Hacking the DBMS to Prevent Injection Attacks

ABSTRACT
After more than a decade of research, web application security continues to be a challenge, and the backend database remains the most appetizing target. The paper proposes preventing injection attacks against the database management system (DBMS) behind web applications by embedding protections in the DBMS itself. The motivation is twofold. First, embedding protections in operating systems and in the applications running on top of them has proved effective at protecting that software. Second, there is a semantic mismatch between how SQL queries are believed to be executed by the DBMS and how they are actually executed, which leads to subtle vulnerabilities in prevention mechanisms. The approach, SEPTIC, was implemented in MySQL and evaluated experimentally with web applications written in PHP and Java/Spring. In the evaluation SEPTIC showed neither false negatives nor false positives, unlike the alternative approaches it was compared with, while imposing a low performance overhead of around 2.2%.
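The following is an added illustration of the idea stated in the abstract, not code from SEPTIC or the paper: the query is checked where the DBMS has already lexed it, by comparing its syntactic structure against structures learned from benign runs, instead of trusting checks the application performs on raw strings. The lexer, keyword set, model format and the helper names (`structure`, `learn_model`, `dbms_check`, `app_escape`, `app_blacklist`, `build_query`) are simplifications assumed here; the only MySQL-specific fact used is that `||` and `&&` are read as OR and AND unless the `PIPES_AS_CONCAT` SQL mode is enabled. The sample queries are constructed for the example.

```python
import re

# Added illustration, not SEPTIC's code: a toy version of checking a query's
# structure on the DBMS side, after lexing, against structures learned from
# benign runs. The lexer, keyword set and model format are simplifications.

_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^'\\]|\\.|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>\|\||&&|!=|<>|<=|>=|[=<>(),;*+\-/%])
""", re.VERBOSE | re.DOTALL)

_KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
             "INTO", "VALUES", "UPDATE", "SET", "DELETE", "LIKE", "IS", "NULL",
             "ORDER", "BY", "LIMIT"}
# MySQL reads || as OR and && as AND unless sql_mode PIPES_AS_CONCAT is set.
_OP_ALIASES = {"||": "OR", "&&": "AND"}


def structure(sql):
    """Reduce a query to what a parser sees: comments disappear, every literal
    becomes DATA, keywords and identifiers are kept in order."""
    out, pos = [], 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"cannot tokenize at offset {pos}: {sql[pos:pos + 10]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind in ("ws", "comment"):
            continue
        if kind in ("string", "number"):
            out.append("DATA")
        elif kind == "word":
            up = text.upper()
            out.append(up if up in _KEYWORDS else f"ID:{text}")
        else:
            out.append(_OP_ALIASES.get(text, text))
    return tuple(out)


def learn_model(training_queries):
    """Training phase: remember the structures of queries seen in benign runs."""
    return {structure(q) for q in training_queries}


def dbms_check(sql, model):
    """Detection phase, run where the DBMS holds the lexed query: accept only
    structures that were learned."""
    return structure(sql) in model


# --- the application side, where the semantic mismatch lives ----------------

def app_escape(value):
    """addslashes()-style escaping: only meaningful inside a quoted string."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def app_blacklist(value):
    """Keyword blacklist on the raw input; returns True when it would reject."""
    return re.search(r"\b(or|and|union|select)\b", value, re.IGNORECASE) is not None


def build_query(name, user_id):
    # The developer believes escaping protects both values; the DBMS parser
    # sees user_id unquoted, so the escaping changes nothing there.
    return (f"SELECT * FROM users WHERE name = '{app_escape(name)}' "
            f"AND id = {app_escape(user_id)}")


if __name__ == "__main__":
    # Constructed sample inputs: one benign request, two injections into the
    # unquoted numeric parameter (the second dodges the keyword blacklist).
    model = learn_model([build_query("alice", "7")])
    for name, uid in [("o'brien", "42"), ("alice", "7 OR 1=1"), ("alice", "7 || 1=1")]:
        q = build_query(name, uid)
        print(f"blacklist rejects: {app_blacklist(uid)!s:5}  "
              f"DBMS accepts: {dbms_check(q, model)!s:5}  {q}")
```

The benign request with an apostrophe in the name keeps the learned structure and passes, the `7 OR 1=1` value is caught by both the blacklist and the structural check, and `7 || 1=1` passes the application's blacklist (no keyword in the raw string) yet is rejected at the DBMS side because the parser turns `||` into the same OR node. A structure model of this kind cannot flag an injection that leaves the structure unchanged and only alters data values; that limitation is inherent to structural comparison, not to where the check runs.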