AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. The use of web applications has become increasingly popular in our routine activities, such as reading the news, paying bills, and shopping on-line. As the availability of these services grows, we are witnessing an increase in the number and sophistication of attacks that target them. In particular, SQL injection, a class of code-injection attacks in which specially crafted input strings result in illegal queries to a database, has become one of the most serious threats to web applications. In this paper we present and evaluate a new technique for detecting and preventing SQL injection attacks. Our technique uses a model-based approach to detect illegal queries before they are executed on the database. In its static part, the technique uses program analysis to automatically build a model of the legitimate queries that could be generated by the application. In its dynamic part, the technique uses runtime monitoring to inspect the dynamically-generated queries and check them against the statically-built model. We developed a tool, AMNESIA, that implements our technique and used the tool to evaluate the technique on seven web applications. In the evaluation we targeted the subject applications with a large number of both legitimate and malicious inputs and measured how many attacks our technique detected and prevented. The results of the study show that our technique was able to stop all of the attempted attacks without generating any false positives.

This software is also peer reviewed by journal TOMS.

References in zbMATH (referenced in 11 articles )

Showing results 1 to 11 of 11.
Sorted by year (citations)

  1. Li, Xiaowei; Xue, Yuan.: A survey on server-side approaches to securing web applications (2014)
  2. Rimsa, Andrei; D’Amorim, Marcelo; Pereira, Fernando Magno Quintão; Bigonha, Roberto S.: Efficient static checker for tainted variable attacks (2014)
  3. Fu, Xiang; Powell, Michael C.; Bantegui, Michael; Li, Chung-Chih: Simple linear string constraints (2013)
  4. Lee, Inyong; Jeong, Soonki; Yeo, Sangsoo; Moon, Jongsub: A novel method for SQL injection attack detection based on removing SQL query attribute values (2012)
  5. Bravenboer, Martin; Dolstra, Eelco; Visser, Eelco: Preventing injection attacks with syntax embeddings (2010)
  6. Chakraborty, Anindya; Majumdar, Arun K.; Sural, Shamik: A column dependency-based approach for static and dynamic recovery of databases from malicious transactions (2010) ioport
  7. Gil, Joseph (Yossi); Lenz, Keren: Simple and safe SQL queries with \textttC++ templates (2010)
  8. Huynh, Toan; Miller, James: An empirical investigation into open source web applications’ implementation vulnerabilities (2010) ioport
  9. Sawin, Jason; Rountev, Atanas: Improving static resolution of dynamic class loading in Java using dynamically gathered environment information (2009) ioport
  10. Xydas, I.; Miaoulis, G.; Bonnefoi, P.-F.; Plemenos, D.; Ghazanfarpour, D.: Using an evolutionary neural network for web intrusion detection (2008)
  11. Sher, Muhammad; Magedanz, Thomas: A vulnerabilities analysis and corresponding middleware security extensions for securing NGN applications (2007)