SQL Injection (SQLI) is a common vulnerability found in web applications. The starting point of an SQLI attack is the client side (the browser). If attack inputs can be detected early at the browser side, the attack can be thwarted early by not forwarding the malicious inputs to the server side for further processing. This paper presents a client-side approach to detect SQLI attacks. The client side accepts shadow SQL queries from the server side and checks for any deviation between the shadow queries and the dynamic queries generated with user-supplied inputs. We measure the deviation between shadow query and dynamic query based on conditional entropy metrics and propose four metrics in this direction. We evaluate the approach with three PHP applications containing SQLI vulnerabilities. The evaluation results indicate that our approach can detect well-known SQLI attacks early at the client side and imposes negligible overhead.
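An added illustration of the shadow-versus-dynamic query comparison described in the abstract; it is not the paper's code and not one of its four metrics, which this page does not define. It assumes a `{name}`-style placeholder template, benign shadow values, and a single measure: the conditional entropy of the next token given the current one.

```javascript
// Added illustration, not the paper's code. The template, placeholder syntax
// and this single entropy measure are assumptions made for the example.

// Normalise a query: string literals -> STR, numbers -> NUM, words upper-cased,
// any other non-space character kept as its own token.
function tokenize(sql) {
  const raw = sql.match(/'[^']*'|\d+|\w+|[^\s\w]/g) || [];
  return raw.map(t =>
    t.length > 1 && t.startsWith("'") ? "STR" : /^\d+$/.test(t) ? "NUM" : t.toUpperCase());
}

// H(next | current) in bits over the adjacent token pairs of one query.
function conditionalEntropy(tokens) {
  const pairs = new Map(); // current token -> Map(next token -> count)
  for (let i = 0; i + 1 < tokens.length; i++) {
    const next = pairs.get(tokens[i]) || new Map();
    next.set(tokens[i + 1], (next.get(tokens[i + 1]) || 0) + 1);
    pairs.set(tokens[i], next);
  }
  const total = Math.max(tokens.length - 1, 1);
  let h = 0;
  for (const next of pairs.values()) {
    const n = [...next.values()].reduce((a, b) => a + b, 0);
    for (const c of next.values()) h -= (c / total) * Math.log2(c / n);
  }
  return h;
}

// Substitute values into {name}-style placeholders.
function fill(template, values) {
  return template.replace(/\{(\w+)\}/g, (_, key) => values[key]);
}

// True when the dynamic query's entropy differs from the shadow query's.
function deviates(template, shadowValues, userValues) {
  const hShadow = conditionalEntropy(tokenize(fill(template, shadowValues)));
  const hDynamic = conditionalEntropy(tokenize(fill(template, userValues)));
  return Math.abs(hShadow - hDynamic) > 1e-9;
}

// Constructed sample data.
const TEMPLATE = "SELECT * FROM users WHERE name = '{name}' AND pass = '{pass}'";
const SHADOW = { name: "aaa", pass: "bbb" };
console.log(deviates(TEMPLATE, SHADOW, { name: "alice", pass: "s3cret" }));  // benign input
console.log(deviates(TEMPLATE, SHADOW, { name: "' OR '1'='1", pass: "x" })); // tautology input
```

Equal entropy does not prove equal structure, so a single scalar like this one is a coarse check and can miss inputs that change the query without changing the measure.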
Hossain Shahriar
University of West Florida
Sarah North
European Organisation for Research and Treatment of Cancer
Wei-Chuen Chen
Kennesaw State University
Shahriar et al. (Fri,) studied this question.
synapsesocial.com/papers/6a15fb4332de3075b8525475 — DOI: https://doi.org/10.5281/zenodo.4451606