||Web-based applications have become the major means of providing services by web servers and databases. These applications are the frequent target for attacks be-cause the databases underlying Web applications often contain private information (e.g., user accounts and financial records). In particular, SQL injection attacks, a class of injection flaw in which specially crafted input strings leads to illegal queries to da-tabases, are one of the topmost threats to web applications. A number of research pro-totypes and commercial products that maintain the queries structure in web applica-tions have been developed but these techniques fail to address the full scope of the problem or have limitations.|
In this paper, we propose a novel and effective mechanism for automatically translating SQL requests to LDAP-equivalent requests to render them secure against SQL injection attacks. After queries are executed on SQL database and LDAP, our technique checks the difference in responses from SQL database and LDAP to prevent SQL injection attacks. We implemented our technique in a tool, TransSQL, consists of two steps. In the preprocessing step, Database Duplicating process, we adopt sqldump program to extract entire information of SQL database that could be used to produce LDAP schema and LDAP Data Interchange Format file. In the runtime step, Request Translation process, the technique intercepts SQL queries for translation and checks the results from LDAP against SQL database. TransSQL has been implemented in Java and deployed between web applications and databases. Our empirical evaluation has shown that TransSQL is both effectiveness and efficiency against SQL injection attacks.
|| C. Anley. Advanced SQL Injection In SQL Server Applications. White paper, Next Generation Security Software Ltd., 2002.|
 C.Anley. (more) Advanced SQL Injection. White paper, Next Generation Securi-ty Software Ltd., 2002.
 OWASP Top Ten Project. OWASP Top 10 for 2010. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
 Symantec Global Internet Security Threat Report Trends for 2009 Volume XV, Published April 2010. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
 Breach, The Web Hacking Incidents Database 2009: Bi-Annual Report, The Web Hacking Incidents Database 2008: Annual Report, The Web Hacking Incidents Database 2007: Annual Report, http://www.breach.com/resources/whitepapers/
 V. B. Livshits and M. S. Lam. Finding Security Errors in Java Programs with Static Analysis. In Usenix Security Symposium (2005).
 Y. Xie, and A. Aiken. Static detection of security vulnerabilities in scripting lan-guages. In USENIX Security Symposium (2006).
 Y. Huang, S. Huang, T. Lin, and C. Tsai. Web Application Security Assessment by Fault Injection and Behavior Monitoring. In the International World Wide Web Conference (WWW 2004).
 Network Working Group. RFC2616 - Hypertext Transfer Protocol -- HTTP/1.1. The Internet Society, 1999.
 Network Working Group. RFC2965 - HTTP State Management Mechanism. The Internet Society, 2000.
 T. M. D. Network. Request.servervariables collection. Technical report, Microsoft Corporation, 2005. http://msdn.microsoft.com/en-us/library/ms525396(VS.90).aspx
 OpenLDAP community. OpenLDAP Project. http://www.openldap.org/
 RSnake and ha.ckers.org web application security lab. SQL Injection cheat sheet Esp: for filter evasion. http://ha.ckers.org/sqlinjection/
 Ferruh.mavituna. SQL Injection Cheat Sheet. http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
 W. Halfond, J. Viegas and A. Orso. A Classification of SQL Injection Attacks and Prevention Techniques. International Symposium on Secure Software Engineering (ISSSE 2006)
 Python Software Foundation. Python Programming Language. http://www.python.org/
 MySQL Library. mysql_real_escape_string() function. http://php.net/manual/en/function.mysql-real-escape-string.php
 Hibernate. hibernate.org. http://www.hibernate.org/.
 R. McClure and I. Kr¨uger. SQL DOM: Compile Time Checking of Dynamic SQL Statements. In Proceedings of the 27th International Conference on Soft-ware Engineering (ICSE 05), 2005.
 W. R. Cook and S. Rai. Safe Query Objects: Statically Typed Objects as Re-motely Executable Queries. In Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), 2005.
 Y. Huang, S. Huang, T. Lin, and C. Tsai. Web Application Security Assessment by Fault Injection and Behavior Monitoring. In Proceedings of the 11th Interna-tional World Wide Web Conference (WWW 03), 2003.
 Y. Kosuga, K. Kono, M. Hanaoka, M. Hishiyama, and Y. Takahama. Sania: Syn-tactic and Semantic Analysis for Automated Testing against SQL Injection. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC 07), 2007.
 V. B. Livshits and M. S. Lam. Finding Security Errors in Java Programs with Static Analysis. In Proceedings of the 14th Usenix Security Symposium, 2005.
 Y. Xie, and A. Aiken. Static detection of security vulnerabilities in scripting lan-guages. In Proceedings of the 15th Conference on USENIX Security Symposium. 2006.
 W. G. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutraliz-ing SQL-Injection Attacks. In Proceedings of the IEEE and ACM International Conference on Automated Software Engineering (ASE 2005), 2005.
 W. G. Halfond and A. Orso. Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. In Proceedings of the Third International ICSE Workshop on Dynamic Analysis (WODA 2005), 2005.
 G. T. Buehrer, B. W. Weide, and P. A. G. Sivilotti. Using Parse Tree Validation to Prevent SQL Injection Attacks. In International Workshop on Software Engi-neering and Middleware (SEM), 2005.
 Z. Su and G. Wassermann. The Essence of Command Injection Attacks in Web Applications. In The 33rd Annual Symposium on Principles of Programming Languages (POPL 2006), 2006.
 T. Pietraszek and C. V. Berghe. Defending Against Injection Attacks through Context-Sensitive String Evaluation. In Proceedings of Recent Advances in In-trusion Detection (RAID2005), 2005.
 S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL Injection Attacks. In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, 2004.
 MySQL. mysqldump — A Database Backup Program. http://dev.mysql.com/doc/refman/5.1/en/mysqldump.html.
 My Virtual Directory. JDBC->LDAP Bridge. http://myvd.sourceforge.net/jdbcldap.html, 2008
 S. McDonald. SQL Injection: Modes of attack, defense, and why it matters. White paper, GovernmentSecurity.org, 2002.
 K. Spett. Blind sql injection. White paper, SPI Dynamics, Inc., 2003. http://www.net-security.org/dl/articles/Blind_SQLInjection.pdf.