Detecting SQL Injection Attacks Using Syntax Analysis of Dynamically Generated Queries

Author

  • Lalitsen Sharma
Abstract

Web applications are popular targets of security attacks. One common type of attack is SQL injection, in which an attacker, using specially crafted inputs, causes a web application to generate and send a query that functions differently than the programmer intended. A diagnostic feature of SQL injection attacks is therefore that they change the intended syntactic structure of the queries issued. This paper presents a query intent evaluation technique that detects possible SQL injection attacks by tracing the queries in which input substrings modify the syntactic structure of the rest of the query. This approach has been implemented in a tool which takes an SQL query as input and detects whether it is a command injection attack.

[Research Cell: An International Journal of Engineering Sciences, ISSN: 2229-6913, Issue Sept 2011, Vol. 4, © 2011 Journal Anu Books, page 201]

Introduction

The ubiquity and popularity of the World Wide Web have attracted developers to build web-based applications. In the competition to develop online services for the general public, web applications have often been deployed with minimal attention to security risks; as a result, most applications are vulnerable to attacks [2]. SQL injection attacks are among the topmost threats to web applications. An SQL injection attack targets interactive web applications that employ database services. Such an application accepts user input, such as form fields, includes this input in database requests by constructing database queries dynamically, and then dispatches these queries over an API to the appropriate databases for execution. In this way, a web application retrieves and presents data to the user based on the user's input as part of the application's functionality. However, if the user's input is not handled properly, serious security problems can occur. This is because queries are constructed dynamically in an ad hoc manner through low-level string manipulations.
This is ad hoc because databases interpret query strings as structured, meaningful commands, while web applications often view query strings simply as unstructured sequences of characters. This semantic gap, combined with improper handling of user input, makes web applications susceptible to a large class of malicious attacks known as SQL command injection attacks (SQLCIA). For example, if a database contains user names and passwords, the application may contain code such as the following:

    // User input is concatenated directly into the query text.
    String query = "SELECT * FROM accounts WHERE name='"
        + request.getParameter("name")
        + "' AND password='"
        + request.getParameter("passwd") + "'";

Figure 1

The code in Figure 1 generates a query intended to authenticate a user who tries to log in to a web site. However, if a malicious user enters admin into the name field and ' OR 'a'='a into the password field, the generated query string is the one shown in Figure 2, whose condition always evaluates to true, and the user bypasses the authentication logic.

    SELECT * FROM accounts WHERE name='admin' AND password='' OR 'a'='a'

Figure 2

SQL injection attacks are extremely prevalent, and were ranked as the second most common form of attack on web applications in 2010 [1]. The percentage of these attacks among the overall number of attacks reported rose from 5.5% in 2004 to 14% in 2006 to 24% in 2008 [4]. Out of various vulnerabilities reported in 2010, SQL injection vulnerabilities amount significantly with 18%
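A minimal sketch of the structural check the abstract describes, added here as an illustration and not the paper's tool: it lexes the generated query and flags any input whose characters do not sit entirely inside a single literal token. The lexer, the `{}` template notation and the names `LOGIN`, `build_query`, `inside_literal` and `escaping_inputs` are assumptions of this example; the query is the one from Figures 1 and 2.

```python
import re

# Minimal SQL lexer, sufficient for the login query of Figures 1 and 2.
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')          # quoted literal; '' is an escaped quote
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)    # keywords and identifiers
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<op>[=<>!]+|[*(),;.+-])
  | (?P<bad>\S)                         # anything else, e.g. an unbalanced quote
""", re.VERBOSE | re.DOTALL)

# Hypothetical template form of the Figure 1 concatenation.
LOGIN = "SELECT * FROM accounts WHERE name='{}' AND password='{}'"

def tokenize(sql):
    """Return (kind, start, end) for every token in the query text."""
    return [(m.lastgroup, m.start(), m.end()) for m in TOKEN_RE.finditer(sql)]

def build_query(template, params):
    """Concatenate inputs at each {} as Figure 1 does, recording their spans."""
    pieces = template.split("{}")
    sql, spans = pieces[0], []
    for value, piece in zip(params, pieces[1:]):
        spans.append((len(sql), len(sql) + len(value)))
        sql += value + piece
    return sql, spans

def inside_literal(span, tokens):
    """True if the input span lies within one string or number literal."""
    start, end = span
    for kind, ts, te in tokens:
        if kind == "string" and ts < start and end < te:
            return True          # strictly between the enclosing quotes
        if kind == "number" and ts <= start and end <= te and start < end:
            return True
    return False

def escaping_inputs(template, params):
    """Return the inputs that change the query's token structure."""
    sql, spans = build_query(template, params)
    tokens = tokenize(sql)
    return [p for p, s in zip(params, spans) if not inside_literal(s, tokens)]

if __name__ == "__main__":
    # Constructed sample inputs: a normal login, then the Figure 2 input.
    print(escaping_inputs(LOGIN, ("admin", "s3cret")))
    print(escaping_inputs(LOGIN, ("admin", "' OR 'a'='a")))
```

An unescaped apostrophe in a legitimate value (for example a surname) is also reported, because it alters the token structure in the same way; a correctly doubled quote is not.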


Similar resources

Detection and Prevention of SQL Injection Attacks

We depend on database-driven web applications for an ever increasing amount of activities, such as banking and shopping. When performing such activities, we entrust our personal information to these web applications and their underlying databases. The confidentiality and integrity of this information is far from guaranteed; web applications are often vulnerable to attacks, which can give an att...


SQLPrevent: Effective Dynamic Detection and Prevention of SQL Injection Attacks Without Access to the Application Source Code

This paper presents an effective approach for detecting and preventing known as well as novel SQL injection attacks. Unlike existing approaches, ours (1) is resistant to evasion techniques, such as hexadecimal encoding or inline comment, (2) does not require analysis or modification of the application source code, (3) does not need training traces, (4) does not require modification of the runti...


Data-mining based SQL injection attack detection using internal query trees

Detecting SQL injection attacks (SQLIAs) is becoming increasingly important in database-driven web sites. Until now, most of the studies on SQLIA detection have focused on the structured query language (SQL) structure at the application level. Unfortunately, this approach inevitably fails to detect those attacks that use already stored procedure and data within the database system. In this pape...


Detection of Lightweight Directory Access Protocol Query Injection Attacks in Web Applications

The Lightweight Directory Access Protocol (LDAP) is a common protocol used in organizations for Directory Service. LDAP is popular because of its features such as representation of data objects in hierarchical form, being open source and relying on TCP/IP, which is necessary for Internet access. However, with LDAP being used in a large number of web applications, different types of LDAP injecti...


Detecting Sql Injections from Web Applications

Most of the attacks published in the National Vulnerability Database from 2007 to date are web attacks; statistically, a total of 10134 CVEs have been published. Among them, 1479 are SQL injection flaws and 1569 are cross-site scripting flaws, and millions of attacks are not yet published. Very recent SQL injection and cross-site scripting attacks are on most famous websites such as No...



Publication date: 2011