Top

International Journal of Information Security

Published in:

07-11-2017 | Regular Contribution

Defeating SQL injection attack in authentication security: an experimental study

Authors: Debasish Das, Utpal Sharma, D. K. Bhattacharyya

Published in: International Journal of Information Security | Issue 1/2019

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Whenever web-application executes dynamic SQL statements it may come under SQL injection attack. To evaluate the existing practices of its detection, we consider two different security scenarios for the web-application authentication that generates dynamic SQL query with the user input data. Accordingly, we generate two different datasets by considering all possible vulnerabilities in the run-time queries. We present proposed approach based on edit-distance to classify a dynamic SQL query as normal or malicious using web-profile prepared with the dynamic SQL queries during training phase. We evaluate the dataset using proposed approach and some well-known supervised classification approaches. Our proposed method is found more effective in detecting SQL injection attack under both the scenarios of authentication security.

next article Design and implementation of Negative Authentication System

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

MITRE/SANS: A vulnerability report. In: Top 25 most Dangerous Software Errors, MITRE Corporation Inc. (2011)

CISCO: SQL injection attacks a growing menace. In: CISCO Worldwide Reports, SPAM fighter Products 2003-2011. http://www.spamfighter.com/News-15078-SQL-Injection-Attacks-A-Growing-Menace.htm (2010)

Shar, L., Tan, H.B.K.: Defeating SQL injection. IEEE Comput. J. Mag. 46(3), 69–77 (2013)CrossRef

Su, Z., Wassermann, G.: The essence of command injection attacks in web application. In: In the 33rd Annual Symposium on Principles of Programming Languages, pp. 372–382 (2006)

Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: Dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Trans. Inf. Syst. Secur. 13(14), 14–38 (2010)

Liu, A., Yuan, Y., Wijesekera, D., Stavrou, A.: SQLProb: A proxy-based architecture towards preventing SQL injection attacks. In: Proceedings of the 2009 ACM Symposium on Applied Computing. http://dl.acm.org/citation.cfm?id=1529737, ACM Digital Library, pp. 2054–2061 (2009)

Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: IEEE Symposium on Security and Privacy. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1624016, IEEE Explore, pp. 263–268 (2006)

Martin, M., Livshits, B., Lam, M.S.: Finding application errors and security flaws using PQL: a program query language. In: OPSLA ’05 Proceedings of the 20th Annual ACM SIGPLAN conference. http://dl.acm.org/ftgateway.cfm?id=1094840&type=pdf&CFID=268059182&CFTOKEN=41307654. ACM Digital Library (2005)

Le, H.T., Loh, P.K.K.: Identification of performance issues in contemporary black-box web application scanners in SQLI. In: Latest Advances in Information Science and Applications. Computer Security Laboratory, Nanyang Technological University, Singapore. http://www.wseas.us/e-library/conferences/2012/Singapore/ACCIDS/ACCIDS-34.pdf

10.

Pietraszek, T., Berghe, D.V.: Defending against injection attack through contex-sensitive string evaluation. In: Proceedings of Recent Advances in Intrusion Detection. http://link.springer.com/chapter/10.1007/11663812-7. LNCS, pp. 124–145

11.

Halfond, W.G., Orso, A., Manolios, P.: Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In: SIGSOFT’06/FSE-14, Portland Oregon, USA, ACM Digital Library, pp. 175–185 (2006)

12.

Levenshtein, V.I.: Binary codes capable of correcting deletions, insertions, and reversals. In: Soviet Physics Doklady. Volume 10. The Smithsonian/NASA Astrophysics Data System. http://www.scribd.com/doc/18654513/levenshtein

13.

Pop, I.: An approach of the Naive Bayes classifier for the document classification. Gen. Math. 14(4), 135138 (2006)MathSciNet

14.

John, G.H., Langley, P.: Estimating continuous distributions in Bayesian classifiers. In: UAI’95 Proceedings of the Eleventh Conference on Uncertainty in Artificial Intelligence (1995)

15.

Cortes, C., Vapnik, V.: Support-vector networks. Mach. Learn. 20, 273–297 (1995)MATH

16.

MathWorks-India: Classify using support vector machine-matlab. http://www.mathworks.in/help/bioinfo/ref/svmclassify.html (2008)

17.

Soot:: A java optimization framework. http://www.sable.mcgill.ca/soot/

18.

Kang, J., Kim, J., Park, C., Park, H., Lee, J.: A multi channel architecture for high-performance nand flash-based storage system. J. Syst. Arch. 53(9), 644–658 (2007)

Title: Defeating SQL injection attack in authentication security: an experimental study
Authors: Debasish Das
Utpal Sharma
D. K. Bhattacharyya
Publication date: 07-11-2017
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 1/2019
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-017-0393-x

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 1/2019

Differential audio analysis: a new side-channel attack on PIN pads

Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications

Reverse engineering Java Card and vulnerability exploitation: a shortcut to ROM

Deployment and performance evaluation of mobile multicoupon solutions

Design and implementation of Negative Authentication System

Premium Partner