Context:
SQL injection attack (SQLIA) poses a serious security threat to web applications by allowing attackers to gain unhindered access to the underlying databases, which may contain sensitive information. Many methods and techniques have been proposed by researchers and practitioners to mitigate the SQL injection problem.
However, deploying those methods and techniques without a clear understanding of what each one actually prevents can induce a false sense of security. A classification of such techniques would greatly help in avoiding that false sense of security.
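As an added illustration of the "false sense of security" point (example code written for this page, not code from the paper), the script below builds the same lookup query four ways against an in-memory SQLite table: plain string concatenation, a quote-escaping defense applied in a numeric context where it cannot help, integer validation, and a parameterized query. The table contents and the three payloads are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the paper).
SAMPLE_USERS = [(1, "alice", "s3cr3t"), (2, "bob", "hunter2")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def names(conn, sql, params=()):
    """Run a query and return the first column of every row."""
    return [row[0] for row in conn.execute(sql, params)]


def lookup_concat(conn, user_id):
    """Vulnerable: untrusted input becomes part of the SQL text."""
    return names(conn, f"SELECT name FROM users WHERE id = {user_id}")


def lookup_quote_escaped(conn, user_id):
    """Misapplied defense: doubling single quotes only protects a value that
    sits inside a quoted string literal. Here the value is in a numeric
    position, so the escaping changes nothing and the query stays injectable."""
    escaped = str(user_id).replace("'", "''")
    return names(conn, f"SELECT name FROM users WHERE id = {escaped}")


def lookup_validated(conn, user_id):
    """Input validation: accept only an integer, so non-numeric input is
    rejected (ValueError) before any SQL is built. Safe because the
    interpolated value is now a Python int, not attacker-controlled text."""
    return names(conn, f"SELECT name FROM users WHERE id = {int(user_id)}")


def lookup_parameterized(conn, user_id):
    """Prepared statement: the driver binds the value, which is never parsed
    as SQL. A non-numeric string simply matches no integer id."""
    return names(conn, "SELECT name FROM users WHERE id = ?", (user_id,))


STRATEGIES = [
    ("concat", lookup_concat),
    ("escaped", lookup_quote_escaped),
    ("validated", lookup_validated),
    ("parameterized", lookup_parameterized),
]


def run_payload(payload):
    """Return what each strategy yields for one input. Inputs rejected by
    validation or by the database are reported as the string 'rejected';
    result lists are sorted so they can be compared regardless of row order."""
    conn = make_db()
    results = {}
    for label, fn in STRATEGIES:
        try:
            results[label] = sorted(fn(conn, payload))
        except (ValueError, sqlite3.Error):
            results[label] = "rejected"
    conn.close()
    return results


if __name__ == "__main__":
    # Constructed payloads: a benign id, a tautology, and a UNION exfiltration.
    for payload in ["1", "1 OR 1=1", "0 UNION SELECT secret FROM users"]:
        print(repr(payload), run_payload(payload))
```

The tautology and UNION payloads return every user name, and then every stored secret, through both the concatenated and the "escaped" query: the escaping routine was applied to a context it does not cover. Integer validation rejects both payloads, and the parameterized query returns nothing for them while still resolving the benign id. The taxonomy the paper builds is meant to make exactly this kind of scope question (what context a technique protects, and how it was evaluated) explicit before a technique is deployed.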
Objectives:
This paper focuses on classifying such techniques by building a taxonomy of SQL injection defense techniques.
Methods:
A systematic literature review (SLR) was conducted using five well-known electronic databases: IEEE, ACM, Engineering Village (Inspec/Compendex), ISI Web of Science and Scopus.
Results:
Sixty-one defense techniques were found, and a taxonomy of SQL injection defense techniques was built from them. The taxonomy consists of several dimensions, which can be grouped under two higher-order terms: detection method and evaluation criteria.
Conclusion:
The taxonomy provides a basis for comparison among different defense techniques. Organizations can use it to choose suitable techniques depending on their available resources and environments. Moreover, this classification points to a number of future research directions in the field of SQL injection.
Source: Blekinge Institute of Technology
Authors: Aryal, Dhiraj | Shakya, Anup