    Prevention of SQL Injection Attacks using AWS WAF

    SQL injection is one of several code injection techniques used to attack data-driven applications. The attacker supplies input that alters the query in a way the application's programmer did not intend, gaining access to the database and potentially reading, modifying, or deleting users' data. These vulnerabilities stem from inadequate input validation, a critical part of software security that is often not properly addressed in the design phase of the software development lifecycle. This paper presents techniques and countermeasures for the detection and prevention of SQL injection attacks. The procedure proposed in the paper places a database firewall, deployed through AWS, between the client (user) side and the database server to block the malicious code injected by attackers.

    Runtime monitors for tautology based SQL injection attacks

    Increased usage of web applications in recent years has emphasized the need to achieve (i) confidentiality, (ii) integrity, and (iii) availability of web applications. Since the backend database is the main target of external attacks such as SQL injection attacks, there is a growing need to handle such attacks in order to secure stored information. Pre-deployment testing alone does not ensure complete security, so post-deployment monitoring of web applications during their interaction with the external world can help handle SQL injection attacks more effectively. In this paper, we present a framework that handles tautology-based SQL injection attacks using a post-deployment monitoring technique. Our framework uses two pre-deployment testing techniques, basis path testing and data flow testing, to identify the legal execution paths of the software. Runtime monitors are then developed and integrated to observe the software's behavior along the identified execution paths, so that a violation of those paths detects and prevents tautology-based SQL injection attacks. © 2012 IEEE
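    The following is an added example, not code from either paper above, tying the two abstracts together on a single constructed login query. It shows the string-concatenated query the first abstract describes, the tautology payloads (' OR '1'='1 and ' OR 1=1 --) that the second abstract targets, the parameterized form that removes the injection point, and a simplified runtime monitor. The monitor is a hypothetical stand-in for the paper's framework: instead of monitors derived from basis-path and data-flow testing, it records the structural signature of the SQL statement that the legal login path issues and refuses any statement whose signature differs. All names (make_db, build_login_sql, QueryMonitor, LEGAL_LOGIN_SIGNATURE) and the two-row users table are constructed for this example; it runs offline with only the Python standard library and SQLite.

```python
import re
import sqlite3

# Constructed sample data (not from either paper): a tiny users table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_login_sql(username, password):
    """The injection point: user input is concatenated straight into the query text."""
    return (f"SELECT id FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn, username, password):
    """Runs the concatenated query as-is; a tautology in the input matches every row."""
    return sorted(row[0] for row in conn.execute(build_login_sql(username, password)))


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data, so the query shape is fixed."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# --- Simplified post-deployment monitor (hypothetical, not the paper's framework) ---

_TOKEN = re.compile(r"""
      '(?:[^']|'')*'          # single-quoted string literal ('' is an escaped quote)
    | \d+(?:\.\d+)?           # numeric literal
    | --[^\n]*                # line comment, often used to swallow the rest of a query
    | [A-Za-z_][A-Za-z0-9_]*  # keyword or identifier
    | \S                      # any other single character: operators, punctuation
""", re.VERBOSE)


def sql_signature(sql):
    """Reduce a statement to its structure: literals become placeholders and keywords are
    case-folded. Input that adds OR, comparison or comment tokens changes the signature."""
    parts = []
    for match in _TOKEN.finditer(sql):
        tok = match.group(0)
        if tok.startswith("'"):
            parts.append("?s")
        elif tok[0].isdigit():
            parts.append("?n")
        elif tok.startswith("--"):
            parts.append("--")
        else:
            parts.append(tok.upper())
    return " ".join(parts)


class QueryMonitor:
    """Holds the signatures observed on legal execution paths before deployment and
    refuses any statement at runtime whose signature is not in that set."""

    def __init__(self, allowed_signatures):
        self.allowed = set(allowed_signatures)
        self.blocked = []  # audit trail of refused statements

    def check(self, sql):
        signature = sql_signature(sql)
        if signature in self.allowed:
            return True
        self.blocked.append(sql)
        return False


# Signature the login path produces on legal input, learned from a benign pre-deployment run.
LEGAL_LOGIN_SIGNATURE = sql_signature(build_login_sql("alice", "s3cret"))


def login_monitored(conn, monitor, username, password):
    """Legacy concatenation left in place, but the statement is vetted before execution.
    Returns None when the monitor refuses the statement."""
    sql = build_login_sql(username, password)
    if not monitor.check(sql):
        return None
    return sorted(row[0] for row in conn.execute(sql))


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "alice", payload))        # [1, 2]
    print("parameterized:", login_parameterized(conn, "alice", payload))  # []
    monitor = QueryMonitor([LEGAL_LOGIN_SIGNATURE])
    print("monitored:", login_monitored(conn, monitor, "alice", "' OR 1=1 --"))  # None
    print("blocked:", monitor.blocked)
```

    Two caveats a practitioner would apply to both papers' approaches: a firewall or a structural monitor is a second layer, and parameterized queries remain the primary fix, since the monitor only sees statements after the legacy code has already built them; and a signature check of this kind can only catch attacks that change the statement's structure, so a payload that is merely a different literal (a guessed password, an unexpected but well-formed value) passes it unchanged.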