Journal of Web Engineering & Technology

With the rise of the Internet, web applications have become one of the most important communication channels between various kinds of service providers and clients on the Internet. The use of web-based services (such as online banking, online shopping, web-based email etc.) has become a wide-spread routine in today’s economic and social life. SQL injection attacks are the dominating type of attack on web based applications. It is the act of passing abysmal SQL query into interactive web applications that employ in database services. The attackers can get the entire schema of the original database and can also corrupt it. This paper presents novel framework aimed at the detection of such vulnerabilities, and at the protection of web server and database server against SQL injection attacks. The proposed framework is identifying the SQL injection vulnerabilities on basis of SQL injection grammar.

Keywords: SQLID framework, Filter, SSDM, HSDM, Parser, SQL query analyzer

Cite this Article
Khaleel Ahmad, Jayant Shekhar. A Potential Framework to Secure Web Application and Database against SQL Injection Attacks. Journal of Web Engineering & Technology. 2016; 3(1): 27–34p.

Thomas, Laurie Williams Stephen. Using Automated Fix Generation to Secure SQL Statements. Dept. of Computer Science, North Carolina State University, Raleigh, NC, USA.

NIST. National Vulnerability Database. 2007. http://nvd.nist.gov/

Sagar Joshi. SQL Injection Attack and Defense: Web Application and SQL Injection. 2005. http://www.securitydocs.com/library/3587.

Halfond William GJ, Jeremy Viegas, Alessandro Orso. A Classification of SQL Injection Attacks and Countermeasures. IEEE Conference. 2006.

San-Tsai Sun, Ting Han Wei, Stephen Liu, et al. Classification of SQL Injection Attacks. Electrical and Computer Engineering, University of British Columbia.

Anley C. Advanced SQL Injection in SQL Server Applications. White Paper, Next Generation Security Software Ltd.; 2002.

Khaleel Ahmad, Jayant Shekhar, Yadav KP. Classification of SQL Injection Attacks. VSRD-TNTJ International Journal. 2010; I(4): 235–242p. ISSN No: 0976-7967.

Khaleel Ahmad, Jayant Shekhar, Yadav KP. Coalesce Techniques to Secure Web Applications and Database against SQL Injection Attacks. Electronic Journal of Computer Science and Information Technology (eJCSIT), Malaysia. 2011; 3(1): 26–30p. ISSN No: 1985-7721.

Top Ten Most Critical Web Application Vulnerabilities. OWASP Foundation. http://www.owasp.org/documentation/topten.html, 2005.

Craig Ulmer, Maya Gokhale, Brian Gallagher, et al. Massively Parallel Acceleration of a Document-Similarity Classifier to Detect Web Attacks. J Parallel Distrib Comput. 2010; 225–235p. www.elsevier.com/locate/jpdc.

Khaleel Ahmad, Jayant Shekhar, Yadav KP, et al. Combinational Approach to Mitigate SQL Injection Attacks. International Conference on Graphics & Multimedia Symposium, Malaysia (GMS’ 2010). 2010; 9–11p. ISBN- 978-967-5770-09-8.

https://www.owasp.org/index.php/SQL_Injection

Khaleel Ahmad, Shikha Verma, Nitish Kumar, et al. Classification of Internet Security Attacks. 5th National Conference on Computing for Nation Development INDIACom-2011, BVICAM, New Delhi, India. 10–11 Mar 2011; 229, 230, 234p. Copy Right INDIACom-2011 ISSN 0973-7529, ISBN 978-93-80544-00-7.

http://msdn.microsoft.com/en-us/library/ms161953.aspx

http://www.acunetix.com/websitesecurity/sql-injection.htm

http://www.imperva.com/resources/glossary/sql_injection.html

Sushila Madan, Supriya Madan. Security Standards Perspective to Fortify Web Database Applications from Code Injection Attacks. IEEE International Conference on Intelligent Systems, Modelling and Simulation. 2010; 226–230p.

Prithvi Bisht, Madhusudan P, Venkatakrishnan VN. CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. ACM Trans Inform System Security. Feb 2010; 13(2).

Prithvi Bisht, Prasad Sistla A, Venkatakrishnan VN. Automatically Preparing Safe SQL Queries. Springer-Verlag Berlin Heidelberg LNCS 6052. 2010; 272–288p.

Toan Huynh, James Miller. An Empirical Investigation in to Open Source Web

Applications’ Implementation Vulnerabilities. Empir Software Eng Journal, Springer. May 2010; 556–576p.

Halfond William GJ, Alessandro Orso, Panagiotis Manolio. WASP: Protecting Positive Tainting and Syntax-Aware Evaluation. IEEE Trans Softw Eng. Jan–Feb 2008; 34(1).

Kiani M, Clark A, Mohay G. Evaluation of Anomaly Based Character Distribution Models in the Detection of SQL Injection Attacks. The Third International Conference on Availability, Reliability, and Security, IEEE Computer Society. 2008.

Kosuga Y, Kono K, Hanaoka M, et al. Sania: Syntactic and Semantic Analysis For Automated Testing against SQL Injection. 23rd Annual Computer Security Applications Conference, IEEE Computer Society. 2007.

Angelos D and Keromyns. Randomized Instruction Sets and Runtime Environments. IEEE Security & Privacy, IEEE Computer Society. 2009.

Lin JC, Chen JM, Liu CH. An Automatic Mechanism for Sanitizing Malicious Injection. The 9th International Conference for Young Computer Scientists, IEEE Computer Society. 2008.

MeiJunjin. An Approach for SQL Injection Vulnerability Detection. IEEE Sixth International Conference on Information Technology: New Generations. 2009; 1411–1414p.

Ankit Anchlia, Sheela Jain. A Novel Injection Aware Approach for the Testing of Database Applications. IEEE International Conference on Recent Trends in Information, Telecommunication and Computing. 2010; 311–313p.

Cristian Pinzón, Álvaro Herrero, De Paz Juan F, et al. CBRid4SQL: A CBR Intrusion Detector for SQL Injection Attacks. Springer-Verlag Berlin Heidelberg 2010, LNAI 6077. 2010; 510–519p.

Jaroslaw Skaruz, Jerzy Pawel Nowacki, Aldona Drabik, et al. Soft Computing Techniques for Intrusion Detection of SQL-Based Attacks. Springer-Verlag Berlin Heidelberg 2010, LNAI 5990. 2010; 33–42p.

Xu Ruzhi, Guo Jian, Deng Liwu. A Database Security Gateway to the Detection of SQL Attacks. IEEE 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE). 2010; V3-537–V3-540p.

Angelo Ciampa, Corrado Aaron Visaggio, Massimiliano Di Penta. A Heuristic-Based Approach for Detecting SQL-Injection Vulnerabilities in Web Applications. ACM SESS’10, Cape Town, South Africa. May 2, 2010; 43–49p.

Ankit Anchlia, Sheela Jain. A Novel Injection Aware Approach for the Testing of Database Applications. IEEE International Conference on Recent Trends in Information, Telecommunication and Computing. 2010; 311–313p.

Ezumalai R, Aaghila G. Combinatorial Approach for Preventing SQL Injection Attacks. 2009 IEEE International Advance Computing Conference (IACC 2009), Patiala, India. 2010; 1212–1217p.

Shanmughaneethi V, Emilin Shyni C, Swamynathan S. SBSQLID: Securing Web Applications with Service Based SQL Injection Detection. IEEE International Conference on Advances in Computing, Control, and Telecommunication Technologies. 2009; 702–704p.

Zhefei Zhang, Qinghua Zheng, Xiaohong Guan, et al. A Method for Detecting Code Security Vulnerability Based on Variables Tracking with Validated-Tree. Higher Education Press and Springer-Verlag; 2008; 162–166p.

José Fonseca, Marco Vieira, Henrique Madeira. Detecting Malicious SQL. Springer-Verlag Berlin Heidelberg 2007, LNCS 4657. 2007; 259–268p.

Khaleel Ahmad, Jayant Shekhar, Shiwani Sharma, et al. A Coalesce Model for Secure Database. IEEE 3rd International Conference on Electronics Computer Technology (ICECT 2011). 8–10 Apr 2011; V5-379–V5-382p. 978-1-4244-8679-3/11/$26.00.

http://publib.boulder.ibm.com/infocenter/wsdoc400/v6r0/index.jsp?topic=/com.ibm.websphere.iseries.doc/info/ae/ae/tjpx_createps.html