Abstract

While using internet for proposing online services is increasing every day, security threats in the web also increased dramatically. One of the most serious and dangerous web application vulnerabilities is SQL injection. SQL injection attack took place by inserting a portion of malicious SQL query through a non-validated input from the user into the legitimate query statement. Consequently database management system will execute these commands and it leads to SQL injection. A successful SQL injection attack interfere Confidentiality, Integrity and availability of information in the database. Based on the statistical researches this type of attack had a high impact on business. Finding the proper solution to stop or mitigate the SQL injection is necessary. To address this problem security researchers introduce different techniques to develop secure codes, prevent SQL injection attacks and detect them. In this paper the authors present a comprehensive review of different types of SQL injection and various aspects related to SQL injection attacks. Such a structural classification would further help other researchers to choose the right technique for the further studies.

References

• Wikipedia, “information security” http://en.wikipedia.org/wiki/Information_security
• (OWASP), “O.W.A.S.P. Top 10 Vulnerabilities.”; Available from:https://www.owasp.org/index.php/Top_10 2013
• Wikipedia, “web application”, http://en.wikipedia.org/wiki/Web_application
• https://www.cvedetails.com/vulnerabilities-by-types.php
• Wikipedia, “SQL injection” http://en.wikipedia.org/wiki/SQL_injection
• secerno.com,” SQL Injection Attack: A Security Threat”,http://www.secerno.com/?pg=SQL-Injection#2
• IBM, IBM Internet Security SystemsX-Force 2008 Trend & Risk Report, Jan 2009,http://www935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
• W. Halfond, J. Viegas, and A. Orso. A Classification of SQL-Injection Attacks and Countermeasures. Proceedings of the IEEE International Symposium on Secure Software Engineering (ISSSE), 2006.
• Stephen Thomas, Laurie Williams. Using Automated Fix Generation to Secure SQL Statements. Third International Workshop on Software Engineering for Secure Systems (SESS'07), pages 9-9,May 2007.
• G. Wassermann and Z. Su. An Analysis Framework for Security in Web Applications. In Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS), pages 70–78, 2004.
• F. Valeur, D. Mutz, and G. Vigna. A Learning-Based Approach to the Detection of SQL Attacks. In Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), pages 123–140, 2005.
• S. Boyd and A. Keromytis. SQLrand: Preventing SQL injection attacks. In Proceedings of the Applied Cryptography and Network Security (ACNS), pages 292–304, 2004.
• T. Pietraszek and C. Vanden Berghe. Defending against Injection Attacks through Context-Sensitive String Evaluation. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), pages 124–145, 2005.
• Z. Su and G. Wassermann. The Essence of Command Injection Attacks in Web Applications. Annual Symposium on Principles of Programming Languages (POPL), pages 372–382, 2006.
• G. Buehrer, B. W. Weide, and P. A. G. Sivilotti, "Using Parse Tree Validation to Prevent SQL Injection Attacks," 5th International Workshop on Software Engineering and Middleware, pages 106-113, 2005
• W. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQLInjection Attacks. In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 174–183, 2005.
• William G.J. Halfond and Alessandro Orso. Preventing SQL Injection Attacks Using AMNESIA. Proceedings of the 28th international conference on Software engineering. Pages 795-798, May 2006
• William G. J. Halfond, Alessandro Orso. Combining Static Analysis & Runtime Monitoring to Counter SQL-Injection Attacks. SIGSOFT Software Engineering Notes Volume 30 Issue 4. July 2005.