Open Access
A Classification of SQL-Injection Attacks and Countermeasures
TL;DR: An extensive review of the different types of SQL injection attacks known to date is presented, with descriptions and examples of how each type of attack could be performed, together with the existing detection and prevention techniques against SQL injection.
Abstract:
SQL injection attacks pose a serious security threat to Web applications: they allow attackers to obtain unrestricted access to the databases underlying the applications and to the potentially sensitive information these databases contain. Although researchers and practitioners have proposed various methods to address the SQL injection problem, current approaches either fail to address the full scope of the problem or have limitations that prevent their use and adoption. Many researchers and practitioners are familiar with only a subset of the wide range of techniques available to attackers who are trying to take advantage of SQL injection vulnerabilities. As a consequence, many solutions proposed in the literature address only some of the issues related to SQL injection. To address this problem, we present an extensive review of the different types of SQL injection attacks known to date. For each type of attack, we provide descriptions and examples of how attacks of that type could be performed. We also present and analyze existing detection and prevention techniques against SQL injection attacks. For each technique, we discuss its strengths and weaknesses in addressing the entire range of SQL injection attacks.
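The abstract's central point, that input concatenated into a query becomes part of the query's grammar rather than data, as an added example that is not code from the paper: a constructed in-memory SQLite users table, a vulnerable login query beside its parameterized form, and a structural check in the spirit of the model-based detection work the paper surveys (blank out every string literal and compare the remaining statement skeleton against the skeleton of the query the developer intended). The table, the sample rows, the function names and the tautology payload are assumptions made for this illustration.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the paper).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def build_vulnerable_query(name: str, pw: str) -> str:
    # String concatenation: whatever the user typed is parsed as SQL.
    return f"SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}'"

def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    return [row[0] for row in conn.execute(build_vulnerable_query(name, pw))]

def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> list:
    # Parameterized query: the values travel separately from the statement
    # text, so they can never alter its structure.
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ? AND pw = ?", (name, pw))]

def skeleton(sql: str) -> str:
    """Replace every single-quoted string literal ('' is an escaped quote)
    with ? so that only the statement's structure remains.
    Simplification: comments and double-quoted identifiers are not handled."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":
            i += 1                       # skip opening quote
            while i < n:
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":
                        i += 2           # escaped quote inside the literal
                        continue
                    break                # closing quote
                i += 1
            i += 1                       # skip closing quote
            out.append("?")
        else:
            out.append(sql[i])
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip()

# The structure the developer intended: one literal per input slot.
INTENDED = skeleton(build_vulnerable_query("x", "y"))

def is_structurally_intended(sql: str) -> bool:
    """True if the query has the same shape as the intended one; an injected
    tautology adds operators outside any literal and changes the skeleton."""
    return skeleton(sql) == INTENDED

if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable, honest login :", login_vulnerable(conn, "alice", "s3cret"))
    print("vulnerable, tautology    :", login_vulnerable(conn, "alice", tautology))
    print("parameterized, tautology :", login_safe(conn, "alice", tautology))
    print("skeleton of injected query:", skeleton(build_vulnerable_query("alice", tautology)))
    print("structurally intended?    :", is_structurally_intended(build_vulnerable_query("alice", tautology)))
```

With the payload in the password field the concatenated query becomes `... AND pw = '' OR '1'='1'`, which SQLite evaluates as `(name = 'alice' AND pw = '') OR '1'='1'` and therefore returns every user; the parameterized form matches nobody because the payload is compared as a literal password. The skeleton check flags the same query because its shape is `... pw = ? OR ?=?` instead of `... pw = ?`, while a legitimately escaped value such as `'O''Brien'` keeps the intended shape. Parameterization is the fix; the skeleton comparison is only a detection aid and, as written, does not understand SQL comments.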
Citations
Journal ArticleDOI
Edge Computing Security: State of the Art and Challenges
TL;DR: This paper provides a comprehensive survey on the most influential and basic attacks as well as the corresponding defense mechanisms that have edge computing specific characteristics and can be practically applied to real-world edge computing systems.
Journal ArticleDOI
Fog computing security: a review of current applications and security solutions
TL;DR: The impact of security issues and possible solutions are determined, providing future security-relevant directions to those responsible for designing, developing, and maintaining Fog systems.
Proceedings ArticleDOI
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
TL;DR: A new, highly automated approach for protecting existing Web applications against SQL injection, based on the novel idea of positive tainting and the concept of syntax-aware evaluation is proposed.
Journal ArticleDOI
WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation
TL;DR: A new highly automated approach for protecting Web applications against SQL injection that has both conceptual and practical advantages over most existing techniques is presented and implemented in the Web application SQL-injection preventer tool.
Journal ArticleDOI
The dark side of the Internet: Attacks, costs and responses
TL;DR: This paper explores and provides taxonomies of the causes and costs of the attacks, and types of responses to the attacks and investigates the responses of governments and institutions to the dark side of the Internet.
References
Proceedings Article
Hypertext Transfer Protocol -- HTTP/1.1
Roy T. Fielding, James Gettys, Jeffrey C. Mogul, H. Frystyk, Larry Masinter, Paul J. Leach, Tim Berners-Lee +6 more
TL;DR: The Hypertext Transfer Protocol is an application-level protocol for distributed, collaborative, hypermedia information systems, which can be used for many tasks beyond its use for hypertext through extension of its request methods, error codes and headers.
Proceedings ArticleDOI
Securing web application code by static analysis and runtime protection
TL;DR: A lattice-based static analysis algorithm derived from type systems and typestate is created, and its soundness is addressed, thus securing Web applications in the absence of user intervention and reducing potential runtime overhead by 98.4%.
Proceedings ArticleDOI
The essence of command injection attacks in web applications
Zhendong Su, Gary Wassermann +1 more
TL;DR: This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques.
Proceedings ArticleDOI
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
TL;DR: A new technique uses a model-based approach to detect illegal queries before they are executed on the database; in the evaluation it stopped all of the attempted attacks without generating any false positives.
Book
Writing Secure Code
TL;DR: Presented as the first book that focuses on programming secure applications in general rather than on security for just the Web developer, network administrator, or IT professional; it gives software designers, architects, developers, and testers the training, theory, and techniques they need to build secure software.