Method of protection of database management systems against sql-identifier injection attacks
DOI:
https://doi.org/10.18372/2310-5461.52.16385Keywords:
SQL injection, SQL-IDIA, DBMS, identifier, data baseAbstract
The article reviews SQL injection and SQL identifier injection attacks in database management systems, identifies their nature, the threats they pose, and the types of these attacks. A new method of protecting database management systems from SQL identifier injection attacks is also covered. Proposed solution are functions that can be added to the prepared API statements: setColumnName: uses the column name and its index as arguments and setTableName: uses the table name and its index as arguments. This method allows you to prepare operators to fill placeholders with table and column names, prevents SQL-IDIA, does not skip schema information, has no restrictions on input-based sanitation approaches. These two features help prevent database management systems from leaking confidential database information by performing a default operation when the input column or table name does not exist in the database. For example, if a column name is used in a particular function and the column name is invalid, the database management system will sort the results by the first column of the table. Only the table and column names in our advanced API were examined, as GitHub analysis showed that 96% of concatenated IDs were table and column names. In all experiments, the new setColumnName feature surpassed the implementation of dynamic whitelisting. In two experiments, the implementation of a static whitelist slightly exceeded the name function of the new set of columns. Although this special approach has little performance advantage, whitelisting approaches can add non-trivial complexity to program code and lead to erroneous results. The new setColumnName feature has successfully prevented all these attacks. Filling placeholders with column names is practical and effective compared to existing special approaches, does not create additional costs compared to the existing functions of the trained operator, and is effective against SQL identifier injection attack.
References
D. S. Dakun Shen, Ian Markwood and Y. Liu, “Virtual safe: Unauthorized walking behavior detection for mobile devices,” IEEE Transactions on Mobile Computing, 2018 (eng).
OWASP, “Owasp top 10 – 2017 The ten most critical web application security risks.” https://www.owasp.org/index.php/Category: OWASP Top Ten Project, 2017 (eng).
J. A. Ligatti, D. Goldgof, C. Cetin, and J.-B. Subils, “Systems and methods for anonymous authentication using multiple devices,” June 28 2016. US Patent 9,380,058 (eng).
C. Cetin, J. Ligatti, and D. Goldgof, “SQL-Identifier injection attacks,” in 2019 IEEE Conference on Communications and Network Security (CNS) (IEEE CNS 2019), 2019 (eng).
D. Watson, “Web application attacks,” Network Security, vol. 2007, no. 10, pp. 10–14, 2007 (eng).
W. G. Halfond, J. Viegas, A. Orso, et al., “A classification of sql-injection attacks and countermeasures,” in Proceedings of the IEEE International Symposium on Secure Software Engineering, vol. 1, pp. 13–15, IEEE, 2006 (eng).
S. W. Boyd and A. D. Keromytis, “SQLrand: Preventing SQL injection attacks,” in Proceedings of the International Conference on Applied Cryptography and Network Security, pp. 292–302, 2004 (eng).
D. Ray and J. Ligatti, “Defining injection attacks,” in Proceedings of the 17th International Infomation Security Conference, pp. 425–441, 2014 (eng).
J. Grossman, S. Fogie, R. Hansen, A. Rager, and P. D. Petkov, XSS attacks: cross site scripting exploits and defense. Syngress, 2007 (eng).
J. Fonseca, M. Vieira, and H. Madeira, “Testing and comparing web vulnerability scanning tools for sql injection and xss attacks,” in 13th Pacific Rim international symposium on dependable computing (PRDC 2007), pp. 365–372, IEEE, 2007 (eng).
B. Eshete, A. Villafiorita, and K. Weldemariam, “Early detection of security misconfiguration vulnerabilities in web applications,” in 2011 Sixth International Conference on Availability, Reliability and Security, pp. 169–174, IEEE, 2011 (eng).
C. Joshi and U. K. Singh, “Security testing and assessment of vulnerability scannersin quest of current information security landscape,” International Journal of Computer Applications, vol. 145, no. 2, pp. 1–7, 2016 (eng).
C. Nagy and A. Cleve, “A static code smell detector for SQL queries embedded in java code,” in Proceedings of the IEEE International Working Conference on Source Code Analysis and Manipulation, pp. 147–152, 2017 (eng).
