TransSQL: A Translation and Validation-Based Solution for SQL-injection Attacks

Zhang, Kai-Xiang; Lin, Chia-Jun; Chen, Shih-Jen; Hwang, Yanling; Huang, Ho‐Chuan; Hsu, Fu-Hau

doi:10.1109/rvsp.2011.59

Cited by 24 publications

(20 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Authors in paper [7] proposed a translation and validation-based solution for SQLi attacks, TransSQL, where SQL requests are automatically translated to Lightweight Directory Access Protocol (LDAP)-equivalent requests. SQL and LDAP-equivalent queries are then executed on SQL database and LDAP database, respectively.…”

Section: Related Work For Sql Injection Attacksmentioning

confidence: 99%

A Learning-based Neural Network Model for the Detection and Classification of SQL Injection Attacks

Moradpoor

2017

International Journal of Cyber Warfare and Terrorism

View full text Add to dashboard Cite

Abstract-Structured Query Language injection (SQLi) attack is a code injection technique where hackers inject SQL commands into a database via a vulnerable web application. Injected SQL commands can modify the back-end SQL database and thus compromise the security of a web application. In the previous publications, the author has proposed a Neural Network (NN)-based model for detections and classifications of the SQLi attacks. The proposed model was built from three elements: 1) a Uniform Resource Locator (URL) generator, 2) a URL classifier, and 3) a NN model. The proposed model was successful to: 1) detect each generated URL as either a benign URL or a malicious, and 2) identify the type of SQLi attack for each malicious URL. The published results proved the effectiveness of the proposal. In this paper, the author re-evaluates the performance of the proposal through two scenarios using controversial data sets. The results of the experiments are presented in order to demonstrate the effectiveness of the proposed model in terms of accuracy, truepositive rate as well as false-positive rate.

show abstract

Section: Related Work For Sql Injection Attacksmentioning

confidence: 99%

A Learning-based Neural Network Model for the Detection and Classification of SQL Injection Attacks

Moradpoor

2017

International Journal of Cyber Warfare and Terrorism

View full text Add to dashboard Cite

show abstract

“…So the system shows the result as Null. The major shortcoming of this models that it is not applicable for injection queries which contain instances, alias, UNION and UNIONALL [11]. In [9], tokenization method is proposed, which is efficient but applied on original as well as query with injection is not possible for all queries that their original query is already stored.…”

Section: Original Querymentioning

confidence: 99%

“…Table 4 shows all the pros and cons of previous model in the field of SQL Injection Attack. Table illustrated below compares five models Sania: [7], SBSQLID [8], RDUD [9], TransSQL [11] and Tokenization [10] on the basis of their advantages and drawbacks.…”

Section: Query Tokenizationmentioning

confidence: 99%

See 1 more Smart Citation

SQL Injection Attacks: Technique and Prevention Mechanism

Shrivastava¹,

Pathak²

2013

IJCA

View full text Add to dashboard Cite

In today's era where almost every task is performed through web applications, the need to assure the security of web applications has increased. A survey held in 2010 shows web application vulnerabilities and SQL Injection attack ranked among top five [1]. SQL Injection attack (SQLIA) is performed by those persons who want to access the database and want to steal, change or delete the data which they do not have permission to access [1]. In SQLIA adversary requests through a malicious query which shows some confidential data [2]. In research, it is also proved that when a network and host-level entry point is highly secured, the public interface provided by an application is the one and only source of SQL injection attack. SQLIA can't be applied without using space, single quotes or double dashes [3]. So to prevent SQLIA, these options are taken in observation. Previous model [10] used JDBC-LDAP library which did not support instances, alias and set operations (UNION and UNION ALL). If a query with injection is accepted by any database which is based on relational approach, then it will be accepted by all databases that are based on relational approach. This paper is focused on SQLIA and its techniques and encounters the shortcoming of previous models. This paper proposed a model which uses two databases one relational and other hierarchical to ensure about injection in a query, compare the results by applying tokenization technique on both databases. If the results are same, there is no injection, otherwise it is present. The proposed model uses a tokenization technique so; query containing Alias, Instances and Set operations can also be blocked at the entry point.

show abstract

“…The underlying idea of this technique is that any SQLIA will alter the structure of the original SQL statement and by detecting the difference in the structures, a SQLIA can be identified. [9] Kai-Xiang Zhang, Chia-Jun Lin, et.al proposed a translation and validation(TransSQL) based approach for detecting and preventing SQL Injection attacks. The basic idea of this approach relies on how different databases interpret SQL queries and those SQL queries with injection.…”

Section: Literature Surveymentioning

confidence: 99%

Preventing SQL Injection Attacks

Asha¹,

Kumar²,

Vaidhyanathan.³

2012

IJCA

View full text Add to dashboard Cite

With the recent rapid increase in web based applications that employ back-end database services, results show that SQL Injection and Remote File Inclusion are the two frequently used exploits rather than using other complicated techniques. With the rise in use of web applications, SQL injection based attacks are gradually increasing and is now one of the most common attacks in the internet. It allows an attacker to gain control over the database of an application, thereby able to read and alter confidential data. This paper illustrates few different forms of SQL injection and based on observation, it is seen that SQL Injection is interpreted differently on different databases. Finally, an effective solution is proposed for the prevention of these kinds of injection attacks, in such a way that it is independent of the underlying platform and database. Two levels of user authentication has been proposed in this method, SQL based authentication and an XML based authentication, and has been found to be very effective in preventing such attacks.

show abstract

TransSQL: A Translation and Validation-Based Solution for SQL-injection Attacks

Cited by 24 publications

References 10 publications

A Learning-based Neural Network Model for the Detection and Classification of SQL Injection Attacks

A Learning-based Neural Network Model for the Detection and Classification of SQL Injection Attacks

SQL Injection Attacks: Technique and Prevention Mechanism

Preventing SQL Injection Attacks

Contact Info

Product

Resources

About