Hamdi Yesilyurt, Riji Jacob

SQLrand: Preventing SQL Injection Attacks
Many Web applications on the Internet serve database-driven content. Yahoo and Amazon are the most prominent examples of companies that rely on relational databases for their business transactions, and almost every company with a presence on the Internet uses a relational database. Most of the time, company databases hold sensitive information about both the company and its clients. However, the interactive nature of web applications that use database services exposes them to SQL injection attacks. Web applications receive user input via form fields and then pass that input on as database requests, typically SQL statements [1]. The information bound to a transaction may include user names, passwords and data of large monetary value. Information held in the database may also be a matter of national security and privacy, such as social security numbers in the U.S.

SQL injection attacks are widespread, and Web applications are vulnerable to SQL Injection Attacks (SQLIAs). According to the Gartner Group, “over 300 Internet Web sites has shown that most of them could be vulnerable to SQLIAs”. Examples of SQLIAs that successfully hit prominent victims include Travelocity, FTD.com, and Guess Inc. [2]. SQL injection is considered a type of code injection in which “data provided by the user is included in an SQL query in such a way that part of the user’s input is treated as SQL code” [3]. The root cause of such vulnerabilities is that the input accepted by the application is not validated before being sent to the relational database as part of an SQL query [3]. By exploiting such a vulnerability, an attacker can send SQL commands directly to the database. Any web application that reads input from users (e.g., through web forms or web APIs) and uses it to build SQL queries against an underlying database is exposed to SQL injection, which represents a serious threat [3].
This study surveys the mechanism proposed by Boyd and Keromytis in 2004 in SQLrand: Preventing SQL Injection Attacks. The paper presents a practical protection mechanism against SQL injection attacks that are reachable “through a web front-end, and take advantage of flaws in the input validation logic of Web components such as CGI scripts” [4]. SQLrand applies “instruction-set randomization to SQL, creating instances of the language that is unpredictable to the attacker” [4]. The proposed mechanism relies on the SQL parser to block queries containing code injected by the attacker: since the attacker does not know the randomized instruction set, injected standard SQL keywords are recognized and the query is rejected. To do this, “an intermediary proxy that translates the random SQL to its standard language” is provided [4]. The performance cost of this approach is only a few milliseconds per query.
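A toy SQLrand-style proxy in Python, added here as an illustration and not code from Boyd and Keromytis: the application randomizes the keywords of its static query templates with a secret key before user input is spliced in, and the proxy maps the randomized keywords back to standard SQL while rejecting any query that still carries a plain keyword outside a string literal. The keyword subset, the token pattern and the `build_query` application stub are simplifications assumed for this example.

```python
import re
import secrets

# Subset of SQL keywords the toy proxy recognizes (illustrative, not a full grammar).
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "INSERT",
            "UPDATE", "DELETE", "DROP", "VALUES", "INTO"}
_KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
# Tokens: a quoted string literal, an identifier/keyword, or any single symbol.
_TOKEN_RE = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|\S")


class RandomizationError(Exception):
    """Raised when a query carries a plain SQL keyword the application never randomized."""


class SqlRandProxy:
    def __init__(self, key=None):
        # The key is a random integer appended to every keyword. It stays on the
        # trusted side, so an attacker cannot guess the randomized keyword names.
        self.key = key if key is not None else secrets.randbelow(10**6)
        self._derand = {f"{kw}{self.key}": kw for kw in KEYWORDS}

    def randomize(self, template):
        """Developer side: append the key to every keyword of a static query template."""
        return _KEYWORD_RE.sub(lambda m: f"{m.group(1).upper()}{self.key}", template)

    def derandomize(self, query):
        """Proxy side: map randomized keywords back to standard SQL, or reject the query."""
        out = []
        for tok in _TOKEN_RE.findall(query):
            if tok.startswith("'"):             # string literal: data, passed through
                out.append(tok)
            elif tok in self._derand:           # keyword randomized by the application
                out.append(self._derand[tok])
            elif tok.upper() in KEYWORDS:       # plain keyword: arrived via user input
                raise RandomizationError(f"unrandomized SQL keyword {tok!r}")
            else:                               # identifiers, operators, numbers
                out.append(tok)
        return " ".join(out)


def build_query(proxy, username):
    """Application side (hypothetical stub): randomize the template first, then splice
    in raw user input with no validation, the pattern the paper targets. Any keyword
    inside the user input therefore stays unrandomized and the proxy will reject it."""
    template = proxy.randomize("SELECT * FROM users WHERE name = '%s'")
    return template % username
```

A benign name such as `Or` passes because it is tokenized as a string literal, whereas an input that closes the literal and appends `OR` is rejected before it reaches the database.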
References

[1] Buehrer, G. T., Weide, B. W., & Sivilotti, P. A. G. (2005). Using parse tree validation to prevent SQL injection attacks. Foundations of Software Engineering, 106-113.

[2] Halfond, W. G., Viegas, J., & Orso, A. (2006). A classification of SQL-injection attacks and countermeasures.

[3] Halfond, W. G. J., & Orso, A. (2005). AMNESIA: Analysis and monitoring for NEutralizing SQL-injection attacks.

[4] Boyd, S. W., & Keromytis, A. D. (2004). SQLrand: Preventing SQL injection attacks. Lecture Notes in Computer Science, 3089, 292-302.