Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection

Cited by: 2
Authors
De Meo, Federico [1]
Rocchetto, Marco [2]
Vigano, Luca [3]
Affiliations
[1] Univ Verona, Dipartimento Informat, Verona, Italy
[2] Singapore Univ Technol & Design, iTrust, Singapore, Singapore
[3] Kings Coll London, Dept Informat, London, England
Source
Keywords
DOI
10.1007/978-3-319-46598-2_13
CLC number
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
We present a formal approach for the analysis of attacks that exploit SQL injection (SQLi) to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and show its efficiency on four real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.
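As an added illustration of the kind of property violation the abstract refers to (example code written for this page, not the authors' SQLfast tool or their formal model): a toy login handler over an in-memory SQLite database, in its injectable and its parameterized form, together with an explicit check of the security property "a session is granted only to a stored credential pair". The schema, the accounts, the payloads and the function names are all constructed for the example; passwords are kept in plaintext only to keep it short.

```python
"""Added example: SQL injection as a security-property violation.

Toy login handler over an in-memory SQLite database, in an injectable and a
parameterized form, plus an explicit check of the property the attack breaks.
The schema, accounts and attack payloads are constructed for this example;
passwords are stored in plaintext only to keep the example short.
"""
import sqlite3

# Constructed sample accounts (not real data).
SAMPLE_USERS = [
    ("admin", "s3cr3t-admin", "admin"),
    ("alice", "alice-pw", "user"),
]


def make_db():
    """Create an in-memory database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " password TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Injectable: user input is concatenated into the SQL text, so quotes
    and comment markers in the input change the structure of the query."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()  # (username, role) or None


def login_safe(conn, username, password):
    """Parameterized: input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def credential_pair_exists(conn, username, password):
    """Ground truth for the property check (always parameterized)."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def authentication_property_holds(login, conn, username, password):
    """Security property: the handler grants a session only if the submitted
    (username, password) is exactly a stored credential pair.
    Returns True if the property holds for this input, False if it is violated."""
    granted = login(conn, username, password)
    if granted is None:
        return True  # access denied: nothing to violate
    return credential_pair_exists(conn, username, password)


# Constructed attack payloads. In SQLite, "--" comments out the rest of the
# line, so the password comparison is never evaluated; the tautology makes
# the WHERE clause true for every row because AND binds tighter than OR.
COMMENT_BYPASS = ("admin' --", "anything")
TAUTOLOGY_BYPASS = ("alice", "' OR '1'='1")


def run_case_study():
    """Return, per handler and payload, what was granted and whether the
    authentication property survived."""
    conn = make_db()
    results = {}
    for name, login in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        for label, (user, pw) in (("comment", COMMENT_BYPASS),
                                  ("tautology", TAUTOLOGY_BYPASS)):
            results[(name, label)] = {
                "granted_as": login(conn, user, pw),
                "property_holds": authentication_property_holds(
                    login, conn, user, pw),
            }
    return results


if __name__ == "__main__":
    for key, value in run_case_study().items():
        print(key, value)
```

The property check is deliberately separate from the handler under test: it asks the database, through a parameterized query, whether the pair the attacker actually submitted is a stored credential. That separation is what lets a string like `admin' --` be classified as a violation rather than a login: the vulnerable handler grants an admin session for it, while no such credential pair exists.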
Pages: 179 / 195
Page count: 17