SQLPrevent: Effective Dynamic Detection and Prevention of SQL Injection Attacks Without Access to the Application Source Code

This paper presents an effective approach for detecting and preventing known as well as novel SQL injection attacks. Unlike existing approaches, ours (1) is resistant to evasion techniques, such as hexadecimal encoding or inline comment, (2) does not require analysis or modification of the application source code, (3) does not need training traces, (4) does not require modification of the runtime environment, such as PHP interpreter or JVM, and (5) is independent of the back-end database used. Our approach is based on two simple observations, that (1) in malicious HTTP requests, parameter values are used not only as \emph{literals} in the corresponding SQL statements but also as other SQL constructs, such as delimiters, identifiers or operators; and (2) a malformed parameter value in an HTTP request comprises more than one SQL \emph{token}. We use J2EE to implement a tool we have named SQLPrevent that dynamically detects SQL injection attacks using the above heuristics, and blocks the corresponding SQL statements from being submitted to the back-end database. Using the AMNESIA testbed, we evaluate SQLPrevent over 15,000 unique HTTP requests with five web applications. In our experiments, SQLPrevent produced no false positives or false negatives, and imposed at most 4\% (0.3\% on average) performance overhead with respect to average 500 millisecond response time in the testbed applications