
The Study On Parse Tree Based SQL Injection Attacks Mechanisms

Posted on: 2014-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: T Han
Full Text: PDF
GTID: 2298330422990405
Subject: Computer Science and Technology
Abstract/Summary:
With the development of web technology, database-driven web applications provide flexible, convenient, available, and varied services for users. Nowadays, cloud technology can supply rapid elasticity to allocate computing resources for database-driven applications, which helps these applications provide better service for users. Consequently, more and more database-driven applications are deployed in the cloud. Although web and cloud technologies have several advantages, various security threats have been described. Among these threats, SQL injection attacks (SQLIAs) are one of the most serious. SQLIAs are code injection attacks that exploit security vulnerabilities in source code to attack databases. An SQLIA allows attackers to bypass authentication, access private information, modify data, and even destroy databases. In the past, attackers have designed several methods, such as union queries, tautologies, multiple queries, and detection evasion, to attack back-end databases. Moreover, these methods can also be combined into a new attack.

The main cause of SQLIAs is insufficient verification of user input. Although developers can add code to prevent SQLIAs, this approach depends on human behaviour, which is not the best choice. Hence, assisted detection methods are needed to detect SQLIAs. During the past few years, many researchers have proposed several types of methods to detect SQLIAs, such as static analysis, dynamic analysis, combined static and dynamic analysis, and taint tracking. Nevertheless, these methods still have several drawbacks, such as requiring access to or modification of source code, rewriting source code with extra libraries, or requiring complex assisting devices.

In this dissertation, we propose a detection approach based on parse trees. When an HTTP request is received from a user, a parse tree is generated according to the user's request. Meanwhile, the stored parse tree record for that request is retrieved and compared with the generated parse tree. If the two trees are equal, no SQLIA is involved in the request. We apply this approach to two environments, web environments and cloud-assisted wireless body area networks (WBANs), and propose two mechanisms, DSD (Dynamic SQLIAs Detection) and CCSD (Cloud Computing SQLIAs Detection), to detect SQLIAs in each of them respectively. Moreover, CCSD can be applied directly to different cloud environments. Note that neither CCSD nor DSD requires access to or modification of source code, rewriting source code with extra libraries, or complex assisting devices. In experiments, we demonstrate that DSD and CCSD have high accuracy rates, low false positive rates, and low response times. Therefore, they are efficient mechanisms for providing SQLIA detection in the two environments.
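The parse-tree comparison described in the abstract, as an added illustration rather than the thesis's own DSD/CCSD implementation: a token-level skeleton (literals abstracted to placeholders) stands in for a full SQL parse tree, a baseline skeleton is recorded from a known-good request, and any runtime query whose skeleton differs is flagged. The vulnerable `build_query` helper, table and column names are constructed for this example.

```python
import re

# Token classes. Literals collapse to a placeholder so that only the query
# structure (keywords, identifiers, operators) takes part in the comparison,
# which is what comparing parse trees checks.
TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*')           # single-quoted string literal
  | (?P<num>\b\d+(?:\.\d+)?\b)        # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)  # keyword or identifier
  | (?P<op><=|>=|<>|!=|[=<>(),;*])    # operators and punctuation
  | (?P<cmt>--[^\n]*|/\*.*?\*/)       # SQL comments
  | (?P<ws>\s+)
  | (?P<other>.)                      # anything unexpected
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "INSERT",
            "UPDATE", "DELETE", "DROP", "NOT", "NULL", "LIKE"}

def query_skeleton(sql):
    """Structural skeleton of a query: string/number literals become
    'STR'/'NUM', keywords are kept, other identifiers become 'ID'."""
    skel = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "str":
            skel.append("STR")
        elif kind == "num":
            skel.append("NUM")
        elif kind == "word":
            up = text.upper()
            skel.append(up if up in KEYWORDS else "ID")
        elif kind == "cmt":
            skel.append("COMMENT")
        else:
            skel.append(text)
    return tuple(skel)

def build_query(username, password):
    # Constructed vulnerable pattern: user input concatenated into SQL.
    return ("SELECT id FROM users WHERE name = '" + username
            + "' AND pwd = '" + password + "'")

# The "old record": skeleton learned from a known-good request for this page.
BASELINE = query_skeleton(build_query("alice", "s3cret"))

def is_injection(username, password):
    """True when the runtime skeleton differs from the recorded baseline."""
    return query_skeleton(build_query(username, password)) != BASELINE
```

A tautology or comment in the input adds tokens such as OR, STR or COMMENT to the skeleton, so it no longer matches the baseline even though the literal values themselves are ignored.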
Keywords/Search Tags: SQL injection attacks, Parse tree, Detection, Cloud-assisted wireless body area network, Web environments