia.org/iia/download.cfm?fi
Clark, A.; Mohay, G.; , "Evaluation of
le=9732 (January 2008).
Anomaly
Character
[Pinzo’n C et al., 2010] Pinzo´n, C.;
Distribution Models in the Detection
De Paz, J.F.; Bajo, J.; Herrero, A.;
of
Corchado, E.; , "AIIDA-SQL: An
“Ninth
crime
CSI/FBI
and
security
IJOART
SQL
Based
Injection
Attacks,"
Availability,
Adaptive
Reliability and Security, 2008. ARES
Detector Agent for detecting SQL
08. Third International Conference
Injection
on , vol., no., pp.47-55, 4-7 March
attacks," Hybrid Intelligent Systems
2008
(HIS),
Intelligent
2010
10th
Intrusion
International
Conference on , vol., no., pp.73-78,
[Kosuga et al., 2007] Kosuga, Y.;
23-25 Aug. 2010
Kernel, K.; Hanaoka, M.; Hishiyama,
[Shahriar, H & Zulkernine, M]
M.;
"Sania:
Shahriar,
Syntactic and Semantic Analysis for
"MUSIC:
Takahama,
Yu.;
Copyright © 2014 SciResPub.
,
H.;
Zulkernine, M.;
Mutation-based
,
SQL
IJOART
International Journal of Advancements in Research & Technology, Volume 3, Issue 1, January-2014
ISSN 2278-7763
28
Injection Vulnerability Checking,"
Intelligence,
Quality Software, 2008. QSIC '08.
Systems and Networks (CICSyN),
The Eighth International Conference
2010
on , vol., no., pp.77-86, 12-13 Aug.
Conference on , vol., no., pp.216-
2008
221, 28-30 July 2010
[Shanmughaneethi et al., 2009]
[Wei & Muthuprasanna, 2006] Wei,
Shanmughaneethi,
K.;
S.V.;
Shyni,
Communication
Second
Muthuprasanna,
International
M.;
Suraj
S.C.E.; Swamynathan, S.; , "SBSQLID:
Kothari; , "Preventing SQL injection
Securing Web Applications with
attacks
Service
Injection
Software Engineering Conference,
Detection," Advances in Computing,
2006. Australian, vol., no., pp. 8 pp.,
Control,
Telecommunication
18-21 April 2006
2009.
'09.
[Xin et al., 2010 ] Xin Wang; Luhua
International Conference on, vol.,
Wang; Gengyu Wei; Dongmei Zhang;
no., pp.702-704, 28-29 Dec. 2009
Yixian Yang; , "Hidden web crawling
Based
&
Technologies,
SQL
ACT
in
stored
IJOART
for
SQL
injection
procedures,"
detection,"
[Tajpour A et al., 2010] Tajpour, A.;
Broadband Network and Multimedia
Massrum, M.; Heydari, M.Z.; ,
Technology (IC-BNMT), 2010 3rd
"Comparison
of
IEEE International Conference on ,
detection
and
SQL
injection
prevention
vol., no., pp.14-18, 26-28 Oct. 2010
techniques," Education Technology
and Computer (ICETC), 2010 2nd
International Conference on , vol.5,
no., pp.V5-174-V5-179, 22-24 June
2010[Tajpour & JorJor Zade, 2010]
Tajpour, A.; JorJor Zade Shooshtari,
M.; , "Evaluation of SQL Injection
Detection
and
Techniques,"
Copyright © 2014 SciResPub.
Prevention
Computational
IJOART