Abstract—The increasing dependence on web applications has made them a natural target for attackers. Among these attacks, SQL Injection Attacks (SQLIA) are the most prevalent. In this paper we propose a SQL injection vulnerability scanner that is light-weight, fast and has a low false positive rate. Such scanners are a practical tool both for discovering the vulnerabilities in a web application and for testing the effectiveness of countermeasures. In the latter part of our work we propose a security mechanism to counter SQL Injection Attacks. Our security methodology is based on the design of a filter that inspects the HTTP requests sent by clients or users and looks for attack signatures. The proposed filter is generic in the sense that it can be used with any web application. Finally, we test our proposed security mechanism using the vulnerability scanner developed by us as well as other well-known scanners. The proposed security mechanism is able to counter all the vulnerabilities that were reported before the deployment of our security framework.
Index Terms—SQL Injection Attacks, URL filter, Web Application Vulnerability Scanner.
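The abstract describes a generic, signature-based filter placed in front of a web application that inspects each HTTP request for SQL injection patterns. The following Python block is an added example written for this page, not the authors' implementation: it decodes the query string (including double URL-encoding, a common evasion against naive filters), normalizes whitespace, and matches each parameter value against a small signature set. The signature list, the function names `normalize`, `scan_query_string` and `filter_request`, and the request strings used for testing are all assumptions constructed for this example; the paper does not publish its signatures.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Assumed signature set for this example. Each entry is (label, compiled pattern).
# The paper's own signature list is not given on this page.
SIGNATURES = [
    # tautology such as "' or '1'='1" (requires an equality, so plain "or" in text is not flagged)
    ("tautology", re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?", re.I)),
    # SQL comment used to truncate the rest of a statement
    ("comment_tail", re.compile(r"(--|/\*)")),
    # UNION-based data extraction
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    # stacked statement after a terminating semicolon
    ("stacked_query", re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I)),
]


def normalize(value):
    """Undo repeated URL-encoding (bounded to 3 rounds) and collapse whitespace."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return re.sub(r"\s+", " ", cur)


def scan_query_string(query):
    """Return a list of (parameter_name, signature_label) hits for a raw query string."""
    findings = []
    # parse_qs already performs one round of percent-decoding; normalize() handles the rest
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            value = normalize(raw)
            for label, pattern in SIGNATURES:
                if pattern.search(value):
                    findings.append((name, label))
    return findings


def filter_request(path_and_query):
    """Decide for one request target: ('allow', []) or ('block', findings)."""
    _, _, query = path_and_query.partition("?")
    findings = scan_query_string(query)
    return ("block" if findings else "allow", findings)


if __name__ == "__main__":
    # Constructed sample requests (not real traffic).
    for target in [
        "/item?id=42",
        "/item?id=1%27%20or%20%271%27%3D%271",
        "/item?id=1%2527%2520or%2520%25271%2527%253D%25271",   # double-encoded
        "/search?q=search+or+browse",
    ]:
        print(target, "->", filter_request(target))
```

The filter runs before the application sees the request, so it needs no change to application code, which is the sense in which the abstract calls its filter generic. The trade-off the abstract's false positive figure hints at is visible in the signature list: a pattern as loose as a bare `or` would flag ordinary search text, whereas the tautology pattern above requires an accompanying equality; the `--` signature will still flag legitimate values containing a double hyphen, so signatures have to be tuned against real traffic.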
Sangita Roy is with the Indian Institute of Technology, Patna, Bihar, India (e-mail: email@example.com).
Avinash Kumar Singh is with the Gwalior Engineering College, Gwalior, MP, India (e-mail: avinashkumarsingh1986@gmail.com).
Ashok Singh Sairam is with the Indian Institute of Technology, Patna, Bihar, India (e-mail: firstname.lastname@example.org).
Cite: Sangita Roy, Avinash Kumar Singh and Ashok Singh Sairam, "Detecting and Defeating SQL Injection Attacks," International Journal of Information and Electronics Engineering vol. 1, no. 1, pp. 38-46, 2011.