Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection

Cited by: 2

Authors
De Meo, Federico [1 ]
Rocchetto, Marco [2 ]
Vigano, Luca [3 ]
Affiliations
[1] Univ Verona, Dipartimento Informat, Verona, Italy
[2] Singapore Univ Technol & Design, iTrust, Singapore, Singapore
[3] Kings Coll London, Dept Informat, London, England
DOI
10.1007/978-3-319-46598-2_13
CLC classification: TP [Automation technology, computer technology]
Subject classification code: 0812
Abstract
We present a formal approach for the analysis of attacks that exploit SQLi to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on four real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.
Pages: 179-195
Page count: 17
Related papers (50 in total; entries 31-40 shown)
  • [31] SQLIFIX: Learning Based Approach to Fix SQL Injection Vulnerabilities in Source Code
    Siddiq, Mohammed Latif
    Jahin, Md Rezwanur Rahman
    Ul Islam, Mohammad Rafid
    Shahriyar, Rifat
    Iqbal, Anindya
    2021 IEEE INTERNATIONAL CONFERENCE ON SOFTWARE ANALYSIS, EVOLUTION AND REENGINEERING (SANER 2021), 2021, : 354 - 364
  • [32] Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications
    Jan, Sadeeq
    Panichella, Annibale
    Arcuri, Andrea
    Briand, Lionel
    IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, 2019, 45 (04) : 335 - 362
  • [33] Securing web applications from injection and logic vulnerabilities: Approaches and challenges
    Deepa, G.
    Thilagam, P. Santhi
    INFORMATION AND SOFTWARE TECHNOLOGY, 2016, 74 : 160 - 180
  • [34] Detection of SQL Injection and XSS Attacks in Three Tier Web Applications
    Sonewar, Piyush A.
    Thosar, Sonali D.
    2016 INTERNATIONAL CONFERENCE ON COMPUTING COMMUNICATION CONTROL AND AUTOMATION (ICCUBEA), 2016
  • [35] Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications
    Stasinopoulos, Anastasios
    Ntantogian, Christoforos
    Xenakis, Christos
    INTERNATIONAL JOURNAL OF INFORMATION SECURITY, 2019, 18 (01) : 49 - 72
  • [37] A Reusable SQL Injection Detection Method for Java Web Applications
    He, Chengwan
    He, Yue
    KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS, 2020, 14 (06) : 2576 - 2590
  • [38] TPSQLi: Test Prioritization for SQL Injection Vulnerability Detection in Web Applications
    Yang, Guan-Yan
    Wang, Farn
    Gu, You-Zong
    Teng, Ya-Wen
    Yeh, Kuo-Hui
    Ho, Ping-Hsueh
    Wen, Wei-Ling
    APPLIED SCIENCES-BASEL, 2024, 14 (18):
  • [39] SQLIVD - AOP: Preventing SQL Injection Vulnerabilities Using Aspect Oriented Programming through Web Services
    Shanmughaneethi, V.
    Pravin, Ra. Yagna
    Shyni, C. Emilin
    Swamynathan, S.
    HIGH PERFORMANCE ARCHITECTURE AND GRID COMPUTING, 2011, 169 : 327 - 337
  • [40] Confeagle: Automated Analysis of Configuration Vulnerabilities in Web Applications
    Eshete, Birhanu
    Villafiorita, Adolfo
    Weldemariam, Komminist
    Zulkernine, Mohammad
    2013 IEEE 7TH INTERNATIONAL CONFERENCE ON SOFTWARE SECURITY AND RELIABILITY (SERE), 2013, : 188 - 197