000000146 001__ 146
000000146 005__ 20130522141946.0
000000146 037__ $$aLERSSE-REPORT-2008-025
000000146 041__ $$aeng
000000146 100__ $$aSan-Tsai Sun
000000146 100__ $$aKonstantin Beznosov
000000146 245__ $$aSQLPrevent: Effective Dynamic Detection and Prevention of SQL Injection Attacks Without Access to the Application Source Code
000000146 260__ $$c2008-02-22
000000146 300__ $$a34p
000000146 520__ $$aThis paper presents an effective approach for detecting and preventing known as well as novel SQL injection attacks. Unlike existing approaches, ours (1) is resistant to evasion techniques, such as hexadecimal encoding or inline comment, (2) does not require analysis or modification of the application source code, (3) does not need training traces, (4) does not require modification of the runtime environment, such as PHP interpreter or JVM, and (5) is independent of the back-end database used. Our approach is based on two simple observations, that (1) in malicious HTTP requests, parameter values are used not only as \emph{literals} in the corresponding SQL statements but also as other SQL constructs, such as delimiters, identifiers or operators; and (2) a malformed parameter value in an HTTP request comprises more than one SQL \emph{token}. We use J2EE to implement a tool we have named SQLPrevent that dynamically detects SQL injection attacks using the above heuristics, and blocks the corresponding SQL statements from being submitted to the back-end database. Using the AMNESIA testbed, we evaluate SQLPrevent over 15,000 unique HTTP requests with five web applications. In our experiments, SQLPrevent produced no false positives or false negatives, and imposed at most 4\% (0.3\% on average) performance overhead with respect to average 500 millisecond response time in the testbed applications.
000000146 6531_ $$aSQL Injection Attacks
000000146 6531_ $$aSQLPrevent
000000146 8560_ $$fsantsais@ece.ubc.ca
000000146 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/146/files/146.pdf$$yTransfer from CDS 0.99.7
000000146 909C4 $$pSan-Tsai Sun and Konstantin Beznosov, "SQLPrevent: Effective dynamic detection and prevention of SQL injection attacks without access to the application source code," Tech. Rep. LERSSE-TR-2008-01, Laboratory for Education and Research in Secure Systems Engineering, University of British Columbia, February 2008.
000000146 980__ $$aREPORT