Security and Communication Networks
Volume 2017, Article ID 3825373, 12 pages
https://doi.org/10.1155/2017/3825373
Research Article

Neutralizing SQL Injection Attack Using Server Side Code Modification in Web Applications

Department of Computer Science and Engineering, National Institute of Technology Rourkela, Odisha 769 008, India

Correspondence should be addressed to Asish Kumar Dalai; dalai.asish@gmail.com

Received 6 July 2016; Revised 23 September 2016; Accepted 17 October 2016; Published 16 February 2017

Academic Editor: Kim-Kwang R. Choo

Copyright © 2017 Asish Kumar Dalai and Sanjay Kumar Jena. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
