Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection

Cited by: 2
Authors
De Meo, Federico [1 ]
Rocchetto, Marco [2 ]
Vigano, Luca [3 ]
Affiliations
[1] Univ Verona, Dipartimento Informat, Verona, Italy
[2] Singapore Univ Technol & Design, iTrust, Singapore, Singapore
[3] Kings Coll London, Dept Informat, London, England
DOI: 10.1007/978-3-319-46598-2_13
Chinese Library Classification: TP [Automation technology; computer technology]
Discipline code: 0812
Abstract
We present a formal approach for the analysis of attacks that exploit SQL injection (SQLi) to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively captures SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on four real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.
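As an added illustration (not code from the paper and not part of SQLfast), the following Python/SQLite script makes concrete the two kinds of security-property violation that the abstract refers to, on a constructed two-user table: an authentication bypass that logs in as admin without knowing the admin password, and a UNION-based leak of stored passwords through a search endpoint. Each vulnerable, string-concatenated query is paired with its parameterized form, and the `violates_*` functions state the property being checked and report whether a given implementation breaks it. The table contents, function names and payloads are all assumptions of this example; the checks are a hand-written stand-in for the properties the paper formalizes, not the paper's formalization.

```python
import sqlite3

# Constructed sample data for this example; not from the paper or from SQLfast.
USERS = [
    ("admin", "s3cr3t-admin-pw", "admin"),
    ("alice", "alice-pw", "user"),
]


def make_db():
    """In-memory SQLite database standing in for the web application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by concatenation: user input is spliced into SQL syntax."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()  # None means authentication failed


def login_hardened(conn, username, password):
    """Parameterized query: values are bound by the driver, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def search_vulnerable(conn, needle):
    """Concatenated LIKE query; the intended result exposes only (username, role)."""
    sql = "SELECT username, role FROM users WHERE username LIKE '%" + needle + "%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, needle):
    """Parameterized LIKE. Parameterization stops SQL-syntax injection, but '%'
    and '_' inside needle still act as LIKE wildcards; escape them if that matters."""
    sql = "SELECT username, role FROM users WHERE username LIKE ?"
    return conn.execute(sql, ("%" + needle + "%",)).fetchall()


# Constructed payloads. The first closes the username literal and comments out
# the password check; the second appends a UNION that pulls the password column
# into the role column of the result set.
AUTH_BYPASS_USER = "admin' -- "
UNION_LEAK = "' UNION SELECT username, password FROM users -- "


def violates_authentication(login_fn):
    """Property: nobody authenticates as admin without the admin password."""
    conn = make_db()
    row = login_fn(conn, AUTH_BYPASS_USER, "wrong-password")
    return row is not None and row[1] == "admin"


def violates_confidentiality(search_fn):
    """Property: search results never contain a stored password."""
    conn = make_db()
    passwords = {pw for _, pw, _ in USERS}
    return any(col in passwords
               for row in search_fn(conn, UNION_LEAK) for col in row)


if __name__ == "__main__":
    for name, fn in [("login_vulnerable", login_vulnerable),
                     ("login_hardened", login_hardened)]:
        print(f"{name}: authentication bypass = {violates_authentication(fn)}")
    for name, fn in [("search_vulnerable", search_vulnerable),
                     ("search_hardened", search_hardened)]:
        print(f"{name}: password leak = {violates_confidentiality(fn)}")
```

Running the script reports a violation for both concatenated queries and none for their parameterized counterparts; legitimate logins succeed in both versions, which is what separates a real fix from one that merely breaks the attack by breaking the feature.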
Pages: 179-195 (17 pages)
Related papers (50 in total; items 21-30 shown)
  • [21] Detection and Prevention of SQL Injection Attacks on Web Applications. Fouad, Yasser; Elshazly, Khaled. International Journal of Computer Science and Network Security, 2013, 13(08): 1-7.
  • [22] A Search-based Testing Approach for XML Injection Vulnerabilities in Web Applications. Jan, Sadeeq; Nguyen, Cu D.; Arcuri, Andrea; Briand, Lionel. 2017 10th IEEE International Conference on Software Testing, Verification and Validation (ICST), 2017: 356-366.
  • [23] SQL Injection Detection for Web Applications Based on Elastic-Pooling CNN. Xie, Xin; Ren, Chunhui; Fu, Yusheng; Xu, Jie; Guo, Jinhong. IEEE Access, 2019, 7: 151475-151481.
  • [24] JCOMIX: A Search-Based Tool to Detect XML Injection Vulnerabilities in Web Applications. Stallenberg, Dimitri Michel; Panichella, Annibale. ESEC/FSE'2019: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2019: 1090-1094.
  • [25] Source Code Patterns of SQL Injection Vulnerabilities. Schuckert, Felix; Katt, Basel; Langweg, Hanno. Proceedings of the 12th International Conference on Availability, Reliability and Security (ARES 2017), 2017.
  • [26] An Improved Approach for SQL Injection Vulnerabilities Detection. Zhang, Zongzhi; Wen, Qiaoyan; Zhang, Zhao. Information Technology Applications in Industry, Pts 1-4, 2013, 263-266: 3017-3020.
  • [27] Fragmented Query Parse Tree Based SQL Injection Detection System for Web Applications. Priyaa, B. Deva; Devi, M. Indra. 2016 International Conference on Computing Technologies and Intelligent Data Engineering (ICCTIDE'16), 2016.
  • [28] A Mutation Approach of Detecting SQL Injection Vulnerabilities. Huang, Yanyu; Fu, Chuan; Chen, Xuan; Guo, Hao; He, Xiaoyu; Li, Jin; Liu, Zheli. Cloud Computing and Security, Pt II, 2017, 10603: 175-188.
  • [29] Analysis of Effectiveness of Black-Box Web Application Scanners in Detection of Stored SQL Injection and Stored XSS Vulnerabilities. Parvez, Muhammad; Zavarsky, Pavol; Khoury, Nidal. 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), 2015: 186-191.
  • [30] Predicting Web Vulnerabilities in Web Applications Based on Machine Learning. Khalid, Muhammad Noman; Farooq, Humera; Iqbal, Muhammad; Alam, Muhammad Talha; Rasheed, Kamran. Intelligent Technologies and Applications, INTAP 2018, 2019, 932: 473-484.