• Tidak ada hasil yang ditemukan

SQL Injection Attack Mechanisms and Prevention Techniques

N/A
N/A
Info
Unduh - Bebas
Protected

Academic year: 2024

Membagikan "SQL Injection Attack Mechanisms and Prevention Techniques"

Copied!
2
0
0

Memuat.... (Lihat teks lengkap sekarang)

Unduh sekarang ( 2 Halaman )

Teks penuh

(1)

P.S. Thilagam et al. (Eds.): ADCONS 2011, LNCS 7135, pp. 524–533, 2012.

© Springer-Verlag Berlin Heidelberg 2012

SQL Injection Attack Mechanisms and Prevention Techniques

Roshni Chandrashekhar, Manoj Mardithaya, Santhi Thilagam, and Dipankar Saha

Computer Engineering Department

National Institute of Technology Karnataka, Surathkal, India - 575 025 [email protected], [email protected], [email protected], [email protected]

Abstract. SQL Injection Attacks have been around for over a decade and yet most web applications being deployed today are vulnerable to it. The bottom line is that the web has made it easy for new developers to develop web applications without concerning themselves with the security flaws, and that SQL Injection is thought to be a simple problem with a very simple remedy. To truly bring security to the masses, we propose a classification that not only enumerates but also categorizes the various attack methodologies, and also the testing frameworks and prevention mechanisms. We intend our classification to help understand the state of the art on both sides of the fields to lay the groundwork for all future work in this area.

Keywords: SQL injection.

1 Introduction

SQL injection is a method of hacking in which malformed SQL queries are produced through unsanitized user-input. Though an application can easily prevent SQL injection by validating input, too many avenues for data exchange exist in the current web model and the modes of SQL injection vary broadly. In 2002, the Computer Security Institute and the Federal Bureau of Investigation (United States) conducted a survey that discovered that 60% of online databases are subject to security breaches each year [1]. In particular, SQL Injection attacks have featured at the top of OWASPs (Open Web Application Security Project).

Top Ten Most Critical Web Application Security Risks in both 2007 and 2010 [2].

The first in-depth paper documenting SQL Injection methods was published in January 2002, and new methods and prevention techniques have been proposed every year since [3]. Each new research paper contributes a small treatise towards a literature survey, but no significant classification attempts were made until Halfond, Viegas and Orso [4]. While this paper classifies various attack types by injection mechanism, intent of the attacker and the type, it leaves a classification of evasion techniques out. The classification it does make are also very loosely typed and it does not follow a strict structure of categorization. San-Tsai Sun, Ting Han Wei, Stephen Liu, and Sheung Lau try to address this issue by proposing a more concrete classification model that is mutually exclusive and unambiguous [5]. However, its classification methods of SQL injection are based on Threat Modeling, addressing the

(2)

SQL Injection Attack Mechanisms and Prevention Techniques 525

larger issue of where and how SQL injection correlates with security systems at large.

But its classification of different Attack, Evasion and Countermeasure Techniques are very insufficient, and does not address the various research proposals that have been made. A final consideration is that no significant literature survey has been done in the last three years. To that end, we propose a classification method for SQL Injection Attacks, Prevention Mechanisms, and Vulnerability Testing Suites, and do so by presenting a taxonomy diagram for each.

2 SQL Injection Attacks

First, we propose a classification for SQL Injection Attacks. Such classifications can be found in [4],[5] and [6]. However, we found many injection methodologies missing or misclassified. We also found a difference in classification between academic papers and industrial white papers. To that end, we propose a more complete classification which is in figure 1.

2.1 Injection Avenues

SQL Injection is a type of vulnerability that derives from the larger class of Application Attacks through malicious input. When concerned with web applications with a focus on SQL injection attacks, we find malicious input to be presented through three main avenues. We have also presented a fourth avenue here for the sake of completion to demonstrate that SQL injection is not a vulnerability restricted to just the web application domain.

2.1.1 Injection through Server Variables

This is the most common type of SQL Injection. Server variables are a collection of variables that defines the HTTP Request, environment, and various other network parameters. These include the two most common form submission methods, GET and POST, as well as other more intricate injection avenues such as HTTP header variables and sessions. The bulk of SQL Injection attempts are made through these server variables, either through entering malicious input into the client-end of the application or by crafting their own request to the server.

Fig. 1. SQL injection Attack Avenues and Types

Referensi

Unduh sekarang ( PDF - 2 Halaman - 192.84 KB )

Dokumen terkait

this file 5479 10929 1 PB

There were five distinctive techniques in technical writing used by the respondents: definition, mechanism, process, and partition and classification.. It should be

TRANSLATION TECHNIQUES IN INDONESIAN TRANSLATION OF LEGAL TERMS IN PENAL REFORM AND GENDER (INTERNATIONAL CENTRE FOR PRISON STUDIES) ISSUED BY UNITED NATION - UDiNus Repository

Those are Translations, Legal Text, Classification of Legal Terms, Translation in Legal Text, Translation Techniques, and UN SSR Toolkit.. The reason why the writer uses

ENGLISH DEPARTMENT STUDENTS’ PERCEPTION OF THEIR PREFERRED LEARNING STYLES AND ASSESSMENT TECHNIQUES

The results of the data revealed that the mean score of the students’ perception of their preferred learning styles and assessment techniques was 3,12 and it belongs

Secure MPC/ANN-Based False Data Injection Cyber-Attack Detection and Mitigation in DC

As a result, it can be concluded that the neural network and model predictive controller work properly, and they are successful to estimate the dc-bus voltage and mitigate the FDIA with

Implementation of Visual Cryptography and OCR Techniques for Processing the Enhanced Password Mechanism

Implementation of Visual Cryptography and OCR Techniques for Processing the Enhanced Password Mechanism Hamsalatha J, Alisha Erum K, Janani G S Dept of CSE Dr.TTIT, KGF Abstract-- In

Translation Techniques and Translation Accuracy of English ... - Unp

CONCLUSIONS From 102 data of sentences from tourism brochures in Tanah Datar regency, it is found that there are 8 techniques found the tourism brochures and literal translation is

DDoS Mitigation: A review of Content Delivery Network and its DDoS Defense techniques Mohammed Imthiyas

2016 To determine on DDoS attack and a conceptual cloud mitigation framework using detection and filtering method.. It performs the identification of new attack and shorter

Contact and non-contact heart beat rate measurement techniques: Challenges and issues - UMS INSTITUTIONAL REPOSITORY

Contact and non-contact heart beat rate measurement techniques: Challenges and issues ABSTRACT The heart is the most important organ in the human body as it circulates the blood