SQLPrevent: Effective Dynamic Protection Against SQL Injection Attacks

This paper presents an approach for retrofitting existing web applications with run-time protection against known as well as unseen SQL injection attacks (SQLIAs). This approach (1) is resistant to evasion techniques, such as hexadecimal encoding or inline comment, (2) does not require analysis or modification of the application source code, (3) does not require modification of the runtime environment, such as PHP interpreter or JVM, and (4) is independent of the back-end database used. The approach precision is also enhanced with a method for reducing the rate of false positives in the SQLIA detection logic via runtime discovery of the developers' intention for individual SQL statements made by web applications. We have implemented the proposed approach in the form of protection mechanisms for J2EE applications. Named SQLPrevent, these mechanisms intercept both HTTP requests and SQL statements, mark and track parameter values originated from HTTP requests, and perform SQLIA detection and prevention on the intercepted SQL statements. We extended the AMNESIA testbed to contain false positive testing traces, and employed the extended testbed to evaluate SQLPrevent over 15,000 unique HTTP requests with five web applications. In our experiments, SQLPrevent produced no known false positives or false negatives, and imposed a 3.6% performance overhead with respect to 30 millisecond response time in the tested applications. We also ported SQLPrevent to ASP.NET and ASP, which is of vital importance to the protection of legacy ASP applications, as they have been the target of several massive SQLIAs since October 2007.