Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection

Cited by: 2
Authors: De Meo, Federico [1]; Rocchetto, Marco [2]; Viganò, Luca [3]
Affiliations:
[1] Univ Verona, Dipartimento Informat, Verona, Italy
[2] Singapore Univ Technol & Design, iTrust, Singapore, Singapore
[3] Kings Coll London, Dept Informat, London, England
DOI: 10.1007/978-3-319-46598-2_13
CLC classification: TP [Automation technology, computer technology]
Discipline code: 0812
Abstract
We present a formal approach for the analysis of attacks that exploit SQLi to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on four real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.
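The abstract describes the ingredients of the approach: a formal model of a web application and its database, an attacker who can only build requests from what it knows, and a security property that an SQLi attack is shown to violate. The following is an added toy illustration of that idea, written for this page; it is not SQLfast and not the authors' formalization. It assumes a constructed login form over a two-row user table (in-memory SQLite from the standard library), an attacker whose knowledge is a fixed set of string fragments it may concatenate (a stand-in for a term algebra over strings), and a bounded search for an attacker-derivable request that authenticates as an administrator. The same search run against a parameterised version of the query finds nothing within the bound, which is the contrast a practitioner would want to see.

```python
"""Toy SQLi attack search against a security property (added example).

Not the paper's SQLfast tool: a constructed web application (login form over a
small user table), a database (in-memory SQLite), an attacker whose knowledge is
a fixed set of string fragments, and a bounded search for an attacker-derivable
request that violates "no attacker-derived request yields an admin session".
"""
import sqlite3
from itertools import product

# Constructed sample data: the attacker is assumed to know the public username
# "alice" but none of the passwords.
USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]

# Attacker knowledge (assumption): fragments the attacker may concatenate freely.
ATTACKER_KNOWLEDGE = ["alice", "x", "'", " OR ", "1=1", " --"]


def make_db():
    """Fresh in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def build_query(user, pw):
    """The vulnerable application's string-concatenated login query."""
    return f"SELECT name, role FROM users WHERE name = '{user}' AND pw = '{pw}'"


def vulnerable_login(conn, user, pw):
    """Login as the vulnerable app does it; returns (name, role) or None."""
    try:
        return conn.execute(build_query(user, pw)).fetchone()
    except (sqlite3.Error, sqlite3.Warning):
        # A syntactically broken injected query simply fails the login.
        return None


def safe_login(conn, user, pw):
    """Same query with bound parameters: input can never alter the SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ? AND pw = ?", (user, pw)
    ).fetchone()


def attacker_terms(max_len):
    """Every string derivable by concatenating up to max_len known fragments."""
    for n in range(1, max_len + 1):
        for toks in product(ATTACKER_KNOWLEDGE, repeat=n):
            yield "".join(toks)


def violates_property(session):
    """Security property: an attacker-derived request must not yield an admin session."""
    return session is not None and session[1] == "admin"


def find_attack(login, max_len=3):
    """Bounded search over attacker-derivable (user, pw) requests.

    Returns the first violating trace (inputs, the concatenated query the
    vulnerable app would build, and the resulting session), or None if no
    violation exists within the bound.
    """
    conn = make_db()
    terms = list(attacker_terms(max_len))
    for user in terms:
        for pw in terms:
            session = login(conn, user, pw)
            if violates_property(session):
                return {
                    "user": user,
                    "pw": pw,
                    "query": build_query(user, pw),
                    "session": session,
                }
    return None


if __name__ == "__main__":
    print("vulnerable app:", find_attack(vulnerable_login))
    print("parameterised app:", find_attack(safe_login))
```

The search is exhaustive only up to the term-length bound, so a None result for the parameterised query is evidence within the bound, not a proof; the point of a formal model such as the paper's is to make that guarantee unconditional rather than bounded.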
Pages: 179-195 (17 pages)
Related papers (10 of 50 shown)
  • [1] Sharma, Chandershekhar; Jain, S. C. Analysis and Classification of SQL Injection Vulnerabilities and Attacks on Web Applications. 2014 International Conference on Advances in Engineering and Technology Research (ICAETR), 2014.
  • [2] Wu, Haiyan; Gao, Guozhu; Miao, Chunyu. Test SQL Injection Vulnerabilities in Web Applications Based on Structure Matching. 2011 International Conference on Computer Science and Network Technology (ICCSNT), vols. 1-4, 2012, pp. 935-938.
  • [3] Alsmadi, I.; AlEroud, A.; Saifan, A. A. Fault-based testing for discovering SQL injection vulnerabilities in web applications. International Journal of Information and Computer Security, 2021, 16(1-2), pp. 51-62.
  • [4] Saoudi, Lalia; Adi, Kamel; Boudraa, Younes. A Rejection-Based Approach for Detecting SQL Injection Vulnerabilities in Web Applications. Foundations and Practice of Security (FPS 2019), vol. 12056, 2020, pp. 379-386.
  • [5] Liu, Muyang; Li, Ke; Chen, Tao. Security Testing of Web Applications: A Search-Based Approach for Detecting SQL Injection Vulnerabilities. Proceedings of the 2019 Genetic and Evolutionary Computation Conference Companion (GECCO'19 Companion), 2019, pp. 417-418.
  • [6] Antunes, Nuno; Vieira, Marco. Detecting SQL Injection Vulnerabilities in Web Services. LADC 2009: 4th Latin-American Symposium on Dependable Computing, 2009, pp. 17-24.
  • [7] Gupta, Mukesh Kumar; Govil, M. C.; Singh, Girdhari. Static Analysis Approaches to Detect SQL Injection and Cross Site Scripting Vulnerabilities in Web Applications: A Survey. 2014 Recent Advances and Innovations in Engineering (ICRAIE), 2014.
  • [8] Wassermann, Gary; Su, Zhendong. Sound and precise analysis of web applications for injection vulnerabilities. ACM SIGPLAN Notices, 2007, 42(6), pp. 32-41.
  • [9] Wassermann, Gary; Su, Zhendong. Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. PLDI'07: Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation, 2007, pp. 32-41.
  • [10] Kumar, Animesh; Dutta, Sandip; Pranav, Prashant. Analysis of SQL injection attacks in the cloud and in WEB applications. Security and Privacy, 2024, 7(3).