000000178 001__ 178
000000178 005__ 20130522141946.0
000000178 037__ $$aLERSSE-REPORT-2009-032
000000178 041__ $$aeng
000000178 100__ $$aSan-Tsai Sun
000000178 100__ $$aKonstantin Beznosov
000000178 245__ $$aSQLPrevent: Effective Dynamic Protection Against SQL Injection Attacks
000000178 260__ $$c2009-03-30
000000178 300__ $$a36p
000000178 520__ $$aThis paper presents an approach for retrofitting existing web applications with run-time protection against known as well as unseen SQL injection attacks (SQLIAs). This approach (1) is resistant to evasion techniques, such as hexadecimal encoding or inline comments, (2) does not require analysis or modification of the application source code, (3) does not require modification of the runtime environment, such as the PHP interpreter or JVM, and (4) is independent of the back-end database used. The approach's precision is also enhanced with a method for reducing the rate of false positives in the SQLIA detection logic via runtime discovery of the developers' intention for individual SQL statements made by web applications. We have implemented the proposed approach in the form of protection mechanisms for J2EE applications. Named SQLPrevent, these mechanisms intercept both HTTP requests and SQL statements, mark and track parameter values originating from HTTP requests, and perform SQLIA detection and prevention on the intercepted SQL statements. We extended the AMNESIA testbed to contain false positive testing traces, and employed the extended testbed to evaluate SQLPrevent over 15,000 unique HTTP requests with five web applications. In our experiments, SQLPrevent produced no known false positives or false negatives, and imposed a 3.6% performance overhead with respect to a 30 millisecond response time in the tested applications. We also ported SQLPrevent to ASP.NET and ASP, which is of vital importance to the protection of legacy ASP applications, as they have been the target of several massive SQLIAs since October 2007.
000000178 6531_ $$aSQL Injection
000000178 6531_ $$aWeb Application Security
000000178 6531_ $$aSQLPrevent
000000178 8560_ $$fsantsais@ece.ubc.ca
000000178 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/178/files/178.pdf$$yTransfer from CDS 0.99.7
000000178 909C4 $$pSan-Tsai Sun and Konstantin Beznosov, "SQLPrevent: Effective Dynamic Protection Against SQL Injection Attacks," Tech. Rep. LERSSE-TR-2009-32, Laboratory for Education and Research in Secure Systems Engineering, University of British Columbia, March 2009
000000178 980__ $$aREPORT