Preventing SQL injection attacks by automatic parameterizing of raw queries using lexical and semantic analysis methods

Document Type: Article

Authors

Department of Computer Engineering, Sharif University of Technology, Azadi Ave., Tehran, Iran

Abstract

SQL injection (SQLI) is one of the most important security threats against web applications. Many techniques have been proposed for counteracting SQLI attacks; however, most of them ignore second-order attacks and injection attacks that raise data-type mismatch errors. In this paper, we propose a new anomaly-based method, deployed as a proxy between the application server and its database server, for detecting and/or preventing SQLI attacks without requiring any modification to the source code of vulnerable applications. The majority of attacks, which change the syntax of application queries, are identified in the detection phase by lexical analysis of the queries. The remaining types of attacks, such as second-order attacks and attacks that generate data-type mismatch errors, are prevented from executing in the prevention phase, where each query is automatically converted to a parameterized query (before it is submitted to the database) using a semantic analysis method.
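The two phases described above, as an added illustration that is not the paper's own implementation: a small SQL lexer turns each raw query into a skeleton in which every literal is replaced by a `?` placeholder (lexical analysis), a proxy-side guard flags skeletons it never saw in legitimate traffic (detection), and the extracted literals are handed back as bind parameters so they can no longer be read as SQL text (prevention). The `QueryGuard` class, its training set and the token classes are assumptions made for this example.

```python
import re

# Small SQL lexer; comments and strings come before operators so quotes and dashes inside them are not split.
_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><=|>=|<>|!=|\|\||[=<>+\-*/%])
  | (?P<punct>[(),;.])
""", re.VERBOSE | re.DOTALL)

def tokenize(sql):
    """Lexical analysis: split a raw query into (kind, text) tokens."""
    pos, tokens = 0, []
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unexpected character {sql[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup not in ("ws", "comment"):
            tokens.append((m.lastgroup, m.group()))
    return tokens

def parameterize(sql):
    """Replace each literal with a '?' placeholder and collect its value.
    The skeleton is the query's syntactic shape; the values travel as bind
    parameters, so they can no longer be interpreted as SQL text."""
    skeleton, params = [], []
    for kind, text in tokenize(sql):
        if kind == "string":
            skeleton.append("?")
            params.append(text[1:-1].replace("''", "'"))  # undo '' escaping
        elif kind == "number":
            skeleton.append("?")
            params.append(float(text) if "." in text else int(text))
        else:
            skeleton.append(text)
    return " ".join(skeleton), params

class QueryGuard:
    """Proxy-side anomaly detector (assumed design): learns the skeletons of the
    application's legitimate queries, then blocks any query whose skeleton is unknown."""
    def __init__(self, training_queries):
        self.known = {parameterize(q)[0] for q in training_queries}

    def check(self, sql):
        skeleton, params = parameterize(sql)
        return ("ALLOW" if skeleton in self.known else "BLOCK"), skeleton, params
```

A query whose literal merely has the wrong type keeps the legitimate skeleton and passes the lexical check, but it is still forwarded with the literal as a bound value rather than as query text, which is the case the prevention phase covers.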
