SQLPIL: SQL injection prevention by input labeling
Saved in:
Published in: | Security and communication networks 2015-10, Vol.8 (15), p.2545-2560 |
---|---|
Main authors: | Masri, Wes; Sleiman, Sam |
Format: | Article |
Language: | eng |
Subjects: | Automation; Commands; data labeling/tainting; flow tracking; Java (programming language); prepared/parameterized statements; program analysis; Queries; Query languages; Run time (computers); SQL injection attacks; Strings; web applications |
Online access: | Full text |
container_end_page | 2560 |
---|---|
container_issue | 15 |
container_start_page | 2545 |
container_title | Security and communication networks |
container_volume | 8 |
creator | Masri, Wes; Sleiman, Sam |
description | SQL injection attacks (SQLIAs) aim at exploiting vulnerabilities in web applications in order to execute malicious SQL commands. It is established that prepared statements are resilient to SQLIAs, and thus, developers are advised to use them when constructing SQL queries as opposed to applying string concatenation operations. Unfortunately, this recommended programming practice is not as pervasive as it should be. This paper addresses this shortcoming by presenting SQL injection Prevention by Input Labeling (SQLPIL), an effective, light, and fully automated tool that leverages prepared statements to prevent SQLIAs at runtime. Given a Java program in which SQL queries are built as strings, SQLPIL dynamically transforms the strings into secure prepared statements right before their execution, thus guaranteeing that malicious input will always be treated as data and never as SQL commands. We empirically evaluated our Java implementation of SQLPIL using a benchmark that includes five JSP commercial applications, a number of legitimate queries, and a number of attacks of representative types. The results were promising as all attacks were prevented, and all legitimate runs executed successfully; in other words, the technique exhibited no false alarms when applied on typical applications. Also, the runtime cost was acceptable, assuming typical settings. Copyright © 2015 John Wiley & Sons, Ltd.
This paper presents SQLPIL, an effective, light, and fully automated tool that leverages prepared statements to prevent SQL injection attacks at runtime. Given a Java program in which SQL queries are built as strings, SQLPIL dynamically transforms the strings into secure prepared statements right before their execution, thus guaranteeing that malicious input will always be treated as data and never as SQL commands. Our empirical results exhibited no false alarms when applied on typical applications, and the runtime cost was acceptable. |
doi_str_mv | 10.1002/sec.1199 |
format | Article |
fulltext | fulltext |
identifier | ISSN: 1939-0114 |
ispartof | Security and communication networks, 2015-10, Vol.8 (15), p.2545-2560 |
issn | 1939-0114; 1939-0122 |
language | eng |
recordid | cdi_proquest_miscellaneous_1753508613 |
source | EZB-FREE-00999 freely available EZB journals; Alma/SFX Local Collection |
subjects | Automation; Commands; data labeling/tainting; flow tracking; Java (programming language); prepared/parameterized statements; program analysis; Queries; Query languages; Run time (computers); SQL injection attacks; Strings; web applications |
title | SQLPIL: SQL injection prevention by input labeling |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-18T00%3A25%3A22IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=SQLPIL:%20SQL%20injection%20prevention%20by%20input%20labeling&rft.jtitle=Security%20and%20communication%20networks&rft.au=Masri,%20Wes&rft.date=2015-10&rft.volume=8&rft.issue=15&rft.spage=2545&rft.epage=2560&rft.pages=2545-2560&rft.issn=1939-0114&rft.eissn=1939-0122&rft_id=info:doi/10.1002/sec.1199&rft_dat=%3Cproquest_cross%3E3797686331%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=1709480949&rft_id=info:pmid/&rfr_iscdi=true |