SQLrand: Preventing SQL Injection Attacks

Boyd, Stephen; Keromytis, Angelos D.

doi:10.1007/978-3-540-24852-1_21

Cited by 278 publications

(156 citation statements)

References 12 publications

Supporting

Mentioning

154

Contrasting

Unclassified

Order By: Relevance

“…Secure Coding Practices [27,37,50] Lexical Analysis [9,10,49,54] Data-Flow Analysis [17,30] Context Free Grammars [52,53] New APIs [13,36] Learning [15,32,48] Query Modification [4,7,46] Runtime Tainting [22,29,42,56] Data-Flow Analysis [51] Hybrid [24,25,35] Syntax Embeddings [5] Intrusion Set Randomization [3,28,31] The most straightforward and sensible approach is the adoption of secure coding practices [27,50,37], like the ones we mentioned above to prevent sql code injection. However, this does not always happen, as programmers may not be aware of them, or time schedules may be tight, encouraging sloppy practices instead.…”

Section: Static Methods Dynamic Methodsmentioning

confidence: 99%

“…Then, the resulting tokens are associated with vulnerable function calls susceptible to buffer overflows like gets, strcpy and scanf. This approach is taken by security utilities like its4, 4 Flawfinder 5 and rats 6 [54,10,9,49]. However, these tools suffer from several false positive and negative reports [11,14].…”

Section: Static Methods Dynamic Methodsmentioning

confidence: 99%

“…Here the modified statement is either reconstructed at runtime using a cryptographic key that is inaccessible to the attacker [4], or the user input is tagged with delimiters that allow an augmented sql grammar to detect the attacks [7,46]. Both approaches require significant source code modifications though.…”

Section: Dynamic Methodsmentioning

confidence: 99%

See 2 more Smart Citations

Countering code injection attacks: a unified approach

Mitropoulos

Karakoidas

Λουρίδας

et al. 2011

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

Code injection exploits a software vulnerability through which a malicious user can make an application run unauthorized code. Server applications frequently employ dynamic and domain-specific languages, which are used as vectors for the attack. We propose a generic approach that prevents the class of injection attacks involving these vectors: our scheme detects attacks by using location-specific signatures to validate code statements. The signatures are unique identifiers that represent specific characteristics of a statement's execution. We have applied our approach successfully to defend against attacks targeting sql, xpath and JavaScript.

show abstract

Section: Static Methods Dynamic Methodsmentioning

confidence: 99%

Section: Static Methods Dynamic Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Countering code injection attacks: a unified approach

Mitropoulos

Karakoidas

Λουρίδας

et al. 2011

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

show abstract

“…Instruction -Set Randomization SQL rand [8] provides a framework that allows developer to create SQL Queries using randomized keywords instead of the normal SQL keywords. A proxy between the web application and the database intercepts SQL queries and de-randomizes the keywords.…”

Section: B Prepare Statementmentioning

confidence: 99%

Prevention of SQL Injection Attacks by Using Service Oriented Authentication Technique

Balasundram¹,

Ramaraj²

2013

IJMO

View full text Add to dashboard Cite

Abstract-Web applications have become steadily increased in daily routines activities and continue to integrate them. On-line reservations, paying bills and on-line shopping expect these web applications to be secure and reliable; the fear of SQL-Injection Attacks has become increasingly frequent and serious. SQL Injection Attacks (SQLIAs) are one of the topmost threats for web application security. Using SQL Injection attackers can leak confidential information; such as credit card numbers from web applications and even corrupt the database. This paper presents a new technique to protect Web applications against SQL injection Attacks. SQL Injection Attacks are a class of attacks that many of these systems are highly vulnerable to, and there is no known foolproof defense against such attacks. The new innovative technique -Service -Oriented Authentication‖ is to prevent SQL-Injection Attacks in database the deployment of this technique is by appending first level Service has the functionality of Tame-card detection and Prevention. The Second level Service has the functionality of Authentication Checker also dataset (the temporary storage of database) of application scripts additionally allowing seamless integration with currently-deployed systems.Index Terms-Database security, world-wide application security, SQL-injection attacks, runtime monitoring.

show abstract

“…Both methods as such naturally have pros and cons. An example query modification countermeasure is SQLrand [30].…”

Section: Countermeasuresmentioning

confidence: 99%

A Metamodel for Web Application Injection Attacks and Countermeasures

Holm¹,

Ekstedt²

2012

Lecture Notes in Business Information Processing

View full text Add to dashboard Cite

Abstract. Web application injection attacks such as cross site scripting and SQL injection are common and problematic for enterprises. In order to defend against them, practitioners with large heterogeneous system architectures and limited resources struggle to understand the effectiveness of different countermeasures under various conditions. This paper presents an enterprise architecture metamodel that can be used by enterprise decision makers when deciding between different countermeasures for web application injection attacks. The scope of the model is to provide low-effort guidance on an abstraction level of use for an enterprise decision maker. This metamodel is based on a literature review and revised according to the judgment by six domain experts identified through peer-review.

show abstract

SQLrand: Preventing SQL Injection Attacks

Cited by 278 publications

References 12 publications

Countering code injection attacks: a unified approach

Countering code injection attacks: a unified approach

Prevention of SQL Injection Attacks by Using Service Oriented Authentication Technique

A Metamodel for Web Application Injection Attacks and Countermeasures

Contact Info

Product

Resources

About