Information-Theoretic Detection of SQL Injection Attacks

SQL Injection (SQLI) is a wide spread vulnerability commonly found in web-based programs. Exploitations of SQL injection vulnerabilities lead to harmful consequences such as authentication bypassing and leakage of sensitive personal information. Therefore, SQLI needs to be mitigated to protect end users. In this work, we present a novel approach to detect SQLI attacks based on information theory. We compute the entropy of each query present in a program accessed before program deployment. During program execution time, when an SQL query is invoked, we compute the entropy again to identify any change in the entropy measure for that query. The approach then relies on the assumption that dynamic queries with attack inputs result in increased or decreased level of entropy. In contrast, a dynamic query with benign inputs does not result in any change of entropy value. The proposed framework is validated with three open source PHP applications that have been reported to contain SQLI vulnerabilities. We implement a prototype tool in Java to facilitate the training and detection phase of the proposed approach. The evaluation results indicate that the approach detects all known SQLI vulnerabilities and can be a complementary technique to identify unknown vulnerabilities.