Labeling user inputs to prevent SQL injection attacks

Abstract

SQL Injection Attacks (SQLIAs) aim at exploiting vulnerabilities in web applications in order to execute malicious SQL commands. It is established that prepared statements are resilient to SQLIA, but unfortunately their use is not as pervasive as it should be. This thesis presents SQLPIL (SQL injection Prevention by Input Labeling); an effective and light semi-automated tool that leverages prepared statements to defeat SQLIAs. SQLPIL steps proceed as follows: 1) The subject web application is instrumented; 2) At runtime, the (secured) instrumented application ensures that user inputs reaching the SQL query strings are labeled; and 3) The query strings to be executed are analyzed at runtime in order to identify the parts that originated from inputs and accordingly generate-execute safe prepared statements. We provide two implementations of SQLPIL, one for the Java platform and another for ASP.NET. We empirically evaluated our Java implementation using a benchmark that includes five JSP commercial applications and a large number of attacks and legitimate queries. The results were promising as all 1000 attacks were prevented, and all 1000 legitimate runs executed successfully; in other words, the technique exhibited no false alarms when applied on typical applications. Also, the runtime cost averaged percent6.5. Relying on the resilience of prepared statements to defeat SQLIA’s was shown to be a successful approach. And the overhead of achieving that through the use of a tool such as SQLPIL was shown to be acceptable.