A Reusable SQL Injection Detection Method for Java Web Applications

Cited by: 1
Authors
He, Chengwan [1 ]
He, Yue [2 ]
Affiliations
[1] Wuhan Inst Technol, Sch Comp Sci & Engn, Wuhan 430205, Hubei, Peoples R China
[2] Wuhan Univ Technol, Sch Informat Engn, Wuhan 430000, Hubei, Peoples R China
Keywords
SQL injection attack; aspect-oriented programming; taint analysis; aspect library; metamodel;
DOI
10.3837/tiis.2020.06.014
CLC number
TP [Automation technology, computer technology];
Discipline code
0812;
Abstract
The fundamental reason why most SQL injection detection methods are difficult to use in practice is the low reusability of their implementation code. This paper presents a reusable SQL injection detection method for Java Web applications based on AOP (Aspect-Oriented Programming) and dynamic taint analysis. The method encapsulates the dynamic taint analysis process into separate aspects and establishes an aspect library, so that the code for detecting SQL injection attacks can be reused at a large granularity. A metamodel of the aspect library is proposed, and a management tool for the aspect library is implemented. Experiments show that the method effectively detects 7 known types of SQL injection attack (tautologies, logically incorrect queries, union queries, piggy-backed queries, stored procedures, inference queries, and alternate encodings) and supports large-grained reuse of the detection code.
Pages: 2576 / 2590
Page count: 15