Patent attributes
In an example embodiment, a system detects unauthorized database queries made by a maliciously formed web request. The system captures a web request for a web application and one or more database queries triggered in response to the web request during runtime. If the captured web request matches a valid web request in a table of valid web requests for the web application, the system checks if each captured database query matches a valid database query mapped to the valid web request in the table. The system may declare an injection attack if at least one captured database query does not match a valid database query mapped to the valid web request, or may perform additional validation of the captured request and the at least one captured database query prior to declaring the attack. The system may form the table of valid web requests using a dynamic simulation process, using static code analysis, or a combination of both.