SQLPrevent: Effective Dynamic Detection and Prevention of SQL Injection Attacks Without Access to the Application Source Code

San-Tsai Sun ; Konstantin Beznosov

22 February 2008

Abstract: This paper presents an effective approach for detecting and preventing known as well as novel SQL injection attacks. Unlike existing approaches, ours (1) is resistant to evasion techniques, such as hexadecimal encoding or inline comment, (2) does not require analysis or modification of the application source code, (3) does not need training traces, (4) does not require modification of the runtime environment, such as PHP interpreter or JVM, and (5) is independent of the back-end database used. Our approach is based on two simple observations, that (1) in malicious HTTP requests, parameter values are used not only as \emph{literals} in the corresponding SQL statements but also as other SQL constructs, such as delimiters, identifiers or operators; and (2) a malformed parameter value in an HTTP request comprises more than one SQL \emph{token}. We use J2EE to implement a tool we have named SQLPrevent that dynamically detects SQL injection attacks using the above heuristics, and blocks the corresponding SQL statements from being submitted to the back-end database. Using the AMNESIA testbed, we evaluate SQLPrevent over 15,000 unique HTTP requests with five web applications. In our experiments, SQLPrevent produced no false positives or false negatives, and imposed at most 4\% (0.3\% on average) performance overhead with respect to average 500 millisecond response time in the testbed applications.

Keyword(s): SQL Injection Attacks ; SQLPrevent

Published in: San-Tsai Sun and Konstantin Beznosov, "SQLPrevent: Effective dynamic detection and prevention of SQL injection attacks without access to the application source code," Tech. Rep. LERSSE-TR-2008-01, Laboratory for Education and Research in Secure Systems Engineering, University of British Columbia, February 2008.:

The record appears in these collections:
Technical Reports

 Record created 2009-04-27, last modified 2013-05-22

Transfer from CDS 0.99.7:
Download fulltext

Rate this document:

Rate this document:
(Not yet reviewed)