DocumentCode :
2807312
Title :
TransSQL: A Translation and Validation-Based Solution for SQL-injection Attacks
Author :
Zhang, Kai-Xiang ; Lin, Chia-Jun ; Chen, Shih-Jen ; Hwang, Yanling ; Huang, Hao-Lun ; Hsu, Fu-Hau
Author_Institution :
Comput. Sci. & Inf. Eng., Nat. Central Univ., Jhongli, Taiwan
fYear :
2011
fDate :
21-23 Nov. 2011
Firstpage :
248
Lastpage :
251
Abstract :
SQL injection attacks, a class of injection flaw in which specially crafted input strings lead to illegal queries against databases, are one of the topmost threats to web applications. A number of research prototypes and commercial products that maintain the query structure in web applications have been developed, but these techniques either fail to address the full scope of the problem or have limitations. Based on our observation that the injected string in a SQL injection attack is interpreted differently on different databases, in this paper we propose a novel and effective solution, TransSQL, to solve this problem. TransSQL automatically translates a SQL request into an LDAP-equivalent request. After the queries are executed on a SQL database and an LDAP one, TransSQL checks the difference in responses between the SQL database and the LDAP one to detect and block SQL injection attacks. Experimental results show that TransSQL is an effective and efficient solution against SQL injection attacks.
Keywords :
Internet; SQL; computer crime; program verification; query formulation; query processing; LDAP-equivalent request; SQL database; SQL-injection attack; TransSQL; Web application; illegal database; illegal query; injected string; injection flaw; query structure; validation-based solution; Bridges; Databases; Libraries; Monitoring; Runtime; Security; Testing; LDAP; SQL injection; web security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Robot, Vision and Signal Processing (RVSP), 2011 First International Conference on
Conference_Location :
Kaohsiung
Print_ISBN :
978-1-4577-1881-6
Type :
conf
DOI :
10.1109/RVSP.2011.59
Filename :
6114949