CANDID: Preventing SQL injection attacks using dynamic candidate evaluations

Sruthi Bandhakavi, Prithvi Bisht, P. Madhusudan, V. N. Venkatakrishnan

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called CANDID, for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called CANDID that retrofits Web applications written in Java to defend them against SQL injection attacks. We report extensive experimental results that show that our approach performs remarkably well in practice.
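As an added illustration of the comparison the abstract describes (this is not code from the paper or from the CANDID tool): the query built from the real input is compared, structure for structure, with the query built from a benign candidate input of the same length; a mismatch means the input changed the programmer-intended query structure. The token-level notion of "structure", the all-`a` candidate string, and the `build_login_query` function are assumptions made here, and the injection strings are constructed sample inputs.

```python
import re

# Crude SQL tokenizer used only to recover query *structure*: literals and
# comments are abstracted to their kind; keywords, identifiers and punctuation
# are kept as-is. (Assumption: the real tool parses SQL properly.)
TOKEN_RE = re.compile(r"""
    (?P<STRING>'(?:[^']|'')*')      # single-quoted literal ('' escapes a quote)
  | (?P<COMMENT>--[^\n]*)           # line comment swallows the rest of the line
  | (?P<NUMBER>\d+(?:\.\d+)?)
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<OP>\S)                      # any other non-space character
""", re.VERBOSE)


def query_structure(query: str) -> list:
    """Token-kind sequence of a query; two queries have the same structure
    exactly when these sequences are equal."""
    shape = []
    for m in TOKEN_RE.finditer(query):
        kind = m.lastgroup
        if kind in ("STRING", "NUMBER", "COMMENT"):
            shape.append(kind)            # contents of literals do not matter
        elif kind == "WORD":
            shape.append(m.group().upper())
        else:
            shape.append(m.group())
    return shape


def candidate_input(user_input: str) -> str:
    # Benign candidate of the same length (assumed choice: a run of 'a's)
    return "a" * len(user_input)


def build_login_query(username: str) -> str:
    # Hypothetical query construction via string concatenation (not from the paper)
    return "SELECT * FROM users WHERE name = '" + username + "'"


def candid_check(build_query, user_input: str) -> bool:
    """True when the query built from user_input has the structure obtained on
    the benign candidate run, i.e. the programmer-intended structure."""
    actual = query_structure(build_query(user_input))
    intended = query_structure(build_query(candidate_input(user_input)))
    return actual == intended


if __name__ == "__main__":
    for inp in ["alice", "' OR '1'='1", "x'; DROP TABLE users; --"]:
        verdict = "benign" if candid_check(build_login_query, inp) else "ATTACK"
        print(repr(inp), "->", verdict)
```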

Original language: English (US)
Title of host publication: CCS'07 - Proceedings of the 14th ACM Conference on Computer and Communications Security
Pages: 12-24
Number of pages: 13
DOIs
State: Published - 2007
Event: 14th ACM Conference on Computer and Communications Security, CCS'07 - Alexandria, VA, United States
Duration: Oct 29 2007 to Nov 2 2007

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Other

Other: 14th ACM Conference on Computer and Communications Security, CCS'07
Country/Territory: United States
City: Alexandria, VA
Period: 10/29/07 to 11/2/07

Keywords

  • Dynamic monitoring
  • Retrofitting code
  • SQL injection attacks
  • Symbolic evaluation

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
