Abstract

SQL injection attacks (SQLIAs), although well studied, continue to be a problem today. Attackers launch them by supplying specially crafted user inputs to web applications, so that low-level string operations mistakenly construct malicious SQL queries from those inputs. Many prevention mechanisms use either static analysis or run-time prevention. A weakness of these techniques is that they need extra effort to distinguish the user input from the rest of the application-generated query. The root cause of a SQL injection attack is that user inputs, which should only be treated as data, are mixed with control code. We propose SQLProb, a fully automated system that addresses the root cause by dynamically extracting the user input data and analyzing it within the syntactic structure of the query. The key benefit of our technique is that it integrates seamlessly with the existing application and database, without changing a single line of their code. Compared with most existing black-box approaches, it does not require any source/byte code or learning curve. Our approach has been implemented and tested against a wide range of SQL injection attacks. We demonstrate that our approach is robust and holds promise for more precise detection.

Bio

Anyi Liu is a Ph.D. student in the Department of Computer Science at George Mason University. He received a BS and MS in Computer Science from Dalian University of Technology, China, in 1997 and 2001, respectively. He is now pursuing a Ph.D. in Information Technologies from George Mason University. His research interests include information security, intrusion detection/prevention, and security issues regarding web applications.
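The check the abstract describes, that user input must remain data within the query's syntactic structure, can be sketched as follows. This is an added example, not SQLProb's implementation: it assumes the checker already knows the raw user input, locates it in the query by verbatim search, and uses a small tokenizer (all names here are hypothetical) in place of a full SQL parser.

```python
import re

# Minimal SQL tokenizer: only string and number literals can hold data.
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')          # quoted literal, '' is an escaped quote
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keywords and identifiers
  | (?P<space>\s+)
  | (?P<other>.)                        # operators, punctuation, stray quotes
""", re.VERBOSE | re.DOTALL)

def data_spans(query):
    """Return (start, end) offsets of the query regions that are pure data."""
    spans = []
    for m in TOKEN_RE.finditer(query):
        if m.lastgroup == "string":
            spans.append((m.start() + 1, m.end() - 1))  # interior, quotes excluded
        elif m.lastgroup == "number":
            spans.append(m.span())
    return spans

def input_stays_data(query, user_input):
    """True if the input fits inside one literal, i.e. it added no SQL syntax.

    Simplification: the input is found by verbatim search, so input the
    application escaped or transformed is not located and passes unchecked.
    """
    pos = query.find(user_input) if user_input else -1
    if pos == -1:
        return True
    spans = data_spans(query)
    while pos != -1:
        end = pos + len(user_input)
        if any(s <= pos and end <= e for s, e in spans):
            return True  # some occurrence sits wholly inside a literal
        pos = query.find(user_input, pos + 1)
    return False  # every occurrence crosses a token boundary: reject

# Constructed samples: queries built by naive string concatenation.
SAMPLES = [
    ("SELECT * FROM users WHERE name = 'alice'", "alice"),
    ("SELECT * FROM users WHERE name = '' OR '1'='1'", "' OR '1'='1"),
    ("SELECT * FROM items WHERE id = 1 OR 1=1", "1 OR 1=1"),
]

if __name__ == "__main__":
    for query, user_input in SAMPLES:
        verdict = "allow" if input_stays_data(query, user_input) else "block"
        print(f"{verdict}: {query}")
```

Because the decision depends only on where the input falls in the token stream, the check sits between application and database without touching either, which is the integration property the abstract claims.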