Title | SQL-Identifier Injection Attacks |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Cetin, Cagri, Goldgof, Dmitry, Ligatti, Jay |
Conference Name | 2019 IEEE Conference on Communications and Network Security (CNS) |
Keywords | automated analysis, code vulnerability, Collaboration, confidential patient information, electronic health records, electronic medical record software, GitHub, Health Care, Human Behavior, injecting identifiers, Java, Metrics, policy-based governance, prepared-statement API, privacy, pubcrawl, resilience, Resiliency, security of data, software maintenance, software reliability, SQL, SQL detection, SQL Injection, SQL statements, SQL-ID IAs, SQL-identifier injection attacks |
Abstract | This paper defines a class of SQL-injection attacks that are based on injecting identifiers, such as table and column names, into SQL statements. An automated analysis of GitHub shows that 15.7% of 120,412 posted Java source files contain code vulnerable to SQL-Identifier Injection Attacks (SQL-IDIAs). We have manually verified that some of the 18,939 Java files identified during the automated analysis are indeed vulnerable to SQL-IDIAs, including deployed Electronic Medical Record software for which SQL-IDIAs enable discovery of confidential patient information. Although prepared statements are the standard defense against SQL injection attacks, existing prepared-statement APIs do not protect against SQL-IDIAs. This paper therefore proposes and evaluates an extended prepared-statement API to protect against SQL-IDIAs. |
DOI | 10.1109/CNS.2019.8802743 |
Citation Key | cetin_sql-identifier_2019 |