Raju Halder, Agostino Cortesi. Obfuscation-based Analysis of SQL Injection Attacks. In Proceedings of the 15th IEEE Symposium on Computers and Communications (ISCC 2010). IEEE Press, Riccione, Italy, 22-25 June 2010. [doi]
In this paper, we propose an obfuscation/deobfuscation based technique to detect the presence of possible SQL Injection Attacks (SQLIA) in a query before submitting it to a DBMS. This technique combines static and dynamic analysis. In the static phase, the queries in the application are replaced by queries in obfuscated form. The main idea behind obfuscation is to isolate all the atomic formulas from other control elements of the query. During the dynamic phase, the user inputs are merged into the obfuscated atomic formulas, and the dynamic verifier analysis the presence of possible SQLIA at atomic formula level. Finally, a deobfuscation step is performed to recover the original query before submitting it to the DBMS.