New Strategy for Mitigating of SQL Injection Attack

Ammar Alazab and Ansam Khresiat, International Journal of Computer Applications
SQL injection attack (SQLIA) is a serious threat to web applications. A successful SQLIA can have serious consequences for the victimized organization, including financial loss, reputational loss, and compliance and regulatory breaches. Therefore, developing approaches for mitigating SQLIA is of paramount importance. To this end, we propose an approach based on negative tainting along with SQL keyword analysis for detecting and preventing SQLIA. We have tested our proposed approach on all types of SQLIAs…

SQL Injection Detection and Prevention Techniques in ASP.NET Web Application
Injection in SQL (Structured Query Language) is one of the threats to web-based apps, mobile apps and even desktop applications connected to a database. An effective SQL Injection Attack (SQLIA) …
Detection and Prevention of SQL Injection Attack: A Survey
SQL (Structured Query Language) injection is one of the threats to applications, whether web-based, mobile or even desktop, that are connected to a database.
A Method to Prevent SQL Injection Attack using an Improved Parameterized Stored Procedure
Structured Query Language (SQL) injection is one of the critical threats to database security. The effects of SQL injection attacks put the data contained in the database at risk of being …
A Secure Methodology to Detect and Prevent Ddos and Sql Injection Attacks
The proposed solution provides high security against firewall attacks, namely denial of firewall and SQL injection, securing the data owner's files and preventing compromise of the firewall.
GMSA: Gathering Multiple Signatures Approach to Defend Against Code Injection Attacks
A tool called GMSA was developed to detect a variety of code injection attacks (CIAs); it is more comprehensive than other research techniques that are restricted to only two major types of CIA, namely SQL injection and XSS attacks.
Detection and Prevention of SQLI Attacks inside the DBMS
An attempt has been made to develop an online shop that allows users to browse different clothing items; all user details are encrypted using the AES algorithm and then stored in a MySQL database.
A Two-Phase Pattern Matching-parse Tree Validation Approach for Efficient SQL Injection Attacks Detection
An algorithm is proposed that combines two existing detection algorithms, pattern matching using Aho-Corasick (AC) and parse tree (PT) validation, and guarantees high accuracy and reasonable time.
Survey of intrusion detection systems: techniques, datasets and challenges
A taxonomy of contemporary IDS is presented, along with a comprehensive review of notable recent works, an overview of the datasets commonly used for evaluation, and the evasion techniques used by attackers to avoid detection.
A Comprehensive Study on SQL Injection Attacks, Their Mode, Detection and Prevention

Web application protection against SQL injection attack
A novel concept of negative tainting along with SQL keyword analysis for preventing SQLIA is proposed and implemented; the results show that the model protects against 100% of tested attacks before they even reach the database layer.
An Approach to Detect and Prevent SQL Injection Attacks in Database Using Web Service
This paper proposes a novel specification-based methodology for preventing SQL injection attacks by generating functions for two filtration models, Active Guard and Service Detector, for application scripts, while allowing seamless integration with currently deployed systems.
A novel method for SQL injection attack detection based on removing SQL query attribute values
A very simple and effective detection method for SQL injection attacks that removes the attribute values from the SQL query of a web page when parameters are submitted and then compares the result with a predetermined one.
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
A new, highly automated approach for protecting existing Web applications against SQL injection, based on the novel idea of positive tainting and the concept of syntax-aware evaluation, is proposed.
An Approach to Detection of SQL Injection Vulnerabilities Based on Dynamic Query Matching
This paper classifies SQL injection attacks based on their vulnerabilities in web applications and reports the approaches implemented in recent years by researchers in their methodologies for the detection of and protection against SQL injection.
CANDID: preventing SQL injection attacks using dynamic candidate evaluations
This work exhibits a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks, and proposes a simple and novel mechanism, called CANDID, for mining programmer-intended queries by dynamically evaluating runs over benign candidate inputs.
CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks
A novel and powerful scheme for automatically transforming Web applications to render them safe against all SQL injection attacks, and a simple and novel mechanism, called CANDID, for mining programmer-intended queries by dynamically evaluating runs over benign candidate inputs.
Using Automated Fix Generation to Secure SQL Statements
  • Stephen Thomas, L. Williams
  • Computer Science, Environmental Science
  • Third International Workshop on Software Engineering for Secure Systems (SESS'07: ICSE Workshops 2007)
  • 2007
This paper proposes an automated method for removing SQL injection vulnerabilities from Java code by converting plain-text SQL statements into prepared statements, which allows developers to remove vulnerable code by replacing it with generated secure code.
Using parse tree validation to prevent SQL injection attacks
A technique to prevent this kind of manipulation, and hence eliminate SQL injection vulnerabilities, is described; it is based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input.
A Case Study on Asprox Infection Dynamics
It is found that the malware-propagation infrastructure in Asprox is aggressively provisioned to resist take-down efforts, combined with the easy availability of vulnerable user machines and web servers whose administrators are probably constrained in the time and resources necessary to fix the problem.