A systematic review of detection and prevention techniques of SQL injection attacks

2021 ◽  
pp. 1-14
Author(s):  
Mohammed Nasereddin ◽  
Ashaar ALKhamaiseh ◽  
Malik Qasaimeh ◽  
Raad Al-Qassas
Keyword(s):  
Systematic Review ◽  
Sql Injection ◽  
Injection Attacks ◽  
Prevention Techniques ◽  
Sql Injection Attacks

SQL Injection Attacks Countermeasures

2012 ◽  
pp. 194-213
Author(s):  
Kasra Amirtahmasebi ◽  
Seyed Reza Jalalinia
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Confidential Information ◽  
Sql Injection ◽  
Unauthorized Access ◽  
Injection Attacks ◽  
Prevention Techniques ◽  
Sql Injection Attack ◽  
Sql Injection Attacks ◽  
The Web

Due to the huge growth in the need for using Web applications worldwide, there have been huge efforts from programmers to develop and implement new Web applications to be used by companies. Since a number of these applications lack proper security considerations, malicious users will be able to gain unauthorized access to confidential information of organizations. A concept called SQL Injection Attack (SQLIA) is a prevalent method used by attackers to extract the confidential information from organizations’ databases. They work by injecting malicious SQL codes through the web application, and they cause unexpected behavior from the database. There are a number of SQL Injection detection/prevention techniques that must be used in order to prevent unauthorized access to databases.

scholarly journals Retrofitting Existing Web Applications with Effective Dynamic Protection Against SQL Injection Attacks

2010 ◽  
Vol 1 (1) ◽  
pp. 20-40 ◽  
Author(s):  
San-Tsai Sun ◽  
Konstantin Beznosov
Keyword(s):  
Web Applications ◽  
False Positives ◽  
Sql Injection ◽  
Injection Attacks ◽  
Track Parameter ◽  
Effective Dynamic ◽  
Protection Mechanisms ◽  
Sql Injection Attacks ◽  
Application Developers ◽  
Parameter Values

This article presents an approach for retrofitting existing Web applications with run-time protection against known, as well as unseen, SQL injection attacks (SQLIAs) without the involvement of application developers. The precision of the approach is also enhanced with a method for reducing the rate of false positives in the SQLIA detection logic, via runtime discovery of the developers’ intention for individual SQL statements made by Web applications. The proposed approach is implemented in the form of protection mechanisms for J2EE, ASP.NET, and ASP applications. Named SQLPrevent, these mechanisms intercept HTTP requests and SQL statements, mark and track parameter values originating from HTTP requests, and perform SQLIA detection and prevention on the intercepted SQL statements. The AMNESIA testbed is extended to contain false-positive testing traces, and is used to evaluate SQLPrevent. In our experiments, SQLPrevent produced no false positives or false negatives, and imposed a maximum 3.6% performance overhead with 30 milliseconds response time for the tested applications.

Sign in / Sign up

Export Citation Format

Share Document