{"title":"Object oriented approach to SQL injection preventer","authors":"D. Giri, S. P. Kumar, L. Prasannakumar, R. Murthy","doi":"10.1109/ICCCNT.2012.6395979","DOIUrl":null,"url":null,"abstract":"Many web applications can be exposed to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases and has become increasingly frequent and serious. This paper presents a new highly automated approach for protecting Web applications against SQL injection that has both theoretical and practical advantages over most existing techniques. From a theoretical view, the approach is based on the idea of positive tainting and on the concept of syntax-aware evaluation. From a practical view, our technique is efficient, has minimal deployment requirements, and has a negligible performance overhead in most cases. We have implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool, where a wide range of Web applications were subjected to a large and varied set of attacks and legal accesses. We considered login validation of user in an online banking system. WASP was able to stop all of these attacks and did not generate any false positives.","PeriodicalId":364589,"journal":{"name":"2012 Third International Conference on Computing, Communication and Networking Technologies (ICCCNT'12)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2012-07-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 Third International Conference on Computing, Communication and Networking Technologies (ICCCNT'12)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICCCNT.2012.6395979","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 2
Abstract
Many web applications can be exposed to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases and has become increasingly frequent and serious. This paper presents a new, highly automated approach for protecting Web applications against SQL injection that has both theoretical and practical advantages over most existing techniques. From a theoretical view, the approach is based on the idea of positive tainting and on the concept of syntax-aware evaluation. From a practical view, our technique is efficient, has minimal deployment requirements, and has a negligible performance overhead in most cases. We have implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool and evaluated it by subjecting a wide range of Web applications to a large and varied set of attacks and legal accesses. We considered login validation of users in an online banking system. WASP was able to stop all of these attacks and did not generate any false positives.