Article
DOI: 10.1145/1108473.1108496

Using parse tree validation to prevent SQL injection attacks

Published: 05 September 2005

ABSTRACT

An SQL injection attack targets interactive web applications that use database services. Such applications accept user input, for example from form fields, and include it in database requests, typically SQL statements. In SQL injection, the attacker supplies input that produces a database request different from the one the application programmer intended: interpreted as part of a larger SQL statement, the input yields a statement of a different form than the original. We describe a technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities. The technique compares, at run time, the parse tree of the SQL statement before user input is included with the parse tree of the statement that results after the input is included; a mismatch shows that the input has changed the statement's structure. Our solution is efficient, adding about 3 ms of overhead to the cost of a database query. It is also easily adopted by application programmers, since it has the same syntactic structure as current popular record set retrieval methods. For empirical analysis we provide a case study of our solution in J2EE: we implement it as a simple static Java class and show its effectiveness and scalability.
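The check the abstract describes, as an added example in Python rather than the Java class from the paper's J2EE case study: a small SQL parser that turns a statement into a tuple tree, a deliberately vulnerable builder that quotes and splices user input into a template, and a validator that accepts the built query only when its tree equals the tree of the template with its `?` placeholders still in place. The supported grammar (single-table SELECT with an AND/OR WHERE clause), the decision to collapse every literal and placeholder to one `lit` leaf, and the names `tokenize`, `Parser`, `naive_build`, `validate` and `run_samples` are assumptions of this example; the paper's abstract does not specify them. The login template and the four inputs are constructed for the demonstration.

```python
import re
# Added example, not the Java class from the paper's J2EE case study: the template
# with '?' placeholders gives the intended tree, and the query built by naive quoting
# and splicing must parse to the same tree. Grammar, tree shape, names: all assumed.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}
TOKEN_RE = re.compile(  # whitespace | -- comment | 'string' ('' escapes) | number | ident | operator
    r"\s+|--[^\n]*|'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|<>|<=|>=|[=<>*,;?]")

def tokenize(sql):
    """Lex into (kind, text) pairs; an unterminated quote is a SyntaxError."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            raise SyntaxError(f"bad character {sql[pos]!r} at offset {pos}")
        text, pos = m.group(0), m.end()
        if text.isspace() or text.startswith("--"):
            continue                  # comments vanish, exactly as in the DBMS
        kind = ("STR" if text[0] == "'" else "NUM" if text[0].isdigit()
                else "KW" if text.upper() in KEYWORDS
                else "ID" if text[0].isalpha() or text[0] == "_" else "OP")
        tokens.append((kind, text.upper() if kind == "KW" else text))
    return tokens + [("EOF", "")]

class Parser:
    """Recursive descent for: SELECT select_list FROM table WHERE expr"""
    def __init__(self, sql):
        self.toks, self.i = tokenize(sql), 0
    def peek(self):
        return self.toks[self.i]
    def take(self, kind=None, text=None):
        tok = self.toks[self.i]
        if (kind and tok[0] != kind) or (text and tok[1] != text):
            raise SyntaxError(f"expected {text or kind}, got {tok[1]!r}")
        self.i += 1
        return tok
    def statement(self):
        self.take("KW", "SELECT")
        cols = []                     # select list kept as raw tokens
        while self.peek() not in (("KW", "FROM"), ("EOF", "")):
            cols.append(self.take()[1])
        self.take("KW", "FROM")
        table = self.take("ID")[1]
        self.take("KW", "WHERE")
        where = self.expr()
        self.take("EOF")              # leftover tokens (a stacked statement) fail here
        return ("select", tuple(cols), table, where)
    def expr(self):                   # and_expr (OR and_expr)*
        left = self.and_expr()
        while self.peek() == ("KW", "OR"):
            self.take()
            left = ("or", left, self.and_expr())
        return left
    def and_expr(self):               # comparison (AND comparison)*
        left = self.comparison()
        while self.peek() == ("KW", "AND"):
            self.take()
            left = ("and", left, self.comparison())
        return left
    def comparison(self):             # operand [op operand]
        left = self.operand()
        if self.peek()[0] == "OP" and self.peek()[1] in {"=", "<>", "<", ">", "<=", ">="}:
            return ("cmp", self.take()[1], left, self.operand())
        return left
    def operand(self):
        kind, text = self.take()
        if kind in ("STR", "NUM") or text == "?":
            return ("lit",)           # only the shape matters, never the value
        if kind == "ID":
            return ("col", text)
        raise SyntaxError(f"unexpected {text!r}")

def parse(sql):
    return Parser(sql).statement()

def naive_build(template, values):
    """The vulnerable construction under test: quote and splice, no escaping."""
    parts = template.split("?")       # assumes '?' occurs only as a placeholder
    if len(parts) != len(values) + 1:
        raise ValueError("placeholder/value count mismatch")
    return parts[0] + "".join(f"'{v}'{rest}" for v, rest in zip(values, parts[1:]))

def validate(template, values):
    """Return (accepted, built_sql): accepted only if both parse trees are equal."""
    intended, built = parse(template), naive_build(template, values)
    try:
        return parse(built) == intended, built
    except SyntaxError:
        return False, built           # unparsable (e.g. unbalanced quote) is rejected

TEMPLATE = "SELECT id, role FROM users WHERE name = ? AND pw = ?"
SAMPLES = {                           # constructed inputs: one login, three attacks
    "benign":    ("alice", "s3cret"),
    "tautology": ("' OR '1'='1", "x"),
    "comment":   ("admin'--", "x"),
    "stacked":   ("'; DROP TABLE users; --", "x"),
}
def run_samples():
    return {name: validate(TEMPLATE, vals)[0] for name, vals in SAMPLES.items()}
```

`run_samples()` accepts only the benign login: the tautology adds an `or` node, the `--` comment removes the second `and` operand, and the stacked statement leaves tokens after the first statement, so none of the three attack queries has the template's tree and none would be sent to the database. An input that stays a single literal, such as `5 OR 1=1` inside the quotes, is accepted, and correctly so, since it cannot change the statement's structure. Two caveats a practitioner should keep in mind: a legitimate value like `O'Brien` is also rejected here, because the naive builder's unescaped quote breaks the query, which shows that the validator is a safety net on top of broken string construction rather than a substitute for parameterized queries; and the guard is only as good as the match between its own parser and the DBMS dialect (quoting and comment syntax in particular), since any construct the database parses differently from the validator is where such a check can be bypassed.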


Published in

SEM '05: Proceedings of the 5th international workshop on Software engineering and middleware
September 2005, 121 pages
ISBN: 1595932054
DOI: 10.1145/1108473

    Copyright © 2005 ACM

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States


Qualifiers: Article

Overall acceptance rate: 22 of 59 submissions (37%)
