SIGNATURE BASED EVALUATION TO COUNTER AND PREVENT INJECTION ATTACKS

Abstract

The databases that underlie web applications were facing issues like, unauthorized access, so many security threats in recent years. Many software systems have evolved to include a Web-based component that makes them available to the public via the Internet and can expose them to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases and has become frequent and serious threat to them. Successful injection attack can give attackers access to and even control of the databases that underlay Web applications, which may contain sensitive or confidential information. This paper presents a new highly automated approach for protecting Web applications against SQL injection that has both conceptual and practical advantages over most existing techniques. From a conceptual standpoint, the approach is based on the idea of positive tainting and on the concept of syntax-aware evaluation. From a practical standpoint, our technique is precise and efficient, has minimal deployment requirements, and incurs a very low performance overhead in most cases. We have implemented this technique(Injection preventer) [1] , which we used to perform an empirical evaluation on a wide range of Web applications that we subjected to a large and varied set of attacks and legitimate accesses.