ABSTRACT
The use of web applications has become increasingly popular in our routine activities, such as reading the news, paying bills, and shopping on-line. As the availability of these services grows, we are witnessing an increase in the number and sophistication of attacks that target them. In particular, SQL injection, a class of code-injection attacks in which specially crafted input strings result in illegal queries to a database, has become one of the most serious threats to web applications. In this paper we present and evaluate a new technique for detecting and preventing SQL injection attacks. Our technique uses a model-based approach to detect illegal queries before they are executed on the database. In its static part, the technique uses program analysis to automatically build a model of the legitimate queries that could be generated by the application. In its dynamic part, the technique uses runtime monitoring to inspect the dynamically-generated queries and check them against the statically-built model. We developed a tool, AMNESIA, that implements our technique and used the tool to evaluate the technique on seven web applications. In the evaluation we targeted the subject applications with a large number of both legitimate and malicious inputs and measured how many attacks our technique detected and prevented. The results of the study show that our technique was able to stop all of the attempted attacks without generating any false positives.
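The abstract's two-part approach can be made concrete with a small simulation. The following is an added Python example, not AMNESIA's own code: the static part is simulated by deriving a token-level model from the fixed fragments of one query site, and the dynamic part by tokenizing each generated query and checking it against that model before it would reach the database. The query site, the placeholder token, the simplified tokenizer and the sample inputs are all constructed for illustration; AMNESIA's real model is an automaton built from a string analysis of the whole application, which this single linear query site simplifies.

```python
import re

# Tokenizer for a simplified SQL dialect (assumption: single-quoted string
# literals with '' as the escape, integers, words, two-character operators
# and single-character punctuation). AMNESIA itself uses a full SQL parser.
_TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|\w+|<>|<=|>=|\S")
_LITERAL_RE = re.compile(r"^(?:'(?:[^']|'')*'|\d+)$")
HOLE = object()       # marks where user input is concatenated at a query site
_FILLER = "xBETAx"    # placeholder used only while building the model

def tokenize(sql):
    """Split a query string into SQL tokens."""
    return _TOKEN_RE.findall(sql)

def build_model(fragments):
    """Static part (simulated): derive the legal token sequence of one query
    site from its fixed fragments. Each hole is filled with a placeholder, and
    any token containing it becomes a slot that may hold one literal at runtime."""
    text = "".join(_FILLER if f is HOLE else f for f in fragments)
    return [("LITERAL", None) if _FILLER in t else ("EXACT", t)
            for t in tokenize(text)]

def is_legal(model, query):
    """Dynamic part: tokenize the generated query and check it token by token
    against the model. Input that smuggles in keywords or operators changes
    the token sequence, so the query is rejected before it reaches the DB."""
    tokens = tokenize(query)
    if len(tokens) != len(model):
        return False
    for (kind, expected), tok in zip(model, tokens):
        if kind == "EXACT" and tok != expected:
            return False
        if kind == "LITERAL" and not _LITERAL_RE.match(tok):
            return False
    return True

def render(fragments, values):
    """How the hypothetical application builds its query: string concatenation."""
    it = iter(values)
    return "".join(next(it) if f is HOLE else f for f in fragments)

# Constructed login query site, as the static analysis would recover it.
LOGIN_SITE = ["SELECT * FROM users WHERE login='", HOLE, "' AND pin=", HOLE]
LOGIN_MODEL = build_model(LOGIN_SITE)

def check_login(login, pin):
    """Build the query for the given inputs and report whether it is legal;
    e.g. ("alice", "1234") -> True, ("admin' OR '1'='1", "1") -> False."""
    return is_legal(LOGIN_MODEL, render(LOGIN_SITE, [login, pin]))
```

A correctly escaped value such as `O''Brien` still yields exactly one string-literal token, so it is accepted, while input that adds an operator or keyword changes the token sequence and is rejected without any signature of the attack string.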
CITED BY 19
Davide Balzarotti, Marco Cova, Viktoria V. Felmetsger, Giovanni Vigna. Multi-module vulnerability analysis of web-based applications. Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA.
Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. Secure web application via automatic partitioning. ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007.
Lieven Desmet, Frank Piessens, Wouter Joosen, Pierre Verbaeten. Bridging the gap between web application firewalls and web applications. Proceedings of the fourth ACM workshop on Formal methods in security, p.67-77, November 03-03, 2006, Alexandria, Virginia, USA.
Sruthi Bandhakavi, Prithvi Bisht, P. Madhusudan, V. N. Venkatakrishnan. CANDID: preventing sql injection attacks using dynamic candidate evaluations. Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA.