SQL Injections 2015

SoS Newsletter - Advanced Book Block


SQL Injections


SQL injection is used to attack data-driven applications: malicious SQL statements are inserted into an entry field so that the database executes them, for example to dump the database contents to the attacker. One of the most common hacker techniques, SQL injection exploits a security vulnerability in an application's software. It is mostly used against websites but can be used to attack any type of SQL database. Because of its prevalence and its ease of use from the hacker's perspective, it is an important area for research. The articles cited here focus on prevention, detection, and testing. These works were presented in 2015.

Li Qian; Zhenyuan Zhu; Jun Hu; Shuying Liu, “Research of SQL Injection Attack and Prevention Technology,” in Estimation, Detection and Information Fusion (ICEDIF), 2015 International Conference on, vol., no., pp. 303–306, 10–11 Jan. 2015. doi:10.1109/ICEDIF.2015.7280212
Abstract: SQL injection attack is one of the most serious security vulnerabilities in Web application systems; most of these vulnerabilities are caused by a lack of input validation and of SQL parameter use. Typical SQL injection attack and prevention technologies are introduced in the paper. The detecting methods not only validate user input, but also use type-safe SQL parameters. An SQL injection defense model is established according to the detection processes, which is effective against SQL injection vulnerabilities.
Keywords: SQL injection; defence model; input validation; prevention technology (ID#: 15-7282)


Nagpal, B.; Singh, N.; Chauhan, N.; Panesar, A., “Tool Based Implementation of SQL Injection for Penetration Testing,” in Computing, Communication & Automation (ICCCA), 2015 International Conference on, vol., no., pp. 746–749, 15–16 May 2015. doi:10.1109/CCAA.2015.7148509
Abstract: Web applications are a fundamental pillar of today’s world. Society depends on them for business and day-to-day tasks. Because of their extensive use, Web applications are under constant attack by hackers that exploit their vulnerabilities to disrupt business and access confidential information. SQL Injection and Remote File Inclusion are the two most frequently used exploits, and hackers prefer easier rather than complicated attack techniques. Every day, as the number of Internet users increases, attacking the vulnerabilities of a system is becoming easier. SQL Injection is one of the most common attack methods being used these days. Havij is one of the tools used to implement SQL Injection, which will be discussed in this paper. Our research objective is to analyse the use of Havij in penetration testing in the IT industry and to compare various SQL Injection tools available in the market.
Keywords: SQL; program testing; Havij tools; IT industry; Internet users; SQL injection; Web applications; attack method; confidential information access; penetration testing; remote file inclusion; system vulnerabilities; tool based implementation; Automation; Computer Hacking; Databases; Industries; Servers; Testing; Havij; Implementation of SQL Injection; Penetration Testing; SQL Injection; Tools for SQL Injection (ID#: 15-7283)


Hanmanthu, B.; Ram, B. Raghu; Niranjan, P., “SQL Injection Attack Prevention Based on Decision Tree Classification,” in Intelligent Systems and Control (ISCO), 2015 IEEE 9th International Conference on, vol., no., pp. 1–5, 9–10 Jan. 2015. doi:10.1109/ISCO.2015.7282227
Abstract: In the real world, as dependence on World Wide Web applications increases day by day, they have become vulnerable to security attacks. Out of all the different attacks, the SQL Injection Attacks are the most common. In this paper we propose SQL injection vulnerability prevention by a decision tree classification technique. The proposed model makes use of the well-known decision tree classification model to prevent SQL injection attacks. The proposed model will filter the sent HTTP requests by using decision-tree-classification-based attack signatures. We test our proposed model on synthetic data, which gave satisfactory results.
Keywords: Decision trees; Information filters; Random access memory; Robustness; Uniform resource locators; Data Mining; Decision Tree; SQL Injection Attack; Web Security (ID#: 15-7284)


Sonewar, P.A.; Mhetre, N.A., “A Novel Approach for Detection of SQL Injection and Cross Site Scripting Attacks,” in Pervasive Computing (ICPC), 2015 International Conference on, vol., no., pp. 1–4, 8–10 Jan. 2015. doi:10.1109/PERVASIVE.2015.7087131
Abstract: Web applications provide a vast category of functionalities and usefulness. As more and more sensitive data is available over the internet, hackers are becoming more interested in revealing such data, which can cause massive damage. SQL injection is one such attack. This attack can be used to infiltrate the database of any web application, which may lead to alteration of the database or disclosure of important information. Cross site scripting is one more attack, in which the attacker obfuscates the input given to the web application, which may lead to changes in the view of the web page. Three-tier web applications can be categorized statically and dynamically for detecting and preventing these types of attacks. A mapping model, in which requests are mapped on queries, can be used effectively to detect such kinds of attacks, and prevention logic can be applied.
Keywords: Internet; SQL; Web sites; security of data; SQL injection detection; Web applications; Web page; cross site scripting attack; database infiltration; mapping model; prevention logic; Blogs; Computers; Conferences; Databases; Intrusion detection; Uniform resource locators; Cross Site Scripting (XSS); Intrusion Detection System (IDS); SQL injection attack; Tier Web Application; Web Security Vulnerability (ID#: 15-7285)


Appelt, D.; Nguyen, C.D.; Briand, L., “Behind an Application Firewall, Are We Safe from SQL Injection Attacks?,” in Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on, vol., no., pp. 1–10, 13–17 April 2015. doi:10.1109/ICST.2015.7102581
Abstract: Web application firewalls are an indispensable layer to protect online systems from attacks. However, the fast pace at which new kinds of attacks appear and their sophistication require that firewalls be updated and tested regularly as otherwise they will be circumvented. In this paper, we focus our research on web application firewalls and SQL injection attacks. We present a machine learning-based testing approach to detect holes in firewalls that let SQL injection attacks bypass. At the beginning, the approach can automatically generate diverse attack payloads, which can be seeded into inputs of web-based applications, and then submit them to a system that is protected by a firewall. Incrementally learning from the tests that are blocked or passed by the firewall, our approach can then select tests that exhibit characteristics associated with bypassing the firewall and mutate them to efficiently generate new bypassing attacks. In the race against cyber attacks, time is vital. Being able to learn and anticipate more attacks that can circumvent a firewall in a timely manner is very important in order to quickly fix or fine-tune the firewall. We developed a tool that implements the approach and evaluated it on ModSecurity, a widely used application firewall. The results we obtained suggest a good performance and efficiency in detecting holes in the firewall that could let SQLi attacks go undetected.
Keywords: Internet; SQL; firewalls; learning (artificial intelligence); ModSecurity; SQL injection attacks; SQLi attacks; Web application firewalls; bypassing attacks; cyber attacks; machine learning-based testing approach; online system protection; Databases; Grammar; Radio access networks; Security; Servers; Syntactics; Testing (ID#: 15-7286)


Naderi-Afooshteh, Abbas; Nguyen-Tuong, Anh; Bagheri-Marzijarani, Mandana; Hiser, Jason D.; Davidson, Jack W., “Joza: Hybrid Taint Inference for Defeating Web Application SQL Injection Attacks,” in Dependable Systems and Networks (DSN), 2015 45th Annual IEEE/IFIP International Conference on, vol., no., pp. 172–183, 22–25 June 2015. doi:10.1109/DSN.2015.13
Abstract: Despite years of research on taint-tracking techniques to detect SQL injection attacks, taint tracking is rarely used in practice because it suffers from high performance overhead, intrusive instrumentation, and other deployment issues. Taint inference techniques address these shortcomings by obviating the need to track the flow of data during program execution by inferring markings based on either the program’s input (negative taint inference), or the program itself (positive taint inference). We show that existing taint inference techniques are insecure by developing new attacks that exploit inherent weaknesses of the inferencing process. To address these exposed weaknesses, we developed Joza, a novel hybrid taint inference approach that exploits the complementary nature of negative and positive taint inference to mitigate their respective weaknesses. Our evaluation shows that Joza prevents real-world SQL injection attacks, exhibits no false positives, incurs low performance overhead (4%), and is easy to deploy.
Keywords: Approximation algorithms; Databases; Encoding; Inference algorithms; Optimization; Payloads; Security; SQL injection; Taint inference; Taint tracking; Web application security (ID#: 15-7287)


Pramod, A.; Ghosh, A.; Mohan, A.; Shrivastava, M.; Shettar, R., “SQLI Detection System for a Safer Web Application,” in Advance Computing Conference (IACC), 2015 IEEE International on, vol., no., pp. 237–240, 12–13 June 2015. doi:10.1109/IADCC.2015.7154705
Abstract: SQL Injection (SQLI) is a quotidian phenomenon in the field of network security. It is a potent and effective way of intruding into secured databases, thereby jeopardizing the confidentiality, integrity and availability of information in them. SQL Injection works by inserting malicious queries into legal queries, thereby rendering it increasingly arduous for most detection systems to be able to discern its occurrence. Hence, the need of the hour is to build a coherent and smart SQL Injection detection system to make web applications safer and thus more reliable. Unlike a great majority of current detection tools and systems that are deployed at a region between the web server and the database server, the proposed system is deployed between the client and the web server, thereby shielding the web server from the inimical impacts of the attack. This approach is nascent and efficient in terms of detection, ranking and notification of the attack, designed using a pattern matching algorithm based on the concept of hashing.
Keywords: Internet; SQL; computer network security; cryptography; file organisation; file servers; pattern matching; SQL Injection; SQLI detection system; Web application; Web server; database security; database server; hashing function; network security; pattern matching algorithm; Algorithm design and analysis; Databases; Inspection; Security; Time factors; Web servers; Deep Packet Inspection; Hardware Network Analyzer; SQL injection attack (ID#: 15-7288)


Bulusu, P.; Shahriar, H.; Haddad, H.M., “Classification of Lightweight Directory Access Protocol Query Injection Attacks and Mitigation Techniques,” in Collaboration Technologies and Systems (CTS), 2015 International Conference on, vol., no., pp. 337–344, 1–5 June 2015. doi:10.1109/CTS.2015.7210446
Abstract: The Lightweight Directory Access Protocol (LDAP) is used in a large number of web applications, and therefore, different types of LDAP injection attacks are becoming common. These injection attacks take advantage of an application not validating inputs before they are used as part of LDAP queries. An attacker can provide inputs that may result in the alteration of the intended LDAP query structure. The attacks can lead to various types of security breaches including Login Bypassing, Information Disclosure, Privilege Escalation, and Information Alteration. Despite many research efforts to prevent LDAP injection attacks, many web applications remain vulnerable to such attacks. In particular, there has been little attention given to implementing and testing secure web applications that can mitigate LDAP query injection attacks. More attention has been given to preventing Structured Query Language (SQL) injection attacks, but these mitigation techniques cannot be directly applied in order to prevent LDAP injection attacks. This work provides analysis and classification of various types of LDAP injection attacks and mitigation techniques used to prevent them, and it highlights the differences between SQL and LDAP injection attacks.
Keywords: SQL; cryptographic protocols; pattern classification; query processing; LDAP injection attacks; LDAP query injection attacks; LDAP query structure; SQL injection attacks; information alteration; information disclosure; lightweight directory access protocol mitigation techniques; lightweight directory access protocol query injection attack classification; login bypassing; privilege escalation; security breach; structured query language injection attacks; DVD; Decision support systems; LDAP injection; SQL injection; mitigation technique (ID#: 15-7289)


Palma Salas, M.I.; Martins, E., “A Black-Box Approach to Detect Vulnerabilities in Web Services Using Penetration Testing,” in Latin America Transactions, IEEE (Revista IEEE America Latina), vol.13, no.3, pp. 707–712, March 2015. doi:10.1109/TLA.2015.7069095
Abstract: Web services work over dynamic connections among distributed systems. This technology was specifically designed to easily pass SOAP messages through firewalls using open ports. These benefits involve a number of security challenges, such as Injection Attacks, phishing, Denial-of-Service (DoS) attacks, and so on. The difficulty of detecting vulnerabilities before they are exploited encourages developers to use security testing, like penetration testing, to reduce the potential attacks. Given a black-box approach, this research uses penetration testing to emulate a series of attacks, such as Cross-site Scripting (XSS), Fuzzing Scan, Invalid Types, Malformed XML, SQL Injection, XPath Injection and XML Bomb. To this end, the soapUI vulnerability scanner was used in order to emulate these attacks and insert malicious scripts in the requests of the web services tested. Furthermore, a set of rules was developed to analyze the responses in order to reduce false positives and negatives. The results suggest that 97.1% of web services have at least one vulnerability to these attacks. We also determined a ranking of these attacks against web services.
Keywords: Web services; XML; firewalls; program testing; DoS attacks; SOAP message; SQL injection attack; Web service testing; XML bomb attack; XPath injection attack; XSS attack; black-box approach; cross-site scripting attack; denial-of-services attacks; distributed systems; dynamic connections; firewalls; fuzzing scan attack; injection attacks; invalid type attack; malformed XML attack; malicious scripts; penetration testing; phishing; security testing; soapUI vulnerability scanner; vulnerability detection; Security; Servers; Simple object access protocol; Testing; Weapons; Cross-site Scripting; Fuzzing Scan; Invalid Types; Malformed XML; SQL Injection; XML Bomb; XPath Injection; XSS; penetration testing; web services (ID#: 15-7290)


Zibordi de Paiva, O.; Ruggiero, W.V., “A Survey on Information Flow Control Mechanisms in Web Applications,” in High Performance Computing & Simulation (HPCS), 2015 International Conference on, vol., no., pp. 211–220, 20–24 July 2015. doi:10.1109/HPCSim.2015.7237042
Abstract: Web applications are nowadays ubiquitous channels that provide access to valuable information. However, web application security remains problematic, with Information Leakage, Cross-Site Scripting and SQL-Injection vulnerabilities — which all present threats to information — standing among the most common ones. On the other hand, Information Flow Control is a mature and well-studied area, providing techniques to ensure the confidentiality and integrity of information. Thus, numerous works have proposed the use of these techniques to improve web application security. This paper provides a survey on some of these works that propose server-side only mechanisms, which operate in association with standard browsers. It also provides a brief overview of the information flow control techniques themselves. At the end, we draw a comparative scenario between the surveyed works, highlighting the environments for which they were designed and the security guarantees they provide, also suggesting directions in which they may evolve.
Keywords: Internet; SQL; security of data; SQL-injection vulnerability; Web application security; cross-site scripting; information confidentiality; information flow control mechanisms; information integrity; information leakage; server-side only mechanisms; standard browsers; ubiquitous channels; Browsers; Computer architecture; Context; Security; Standards; Web servers; Cross-Site Scripting; Information Flow Control; Information Leakage; SQL Injection; Web Application Security (ID#: 15-7291)


Gillman, D.; Yin Lin; Maggs, B.; Sitaraman, R.K., “Protecting Websites from Attack with Secure Delivery Networks,” in Computer, vol. 48, no. 4, pp. 26–34, April 2015. doi:10.1109/MC.2015.116
Abstract: Secure delivery networks can help prevent or mitigate the most common attacks against mission-critical websites. A case study from a leading provider of content delivery services illustrates one such network’s operation and effectiveness. The Web extra at is an overview of the evolving threat landscape with Akamai Director of Web Security Solutions Product Marketing, Dan Shugrue. Dan also shares how Akamai’s Kona Site Defender service handles the increasing frequency, volume and sophistication of Web attacks with a unique architecture that is always on and doesn’t degrade performance.
Keywords: Web sites; security of data; Web attacks; Website protection; content delivery services; mission-critical Websites; secure delivery networks; Computer crime; Computer security; Firewalls (computing); IP networks; Internet; Protocols; Akamai Technologies; DDoS attacks; DNS; Domain Name System; Internet/Web technologies; Operation Ababil; SQL injection; WAF; Web Application Firewall; XSS; cache busting; cross-site scripting; cybercrime; distributed denial-of-service attacks; distributed systems; floods; hackers; security (ID#: 15-7292)


Antunes, N.; Vieira, M., “Assessing and Comparing Vulnerability Detection Tools for Web Services: Benchmarking Approach and Examples,” in Services Computing, IEEE Transactions on, vol. 8, no. 2, pp. 269–283, March–April 2015. doi:10.1109/TSC.2014.2310221
Abstract: Selecting a vulnerability detection tool is a key problem that is frequently faced by developers of security-critical web services. Research and practice show that state-of-the-art tools present low effectiveness both in terms of vulnerability coverage and false positive rates. The main problem is that such tools are typically limited in the detection approaches implemented, and are designed to be applied in very concrete scenarios. Thus, using the wrong tool may lead to the deployment of services with undetected vulnerabilities. This paper proposes a benchmarking approach to assess and compare the effectiveness of vulnerability detection tools in web services environments. This approach was used to define two concrete benchmarks for SQL Injection vulnerability detection tools. The first is based on a predefined set of web services, and the second allows the benchmark user to specify the workload that best portrays the specific characteristics of his environment. The two benchmarks are used to assess and compare several widely used tools, including four penetration testers, three static code analyzers, and one anomaly detector. Results show that the benchmarks accurately portray the effectiveness of vulnerability detection tools (in a relative manner) and suggest that the proposed benchmarking approach can be applied in the field.
Keywords: Web services; program diagnostics; security of data; SQL injection vulnerability detection tools; anomaly detector; benchmarking approach; false positive rates; penetration testers; security-critical Web services; static code analyzers; vulnerability coverage; Benchmark testing; Computer bugs; Measurement; Security; Benchmarking; runtime anomaly detection; penetration testing; static analysis; vulnerability detection (ID#: 15-7293)


Hermerschmidt, L.; Kugelmann, S.; Rumpe, B., “Towards More Security in Data Exchange: Defining Unparsers with Context-Sensitive Encoders for Context-Free Grammars,” in Security and Privacy Workshops (SPW), 2015 IEEE, vol., no., pp. 134–141, 21–22 May 2015. doi:10.1109/SPW.2015.29
Abstract: To exchange complex data structures in distributed systems, documents written in context-free languages are exchanged among communicating parties. Unparsing these documents correctly is as important as parsing them correctly, because errors during unparsing result in injection vulnerabilities such as cross-site scripting (XSS) and SQL injection. Injection attacks are not limited to the web world. Every program that uses input to produce documents in a context-free language may be vulnerable to this class of attack. Even for widely used languages such as HTML and JavaScript, there are few approaches that prevent injection attacks by context-sensitive encoding, and those approaches are tied to the language. Therefore, the aim of this paper is to derive context-sensitive encoders from context-free grammars to provide correct unparsing of maliciously crafted input data for all context-free languages. The presented solution integrates encoder definition into context-free grammars and provides a generator for context-sensitive encoders and decoders that are used during (un)parsing. This unparsing process results in documents where the input data neither influences the structure of the documents nor changes their intended semantics. By defining encoding during language definition, developers who use the language are provided with a clean interface for writing and reading documents written in that language, without the need to care about security-relevant encoding.
Keywords: Internet; context-free grammars; context-free languages; context-sensitive grammars; data structures; electronic data interchange; security of data; HTML; JavaScript; SQL injection; XSS; complex data structures; context-sensitive decoders; context-sensitive encoders; cross-site scripting; data exchange security; distributed systems; injection attack prevention; security-relevant encoding; unparsing process; Context; Decoding; Encoding; Grammar; Libraries; Security; context-sensitive encoder; encoding table; injection vulnerability; unparser (ID#: 15-7294)


Zhong, Yang; Asakura, Hiroshi; Takakura, Hiroki; Oshima, Yoshihito, “Detecting Malicious Inputs of Web Application Parameters Using Character Class Sequences,” in Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual on, vol. 2, no., pp. 525–532, 1–5 July 2015. doi:10.1109/COMPSAC.2015.73
Abstract: Web attacks that exploit vulnerabilities of web applications are still major problems. The number of attacks that maliciously manipulate parameters of web applications, such as SQL injections and command injections, is increasing nowadays. Anomaly detection is effective for detecting these attacks, particularly in the case of unknown attacks. However, existing anomaly detection methods often raise false alarms with normal requests whose parameters differ slightly from those of the learning data, because they perform strict feature matching between the characters that appear as parameter values and those of normal profiles. In this paper we propose a novel anomaly detection method using the abstract structure of parameter values as features of normal profiles. The results of experiments show that our approach reduced the false positive rate more than existing methods, with a comparable detection rate.
Keywords: Accuracy; Electronic mail; Feature extraction; Payloads; Servers; Training; Training data; Anomaly detection; Attack detection; HTTP; Web application (ID#: 15-7295)


Wang, Yaohui; Wang, Dan; Zhao, Wenbing; Liu, Yuan, “Detecting SQL Vulnerability Attack Based on the Dynamic and Static Analysis Technology,” in Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual, vol. 3, no., pp. 604–607, 1–5 July 2015. doi:10.1109/COMPSAC.2015.277
Abstract: Targeting PHP programs, this paper proposes an SQL vulnerability detection method based on injection analysis technology. This method makes a detailed analysis of one-time injection in the aspects of data flow and program behavior, on the basis of a combination of dynamic and static analysis techniques. Then it implements the SQL vulnerability determination algorithm, which is based on lexical feature comparison. At last, this paper combines alias analysis technology, the behavior model and SQL vulnerability determination based on lexical feature comparison to design and establish a prototype system for SQL vulnerability detection. The experiment shows that our system has a strong ability of SQL vulnerability detection and very low time cost.
Keywords: Algorithm design and analysis; Analytical models; Arrays; Computer bugs; Feature extraction; Prototypes; Testing; SQL vulnerabilities; combination of static and dynamic technique; alias analysis; behavior model (ID#: 15-7296)


Trancoso, P., “Getting Ready for Approximate Computing: Trading Parallelism for Accuracy for DSS Workloads,” in Parallel and Distributed Computing (ISPDC), 2015 14th International Symposium on, vol., no., pp. 3–3, June 29 2015–July 2 2015. doi:10.1109/ISPDC.2015.39
Abstract: Summary form only given. Processors have evolved dramatically in the last years and current multicore systems deliver very high performance. We are observing a rapid increase in the number of cores per processor, thus resulting in more dense and powerful systems. Nevertheless, this evolution will meet several challenges such as power consumption and reliability. It is expected that, in order to improve efficiency, future processors will contain units that are able to operate at a very low power consumption with the drawback of not guaranteeing the correctness of the produced results. This model is known as Approximate Computing. One interesting approach to exploit Approximate Computing is to make applications aware of the errors and react accordingly. For this work we focus on Decision Support System Workloads and in particular the standard TPC-H set of queries. We first define a metric that quantifies the correctness of a query result — Quality of Result (QoR). Using this metric we analyse the impact of relaxing the correctness in the DBMS on the accuracy of the query results. In order to improve the accuracy of the results we propose a dynamic adaptive technique that is implemented as a tool above the DBMS. Using heuristics, this tool spawns a number of replica query executions on different cores and combines the results so as to improve the accuracy. We evaluated our technique using real TPC-H queries and data on PostgreSQL with a simple fault injection to emulate the Approximate Computing model. The results show that for the selected scenarios, the proposed technique is able to increase the QoR with a cost in parallel resources smaller than any alternative static approach. The results are very encouraging since the QoR is within 7% of the best possible.
Keywords: SQL; database management systems; decision support systems; multiprocessing systems; parallel processing; query processing; DBMS; DSS workloads; PostgreSQL; QoR; approximate computing; decision support system; future processors; multicore systems; parallelism; power consumption; quality of result; standard TPC-H query set; static approach; Accuracy; Computational modeling; Computer architecture; Computer science; Decision support systems; Parallel processing; Program processors (ID#: 15-7297)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.