03 November 2008
Abstract: This work summarizes our research on the creation and evaluation of security tools against SQL injection attacks (SQLIAs). We briefly introduce the key concepts and problems of information security and present the major role that SQL injection plays in this scenario. Based on that analysis and on today's state of the art in computer security, we focus our research on the specific field of SQLIAs, which remain one of the most exploited and dangerous intrusion techniques used to access web applications. More precisely, we address two problems: (1) how to evaluate SQLIA security systems completely, in order to obtain useful results and consequently a better level of security, by proposing a novel evaluation methodology; and (2) how to be safe from SQLIAs, by creating and presenting, as a case study of our evaluation procedure, an effective tool for detecting and preventing both known and new SQL injection attacks. The proposed evaluation methodology is general and adaptable to any security tool for the detection or prevention of SQLIAs. It is a complete step-by-step procedure that provides a guideline for testing and rating important characteristics such as efficiency, effectiveness, stability, flexibility and performance, and it yields usable and comparable results with which to judge the tested tool properly. In addition, as a case study of our methodology, we present the evaluation of our tool, named SQLPrevent, which dynamically detects SQL injection attacks using a heuristic approach and blocks the corresponding SQL statements from being submitted to the back-end database. In our experiments, SQLPrevent produced no false positives or false negatives, achieved a 100% detection and prevention rate measured on different types of SQLIAs, is environment independent, and imposed a performance overhead of 0.3% on average.
Keyword(s): SQL Injection Detection and Prevention ; Web Application Security ; SQLPrevent
Published in: Fabrizio Monticelli, "Creation and Evaluation of SQL Injection Security Tools," Master thesis, Milano (MI), Italia, Department of Computer Engineering, Politecnico di Milano Technical University, Oct. 2008, 184 pp.