Abstract
Securing the data, a fundamental asset in an organization, against SQL Injection (SQLI), the most frequent attack in web applications, is vital. In SQLI, an attacker alters the structure of the actual query by injecting code via the input, and gaining access to the database. This paper proposes a new method for securing web applications against SQLI Attacks (SQLIAs). It contains two phases based on systematic analysis and runtime validation and uses our new technique for detection and prevention. At the static phase, our method removes user inputs from SQL queries and gathers as much information as possible, from static and dynamic queries in order to minimize the overhead at runtime. On the other hand, at the dynamic phase, the prepared information alongside our technique are used to check the validity of the runtime query. To facilitate the usage of our method and show our expectations in practice, ESARV was implemented. The empirical evaluations demonstrated in this paper, indicate that ESARV is efficient, accurate, effective, and also has no deployment requirements.
Highlights
Web applications are widely used due to providing accessibility and convenience
This paper proposes a new method for securing web applications against SQL Injection (SQLI) Attacks (SQLIAs)
This combinational method is based on systematic analysis and runtime validation and uses our proposed detection and prevention technique for information security
Summary
Web applications are widely used due to providing accessibility and convenience. Their vast usage makes them a suitable target for an attacker; preserving their security becomes essential. Different types of attacks exist for web applications and according to OWASP Top Ten in 2017 [4], SQLIA has the highest frequency among them all. This shows the significance of securing web applications and their data against this frequent attack. SQLIAs have different types: tautology, illegal/logically incorrect, union, piggy backed, blind injection, timing attacks, alternate encoding and Stored Procedure (SP).
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: Indonesian Journal of Electrical Engineering and Informatics (IJEEI)
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
