Title :
Comparing SQL Injection Detection Tools Using Attack Injection: An Experimental Study
Author :
Elia, Ivano Alessandro ; Fonseca, José ; Vieira, Marco
Author_Institution :
Dept. for Technol., Univ. of Naples Parthenope, Naples, Italy
Abstract :
System administrators frequently rely on intrusion detection tools to protect their systems against SQL Injection, one of the most dangerous security threats in database-centric web applications. However, the real effectiveness of those tools is usually unknown, which may lead administrators to put an unjustifiable level of trust in the tools they use. In this paper we present an experimental evaluation of the effectiveness of five SQL Injection detection tools that operate at different system levels: Application, Database and Network. To test the tools in a realistic scenario, Vulnerability and Attack Injection is applied in a setup based on three web applications of different sizes and complexities. Results show that the assessed tools have a very low effectiveness and only perform well under specific circumstances, which highlights the limitations of current intrusion detection tools in detecting SQL Injection attacks. Based on experimental observations, we underline the strengths and weaknesses of the tools assessed.
Keywords :
Internet; SQL; security of data; SQL injection detection tools; attack injection; database-centric Web application; intrusion detection tool; security threat; system administration; vulnerability; Databases; Intrusion detection; Monitoring; Payloads; Scalp; Web server; Fault Injection; Intrusion Detection; SQL Injection; Security; Web applications;
Conference_Title :
Software Reliability Engineering (ISSRE), 2010 IEEE 21st International Symposium on
Conference_Location :
San Jose, CA
Print_ISBN :
978-1-4244-9056-1
Electronic_ISBN :
1071-9458
DOI :
10.1109/ISSRE.2010.32