Authors: Charles Asanya and Ratan Guha
The widespread use of web applications to store and disseminate information across the World Wide Web has made our lives easier and more interesting; however, this achievement has created unintended consequences. Web-based applications used for storing information are of great interest to attackers because of the sensitivity and usefulness of the information stored in them. Prolific attackers go to great lengths to gain access to this information. Structured Query Language Injection Attack (SQLIA) is one of the most common ways attackers gain access to and steal information. It is used to maliciously manipulate data stored in a database. User input taken from text boxes created by developers to allow interaction with a database is used to perform this attack. Using a malformed SQL statement, an attacker alters the intended query structure in order to break in and steal information or change and destroy a database. A successful attack can lead to financial and integrity loss for an organization. Unfortunately, many systems in operation today are vulnerable to this attack. The need for the detection and prevention of this type of attack has led to several proposals by researchers. Some of these proposals are too cumbersome and are therefore difficult to implement, or simply cannot stop all types of SQLIA. In this paper, we propose a Combinational Technique For Stopping SQL Injection in a Legacy System (CoTeFoLS). This technique uses a combinational defensive mechanism to detect and prevent SQLIA in a deployed ASP.net based web application. It acts as a wrapper around the existing application and integrates effortlessly with the current system. This paper briefly describes several proposed techniques for the detection and prevention of SQL Injection Attack. The paper provides the definition of SQLIA. It then presents a novel idea for the detection and prevention of SQLIA in an existing system that may be vulnerable to SQL injection attack. It then concludes with a suggestion for future work.
Keywords: Combinational Technique, Defensive Coding, World Wide Web, Vulnerability, Web Based Application, Wrapper, Deployed System
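As an added illustration (not the paper's CoTeFoLS code, which the abstract does not show), the following Python sketch shows the kind of structural check a wrapper in front of a legacy application could make: the text-box value is spliced into the developer's intended query the way a concatenating legacy page would do it, and the request is flagged when the resulting token structure differs from the same query filled with a harmless placeholder. The query template, the sample inputs and the `escape` helper are constructed for this example.

```python
import re

# Constructed example: the developer's intended query, with one user-supplied
# value spliced in by string concatenation as a legacy ASP.net page might do.
TEMPLATE = "SELECT id FROM users WHERE name = '{value}' AND active = 1"

# Minimal SQL tokenizer: string and numeric literals, comments, words, operators.
TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'         |  # string literal ('' is an escaped quote)
    \d+                    |  # numeric literal
    --[^\n]*               |  # line comment
    /\*.*?\*/              |  # block comment
    [A-Za-z_][A-Za-z0-9_]* |  # keyword or identifier
    <>|<=|>=|!=|[=<>*,();]    # operators and punctuation
""", re.VERBOSE | re.DOTALL)


def structure(sql):
    """Abstract a query to its shape: literals become type markers,
    every other token (keywords, identifiers, operators) is kept verbatim."""
    shape = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'"):
            shape.append("<STR>")
        elif tok[0].isdigit():
            shape.append("<NUM>")
        elif tok.startswith(("--", "/*")):
            shape.append("<COMMENT>")
        else:
            shape.append(tok.upper())
    return shape


def is_injection(template, value):
    """True when the user value changes the query's structure relative to
    the same template filled with a harmless placeholder value."""
    expected = structure(template.format(value="x"))
    actual = structure(template.format(value=value))
    return actual != expected


def escape(value):
    """Quote-doubling a wrapper would apply before the structural check, so
    that a legitimate apostrophe (O'Brien) stays inside the string literal."""
    return value.replace("'", "''")


if __name__ == "__main__":
    for v in ["alice", "' OR 1=1 --", "O'Brien", escape("O'Brien")]:
        print(repr(v), "->", "BLOCK" if is_injection(TEMPLATE, v) else "allow")
```

An unescaped apostrophe is flagged as well, because it genuinely breaks the intended query; the wrapper's escaping step is what lets such input through safely.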