File(s) under permanent embargo
Web application protection against SQL injection attack
conference contribution
posted on 2011-01-01, 00:00 authored by A Alazab, Moutaz Alazab, Jemal AbawajyJemal Abawajy, Michael HobbsMichael HobbsSQL injection vulnerabilities poses a severe threat to web applications as an SQL Injection Attack (SQLIA) could adopt new obfuscation techniques to evade and thwart countermeasures such as Intrusion Detection Systems (IDS). SQLIA gains access to the back-end database of vulnerable websites, allowing hackers to execute SQL commands in a web application resulting in financial fraud and website defacement. The lack of existing models in providing protections against SQL injection has motivated this paper to present a new and enhanced model against web database intrusions that use SQLIA techniques. In this paper, we propose a novel concept of negative tainting along with SQL keyword analysis for preventing SQLIA and described our that we implemented. We have tested our proposed model on all types of SQLIA techniques by generating SQL queries containing legitimate SQL commands and SQL Injection Attack. Evaluations have been performed using three different applications. The results show that our model protects against 100% of tested attacks before even reaching the database layer.
History
Event
International Conference on Information Technology and Applications (7th : 2011 : Sydney, N.S.W.)Pagination
1 - 7Publisher
[IEEE]Location
Sydney, N.S.W.Place of publication
[Sydney, N.S.W]Start date
2011-11-21End date
2011-11-24ISBN-13
9780980326741Language
engPublication classification
E1 Full written paper - refereedCopyright notice
2011, IEEETitle of proceedings
ICITA 2011 : Proceedings of the 7th International Conference on Information Technology and Applications ICITA 2011Usage metrics
Categories
No categories selectedLicence
Exports
RefWorks
BibTeX
Ref. manager
Endnote
DataCite
NLM
DC