TY - GEN
T1 - Detecting and preventing SQL injection attacks
T2 - 1st Cybersecurity and Cyberforensics Conference, CCC 2016
AU - Qbea'H, Mohammad
AU - Alshraideh, Mohammad
AU - Sabri, Khair Eddin
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/10/18
Y1 - 2016/10/18
N2 - There are many organizations using databases to store and hide confidential data. Some of these data are published through the World Wide Web (WWW) and the remaining data are hidden. Unfortunately, attackers usually try to access and steal these hidden data by attacking the structure and the content of the database using an attack technique called Structured Query Language Injection Attack (SQLIA). This technique gives attackers illegal authorization to execute queries on the database through vulnerabilities in input boxes and page URLs. These queries may reveal or change the confidential data. Many techniques are available in the literature to prevent and detect SQLIA. However, these techniques do not consider languages other than English, such as Arabic, Greek, and Japanese. Therefore, these techniques may not be able to discover attacks using such languages. In this paper, we present a formal approach to detect and prevent common types of SQLIA considering multiple languages. We formalize tautology and alternative encoding attacks using regular expressions and finite automata. We consider cases not discussed in the literature. Furthermore, we provide regular expressions and code in ASP.NET which developers can use to detect and prevent attacks on websites that use Microsoft SQL Server 2014 (MSSQL). We validate our work manually and by using tools. Results show that our model can detect and prevent SQL injection attacks, including those using languages other than English.
KW - Encoding
KW - Finite Automata
KW - Regular Expression
KW - SQL Injection
KW - Website Security
UR - http://www.scopus.com/inward/record.url?scp=84994853667&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84994853667&partnerID=8YFLogxK
U2 - 10.1109/CCC.2016.26
DO - 10.1109/CCC.2016.26
M3 - Conference contribution
AN - SCOPUS:84994853667
T3 - Proceedings - 2016 Cybersecurity and Cyberforensics Conference, CCC 2016
SP - 123
EP - 129
BT - Proceedings - 2016 Cybersecurity and Cyberforensics Conference, CCC 2016
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 2 August 2016 through 4 August 2016
ER -