Elsevier

Computers & Security

Volume 44, July 2014, Pages 104-118
Computers & Security

Detecting SQL injection attacks using query result size

https://doi.org/10.1016/j.cose.2014.04.007Get rights and content

Abstract

Web applications are becoming an essential part of our everyday lives, with many of our activities dependent on the functionality and security of these applications. Web applications are ubiquitous, perform mission critical tasks, and handle sensitive user data. As the scale of these applications grows, injection vulnerabilities, such as SQL injections, become major security challenges. Most of these vulnerabilities stem from a lack of input validation; that is, web applications use malicious input as part of a sensitive operation without properly checking or sanitizing the input values. SQL injection attacks target databases that are accessible through a web front-end; moreover, they take advantage of flaws in the input validation logic of web components. In this paper, we exhibit a novel scheme that automatically transforms web applications, rendering them safe against SQL injection attacks. Our technique dynamically analyzes the developer-intended query result size for any input, and detects attacks by comparing this against the result of the actual query. We implement this technique in a tool for protecting Java-based web applications. An experimental evaluation demonstrates that our technique is effective against SQL injection vulnerabilities.

Introduction

Web applications using database-driven content have become a common and widespread technology. They typically provide customized content after receiving information (e.g., account name and password) from a user, and interface with databases that contain information such as customer names, preferences, credit card numbers, and purchase orders. Therefore, it is important that web applications prevent attackers from gaining unauthorized access to the system, accessing private information, or simply causing a denial of service (Alhuzali et al., 2012). Despite this requirement, many application vulnerabilities still exist in web applications (OWASP, Top Ten 2013, 2013, http://www.owasp.org/).

SQL injection is a technique for maliciously exploiting applications that use client-supplied data in SQL statements. Attackers trick the target operations (SQL sink or structure of SQL queries) into executing unintended commands by supplying specially crafted input sources (inputs either provided by the user or another program). In this way, attackers gain unauthorized access to a database, allowing them to view or manipulate restricted data (Balzarotti et al., 2008). Using SQL injection vulnerabilities, an attacker may read, modify, or even delete database information. In many cases, this information is confidential or sensitive. The causes of SQL injection vulnerabilities are relatively simple and well understood. A SQL Injection Attack (SQLIA) is a class of code injection that takes advantage of a lack of validation of input sources (Lee et al., 2012, Tajpour et al., 2012). These attacks occur when developers combine hard-coded strings with user-provided input to create queries. If input sources are not properly validated, attackers may be able to change the developer's intended SQL query by inserting new SQL keywords through specially crafted input strings.

Sanitization is a particular type of input validation. Generally, sanitization removes potentially malicious elements from the input sources (Aljawarneh and Alkhateeb, 2009). In addition, sanitization is performed prior to the use of external input parameters in target operations.

Although SQL injection vulnerabilities have recently received a great deal of attention, many proposed solutions fail to address the full scope of the problem (Ficco et al., 2009, OWASP Top Ten 2013, 2013, http://www.owasp.org/; Sheikh, 2011). Moreover, attackers continue to find new exploits (Choraś et al., 2013, SQL Injection Walkthrough, http://www.governmentsecurity.org/forum/topic/183-sql-injection-walkthrough/). Most solutions and preventive measures assume that, if a regular expression or built-in validation function is applied to the input source, the result is safe to use. Unfortunately, this is not always the case. For example, it is possible to apply a sanitization function to certain malicious values; however, this does not offer complete protection from all attacks (Ficco et al., 2009). In model checking-based analysis (see Section 2), false negatives (attacks that succeed) can occur because the attack pattern definitions are incomplete or incorrect. General tools, such as a proxy or Instruction Detection System (IDS), are also largely ineffective against SQLIAs, which are performed through ports used for regular web traffic (Halfond and Orso, 2005). Structural matching techniques, such as a parse tree, also suffer from false negatives when an attack query's parse tree matches an expected structure (see Section 4.2).

In this paper, we propose a technique that estimates the query result size to prevent SQL injection attack. This method automatically estimates a safe substituted query cost at each SQL query location. The crux of the technique is to (1) determine the information needed to check the attack patterns of the queries generated by an application, and (2) apply an estimation technique to compare these substituted query costs using the query result size. Therefore, our technique first uses taint propagation to analyze the application code and automatically check the legitimate queries that could be generated by the application. Next, the technique estimates the size of the generated query results. Queries that have different result sizes are classified as illegal, and are prevented from being executed on the database. We implement the Injection Detector Libraries (IDLs) tool, and use this to evaluate the proposed technique on a set of five subjects and various real-world applications (Halfond and Orso, 2005, The MITRE Corporation, http://www.cve.mitre.org/). We target these subjects with a large number of both legitimate accesses and SQLIAs.

The contributions of this paper are as follows:

  • We describe a positive tainting technique that characterizes the sanitization process by modeling the way in which an application processes input values.

  • We introduce a new technique that counters SQLIAs by estimating the query result size.

  • We implement our approach and demonstrate its effectiveness.

The remainder of this paper is organized as follows: Section 2 presents a survey of previous related work. Section 3 discusses query result size estimation with a sample relational database, and Section 4 illustrates our approach using an example. Section 5 describes the system architecture, and Section 6 details its implementation. Section 7 contains a comparison evaluation, and, finally, Section 8 presents our conclusions.

Section snippets

Proxy filers-based analysis

Scott and Sharp (2002) proposed the use of proxy filters to detect SQLIAs. Their proxy filtering system is based on an input validation rule for the data flowing to a web application. Using their SPDL (Security Policy Descriptor Language), developers provide constraints and specify which transformations are to be applied to application parameters as they flow from the web page to the application server. Boyd and Keromytis (2004) described SQLrand, which provides a framework allowing developers

Sample relational database

Table 1 shows a simple invoice relational database. This relational schema (R-schema) model consists of 5 tables and 20 columns. Each book can take one or more invoices, each author can take one or more books, and each delivery can take one or more invoices. The ‘type’ column can be null. In addition, each book is related to one or more publishers and authors. One explicit referential integrity relation is shown in Fig. 1: {(Book.BID, Invoice.BID)}.

Fig. 1 illustrates the initial R-schema model

Query size-based sanitization approach

In this section, we analyze the input validation sanitization to identify potential SQL injection vulnerabilities. We check which elements, of those that pose a security risk, are contained for each target operation. More precisely, we attempt to confirm the existence of potential security vulnerabilities that can bypass the sanitization and reach the target operation.

System architecture

The software architecture consists of a substitution variable verification (SVV) layer and a query cost estimator (QCE) layer, as described in Fig. 5. The objective is to develop an automated approach to prevent vulnerability attacks.

  • Substitution Variable Verification (SVV): SVV consists of three components. The regular expression checker (REC) receives the real variables in the SQL queries, and filters out attack patterns against the regular expressions. The vulnerability detector (VD)

Implementation

In this section, we describe the sanitization process for the input variables, and propose an approach for the detection of vulnerable input variables. We utilize the specialized IDLs (Injection Detector Libraries), which accurately and efficiently validate the SQL queries.

Evaluation

We evaluated our approach with respect to two metrics: (a) experimental effectiveness, and (b) acceptable performance accuracy.

Conclusion and future work

In this paper, we have presented a novel technique that modifies applications to guard themselves against SQLIAs. We implemented our approach, and, by applying it to applications, identified novel vulnerabilities that stem from incorrect or incomplete sanitization. The main finding is that, by using a substitute input variable and query size-based sanitization, it is possible to detect and prevent SQL queries that include injection vulnerabilities. Our approach provides evidence that it is

Role of funding source

No funding was received for this study.

Conflict of interest

There are no conflicts of interests to declare.

Author contribution

The work presented here was carried out in collaboration between all authors. Y.-S.J. and J.-Y.C. designed methods and experiments, carried out the experiments, analyzed the data, interpreted the results and wrote the paper. J.-Y.C. discussed analyses and presentation. Y.-S.J. and J.-Y.C. prepared the manuscript. All authors have contributed to, seen and approved the manuscript.

Acknowledgments

This research was supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2014-H0301-14-1023) supervised by the NIPA (National IT Industry Promotion Agency).

Young-Su Jang received M.S. degree in Computer Science from Korea University, Seoul, Korea, in 2011. Currently, he is a Ph.D. candidate with the Computer Science and Engineering Department, Korea University, Seoul, Korea. His current research interests are secure software engineering, secure coding, and security.

References (61)

  • I. Lee et al.

    A novel method for SQL injection attack detection based on removing SQL query attribute values

    Math Comp Model

    (2012)
  • T. Scholte et al.

    Have things changed now? An empirical study on input validation vulnerabilities in web applications

    Comput Secur

    (2012)
  • A. Alhuzali et al.

    Analysis of SQL injection methods and its prevention

    (2012)
  • S. Ali et al.

    SQLIPA: an authentication mechanism against SQL injection

    Eur J Sci Res

    (2009)
  • S. Aljawarneh et al.

    Design and implementation of new data validation service (NDVS) using semantic web technologies in web applications

  • D.R. Anekar

    SQL injection detection and prevention mechanism using positive tainting and syntax aware evaluation

    Int J Adv Comput Inf Res

    (2012)
  • S. Artzi et al.

    Finding bugs in web applications using dynamic test generation and explicit-state model checking

    IEEE Trans Softw Eng

    (2010)
  • D. Balzarotti et al.

    Saner: composing static and dynamic analysis to validate sanitization in web applications

    Secur Priv

    (2008)
  • P. Bisht et al.

    CANDID: dynamic candidate evaluations for automatic prevention of SQL injection attacks

    ACM Trans Inf Syst Secur

    (2010)
  • S.W. Boyd et al.

    SQLrand: preventing SQL injection attacks

  • W. Breitling

    Fallacies of the cost based optimizer

  • G. Buehrer et al.

    Using parse tree validation to prevent SQL injection attacks

  • C. Cadar et al.

    Symbolic execution for software testing in practice: preliminary assessment

  • M. Choraś et al.

    Correlation approach for SQL injection attacks detection

  • A. Christensen et al.

    Precise analysis of string expressions

  • S. Clark et al.

    Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities

  • Compiler construction with Java. http://catalog.compilertools.net/java.html [accessed on...
  • R. Elmasri et al.

    Fundamentals of database systems

    (2010)
  • Exploits Database by offensive security. http://www.exploit-db.com [accessed on...
  • A. Felt et al.

    Diesel: applying privilege separation to database access

  • M. Ficco et al.

    A weight-based symptom correlation approach to SQL injection attacks

    Dependable Comput

    (2009)
  • R.A. Gandhi et al.

    Studying software vulnerabilities

    CrossTalk

    (2010)
  • V. Haldar et al.

    Dynamic taint propagation for JAVA

  • W.G. Halfond et al.

    Using positive tainting and syntax-aware evaluation to counter SQL injection attacks

  • W.G. Halfond et al.

    Amnesia: analysis and monitoring for neutralizing SQL injection attacks

  • B. Harangsri

    Query result size estimation techniques in database systems

    (1998)
  • R. Hu et al.

    Type-safe eventful sessions in Java

  • M. Junjin

    An approach for SQL injection vulnerability detection

  • G. Kabra et al.

    Redundancy and information leakage in fine-grained access control

  • E. Kirda et al.

    Noxes: a client-side solution for mitigating cross-site scripting attacks

  • Cited by (0)

    Young-Su Jang received M.S. degree in Computer Science from Korea University, Seoul, Korea, in 2011. Currently, he is a Ph.D. candidate with the Computer Science and Engineering Department, Korea University, Seoul, Korea. His current research interests are secure software engineering, secure coding, and security.

    Jin-Young Choi received M.S. degree from Drexel University, Philadelphia, PA, in 1986, and Ph.D. degree from the University of Pennsylvania, Philadelphia, in 1993. He is currently a Professor with the Computer Science and Engineering Department, Korea University, Seoul, Korea. His current research interests are real-time computing, formal methods, programming languages, process algebras, security, and secure software engineering.

    View full text