Systematic Review Analysis on SQLIA Detection and Prevention Approaches

Muhammad Saidu Aliero, Kashif Naseer Qureshi, Muhammad Fermi Pasha, Imran Ghani, Rufai Aliyu Yauri

Research output: Contribution to journal › Review article › peer-review

Abstract

SQL injection attack (SQLIA) is one of the most severe attacks that can be used against web database-driven applications. Attackers use SQLIA to gain unauthorized access and perform unauthorized data modification. To combat the problem of SQLIA, different researchers have proposed a variety of tools and methods that can be used as a defense barrier between the client application and the database server. However, these tools and methods have failed to address the whole problem of SQL injection attack, because most of the approaches are vulnerable in nature, cannot resist sophisticated attacks, or are limited in scope to a subset of SQLIA types. In this regard, different researchers have proposed different approaches (experimental and analytical evaluation) to evaluate the effectiveness of these existing tools based on the types of SQLIA they can detect or prevent. However, none of the researchers considered evaluating these existing tools or methods based on their ability to be deployed for various injection parameters or development requirements; therefore, in this study Kitchenham's guidelines for performing a systematic review of software were followed in conducting our study. In this paper, we reviewed the tools and methods that are commonly used in the detection and prevention of SQLIA. Finally, we analytically evaluated the reviewed tools and methods, based on our experience, with respect to SQLIA types and injection parameters. The evaluation result showed that most researchers focused on proposing approaches to detect and prevent SQLIAs, rather than evaluating the efficiency and effectiveness of the existing SQLIA detection and prevention tools/methods. The study also revealed that previous studies placed more emphasis on prevention measures than on detection measures in combating the problem of SQLIAs. The analysis showed that these tools and methods are developed to prevent a subset of SQLIA types, and only a few of them can be deployed for the various injection parameters that need to be considered in examining SQLIAs. It further revealed that none of the tools or methods can be deployed to prevent attacks that take advantage of second-order (server-side SQLIA) SQL injection vulnerabilities. Finally, the study highlights the major challenges that require an immediate response from developers and researchers in order to prevent the risk of being hacked through SQLIAs.
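The abstract's closing finding is that existing tools do not cover second-order (server-side) SQL injection, where the dangerous value is stored safely at one request and only becomes SQL when a later request reads it back and concatenates it into a new statement. The following is an added illustration, not code from the paper or from any tool it reviews: it uses Python's standard sqlite3 module with a constructed two-table schema, constructed usernames and notes, and hypothetical function names (`register_user`, `fetch_notes_vulnerable`, `fetch_notes_hardened`) to show the vulnerable sink next to its parameterized replacement.

```python
import sqlite3


def setup_db():
    # Constructed sample schema: 'users' holds registered accounts, 'secrets' holds
    # per-user notes that a later request looks up by username.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("CREATE TABLE secrets (username TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO secrets VALUES (?, ?)",
        [("alice", "alice-private"), ("bob", "bob-private")],
    )
    return conn


def register_user(conn, username, email):
    # First-order entry point: the input is stored with a parameterized INSERT, so
    # this query is safe and request-time input filters see nothing wrong here.
    cur = conn.execute(
        "INSERT INTO users (username, email) VALUES (?, ?)", (username, email)
    )
    conn.commit()
    return cur.lastrowid


def fetch_notes_vulnerable(conn, user_id):
    # Second-order sink: the stored username is read back from the database,
    # trusted because it "came from the database", and concatenated into a new
    # statement. Any SQL syntax persisted at registration now executes here.
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    query = "SELECT note FROM secrets WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def fetch_notes_hardened(conn, user_id):
    # Same lookup with the stored value bound as a parameter: the database treats
    # it as one string literal regardless of where it originally came from.
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return [
        row[0]
        for row in conn.execute(
            "SELECT note FROM secrets WHERE username = ?", (username,)
        )
    ]


def demo():
    # Constructed inputs: one ordinary account and one whose stored username carries
    # a tautology. Returns both code paths' results so the difference can be checked.
    conn = setup_db()
    benign = register_user(conn, "alice", "alice@example.invalid")
    crafted = register_user(conn, "mallory' OR 'a'='a", "mallory@example.invalid")
    return {
        "benign_vulnerable": fetch_notes_vulnerable(conn, benign),
        "benign_hardened": fetch_notes_hardened(conn, benign),
        "crafted_vulnerable": sorted(fetch_notes_vulnerable(conn, crafted)),
        "crafted_hardened": fetch_notes_hardened(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point for a reviewer of detection tools is that the first query (the INSERT) is exactly what a request-boundary filter or a query-structure checker inspects, and it is clean; the injection only materializes inside `fetch_notes_vulnerable`, where the input is a database column rather than an HTTP parameter. Binding the value as a parameter in `fetch_notes_hardened` closes the hole independently of where the value originated, which is why parameterization at every sink, not input validation at the entry point, is the durable mitigation.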

Original language: English
Pages (from-to): 2297-2333
Number of pages: 37
Journal: Wireless Personal Communications
Volume: 112
Issue number: 4
DOIs
Publication status: Published - 1 Jun 2020
Externally published: Yes

Keywords

  • Analytical evaluation
  • Detection method
  • Detection tool
  • Injection parameters
  • SQLIA prevention
  • SQLIAs detection
  • Types of SQLIAs
