Abstract
SQL injection (SQLI) is one of the most serious security threats to web applications. Many techniques have been proposed for counteracting SQLI attacks (SQLIAs); however, most of them ignore second-order attacks and injection attacks that trigger data-type mismatch errors. In this paper, we propose a new anomaly-based method, deployed as a proxy between the application server and its database server, for detecting and/or preventing SQLIAs without requiring any modification to the source code of the vulnerable application. The majority of attacks, those that change the syntax of the application's queries, are identified in the detection phase by lexical analysis of the queries. The remaining types, such as second-order attacks and attacks that generate data-type mismatch errors, are prevented in the prevention phase, where each query is automatically converted to a parameterized query, using a semantic analysis method, before it is submitted to the database.
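As an added illustration (not the paper's implementation; its semantic-analysis step is not reproduced here and both phases are approximated lexically), the following Python sketches a proxy of the kind the abstract describes, placed in front of an in-memory SQLite database. A lexical skeleton of each query, learned from the application's own queries, rejects any query whose token structure changed (a tautology, a comment that truncates the query, or a string literal where a numeric literal was learned), and accepted queries are forwarded with their literals extracted into bind parameters. The tokenizer, the `QueryProxy` class, and all table, column and sample values are constructed for this example.

```python
import re
import sqlite3

# Illustrative SQL tokenizer (constructed for this example, not a full SQL lexer).
# Comments and string literals are matched before operators so that a quote
# inside a literal is never split apart.
TOKEN_RE = re.compile(r"""
    (?P<COMMENT>--[^\n]*|/\*.*?\*/)
  | (?P<STRING>'(?:[^']|'')*')
  | (?P<NUMBER>\d+(?:\.\d+)?)
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<OP><=|>=|<>|!=|\|\||[=<>+\-*/%])
  | (?P<PUNCT>[(),;.])
  | (?P<WS>\s+)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Split a query into (kind, text) tokens; unmatched characters become UNKNOWN."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            tokens.append(("UNKNOWN", sql[pos]))
            pos += 1
            continue
        pos = m.end()
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group()))
    return tokens


def skeleton(sql):
    """Lexical shape of a query: literals abstracted to their type, words
    upper-cased, comments and unknown characters kept as markers. Two queries
    with the same skeleton differ only in literal values."""
    shape = []
    for kind, text in tokenize(sql):
        if kind == "STRING":
            shape.append("LIT:STR")
        elif kind == "NUMBER":
            shape.append("LIT:NUM")
        elif kind == "WORD":
            shape.append(text.upper())
        elif kind in ("COMMENT", "UNKNOWN"):
            shape.append(kind)
        else:
            shape.append(text)
    return tuple(shape)


def parameterize(sql):
    """Replace every literal by a '?' placeholder and return the bound values,
    so the database receives literal values as data rather than as query text.
    Comments are dropped because they carry nothing the database needs."""
    parts, params = [], []
    for kind, text in tokenize(sql):
        if kind == "STRING":
            parts.append("?")
            params.append(text[1:-1].replace("''", "'"))
        elif kind == "NUMBER":
            parts.append("?")
            params.append(float(text) if "." in text else int(text))
        elif kind != "COMMENT":
            parts.append(text)
    return " ".join(parts), params


class QueryProxy:
    """Hypothetical proxy between application and database. Detection phase:
    reject queries whose skeleton was not seen while learning. Prevention
    phase: forward accepted queries in parameterized form."""

    def __init__(self, conn):
        self.conn = conn
        self.templates = set()

    def learn(self, sql):
        self.templates.add(skeleton(sql))

    def execute(self, sql):
        if skeleton(sql) not in self.templates:
            raise ValueError("rejected: query structure not in learned templates")
        query, params = parameterize(sql)
        return self.conn.execute(query, params).fetchall()


def demo():
    """Run constructed benign and malicious queries through the proxy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")
    proxy = QueryProxy(conn)
    # Learning phase: the application's own query shapes, with sample literals.
    proxy.learn("SELECT id FROM users WHERE name = 'x' AND pass = 'y'")
    proxy.learn("SELECT name FROM users WHERE id = 1")

    results = {"benign": proxy.execute(
        "SELECT id FROM users WHERE name = 'alice' AND pass = 's3cret'")}
    attacks = {
        "tautology": "SELECT id FROM users WHERE name = '' OR '1'='1' AND pass = 'no'",
        "comment": "SELECT id FROM users WHERE name = 'alice'--' AND pass = 'no'",
        "type_mismatch": "SELECT name FROM users WHERE id = 'abc'",
    }
    for label, sql in attacks.items():
        try:
            proxy.execute(sql)
            results[label] = "executed"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The `type_mismatch` case is the one the abstract singles out: the learned template carries a numeric literal at that position, so a quoted string there is refused by the proxy instead of reaching the database and producing a conversion error that an attacker could read. The tautology and comment cases are caught because their skeletons contain tokens (`OR`, a second comparison, a `COMMENT` marker) the learned template does not.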
Samarin, D., & Amini, M. (2019). Preventing SQL injection attacks by automatic parameterizing of raw queries using lexical and semantic analysis methods. Scientia Iranica, 26(6), 3469–3484. https://doi.org/10.24200/sci.2019.21229