A Reusable SQL Injection Detection Method for Java Web Applications

Cited by: 1

Authors
He, Chengwan [1 ]
He, Yue [2 ]
Affiliations
[1] Wuhan Inst Technol, Sch Comp Sci & Engn, Wuhan 430205, Hubei, Peoples R China
[2] Wuhan Univ Technol, Sch Informat Engn, Wuhan 430000, Hubei, Peoples R China
Keywords
SQL injection attack; aspect-oriented programming; taint analysis; aspect library; metamodel;
DOI
10.3837/tiis.2020.06.014
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
The fundamental reason why most SQL injection detection methods are difficult to use in practice is the low reusability of their implementation code. This paper presents a reusable SQL injection detection method for Java Web applications based on AOP (Aspect-Oriented Programming) and dynamic taint analysis. It encapsulates the dynamic taint analysis processes into different aspects and establishes an aspect library to realize large-grained reuse of the code for detecting SQL injection attacks. A metamodel of the aspect library is proposed, and a management tool for the aspect library is implemented. Experiments show that this method can effectively detect 7 known types of SQL injection attack (tautologies, logically incorrect queries, union query, piggy-backed queries, stored procedures, inference query and alternate encodings) and supports the large-grained reuse of the code for detecting SQL injection attacks.
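As an added illustration of the approach the abstract describes (this is not the authors' code or their aspect library), the following AspectJ aspect records HTTP request parameter values as taint sources and checks them when a JDBC execution sink is reached. The class name, the per-thread taint store and the structural-token pattern are assumptions made for this example; a production tracker would follow taint through string operations rather than by substring matching.

```java
// Added example, not the paper's implementation: source and sink aspects for
// dynamic taint tracking of SQL injection in a Java Web application.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import org.aspectj.lang.annotation.After;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;

@Aspect
public class SqlInjectionTaintAspect {
    // Per-thread record of values that came from untrusted request input (taint source).
    private static final ThreadLocal<List<String>> TAINT =
        ThreadLocal.withInitial(ArrayList::new);

    // Tokens that change the structure of a SQL statement when they occur inside data:
    // quotes and comment markers (tautologies, piggy-backed queries) and keywords
    // (union query, stored procedures, inference queries).
    private static final Pattern STRUCTURAL =
        Pattern.compile("(?i)['\";]|--|/\\*|\\b(or|and|union|select|exec|declare|waitfor)\\b");

    // Source aspect: every value returned by HttpServletRequest.getParameter is tainted.
    @AfterReturning(
        pointcut = "call(String javax.servlet.http.HttpServletRequest.getParameter(String))",
        returning = "value")
    public void markTainted(String value) {
        if (value != null && !value.isEmpty()) {
            TAINT.get().add(value);
        }
    }

    // Sink aspect: any Statement.execute*/executeQuery/executeUpdate taking a SQL string.
    // The check fires only when tainted input reached the query text unchanged and
    // contains a structural token, i.e. it was concatenated rather than bound as a parameter.
    @Before("call(* java.sql.Statement.execute*(String, ..)) && args(sql, ..)")
    public void checkSink(String sql) {
        for (String tainted : TAINT.get()) {
            if (sql.contains(tainted) && STRUCTURAL.matcher(tainted).find()) {
                throw new SecurityException(
                    "Possible SQL injection: tainted request input reached query: " + sql);
            }
        }
    }

    // Clear the per-thread taint record once the servlet has finished handling the request.
    @After("execution(* javax.servlet.http.HttpServlet+.service(..))")
    public void clearTaint() {
        TAINT.remove();
    }
}
```

Weave it with the AspectJ compiler or load-time weaving (`-javaagent:aspectjweaver.jar`) into the application; queries built with `PreparedStatement` parameters never carry the raw input into the SQL text, so they pass the sink check.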
Pages: 2576 / 2590
Page count: 15
Related papers
50 items in total
  • [31] Type-Based Taint Analysis for Java Web Applications
    Huang, Wei
    Dong, Yao
    Milanova, Ana
    FUNDAMENTAL APPROACHES TO SOFTWARE ENGINEERING, FASE 2014, 2014, 8411 : 140 - 154
  • [32] Web services & Java server pages - Building distributed applications
    Kanalakis, JM
    DR DOBBS JOURNAL, 2002, 27 (01): : 28 - +
  • [33] Building Web applications using Java 2 enterprise edition
    Wu, CT
    TOOLS 39: TECHNOLOGY OF OBJECT-ORIENTED LANGUAGES AND SYSTEMS, PROCEEDINGS: SOFTWARE TECHNOLOGY FOR THE AGE OF THE INTERNET, 2001, 39 : 355 - 355
  • [34] A Java framework for Web-based multimedia and collaborative applications
    Fuentes, L
    Troya, JM
    IEEE INTERNET COMPUTING, 1999, 3 (02) : 55 - +
  • [35] Building enterprise web applications with Java
    Salo, T.
    Hill, J.
    JOOP - Journal of Object-Oriented Programming, 2000, 13 (02): : 28 - 29
  • [36] Encountering SQL Injection in Web Applications
    Padma, Joshi N.
    Raju, M. B.
    Ravishankar, N.
    Ravi, N. Ch
    PROCEEDINGS OF THE 2ND INTERNATIONAL CONFERENCE ON COMPUTING METHODOLOGIES AND COMMUNICATION (ICCMC 2018), 2018, : 257 - 261
  • [37] CORBA, Java, and the Web
    Hess, D
    BYTE, 1996, 21 (09): : 36 - 36
  • [38] Automated Discovery of JavaScript Code Injection Attacks in PHP Web Applications
    Gupta, Shashank
    Gupta, B. B.
    1ST INTERNATIONAL CONFERENCE ON INFORMATION SECURITY & PRIVACY 2015, 2016, 78 : 82 - 87
  • [39] Detection of SQL Injection and XSS Attacks in Three Tier Web Applications
    Sonewar, Piyush A.
    Thosar, Sonali D.
    2016 INTERNATIONAL CONFERENCE ON COMPUTING COMMUNICATION CONTROL AND AUTOMATION (ICCUBEA), 2016,
  • [40] Reusable Libraries for Safety-Critical Java
    Rios, Juan Ricardo
    Schoeberl, Martin
    2014 IEEE 17TH INTERNATIONAL SYMPOSIUM ON OBJECT/COMPONENT/SERVICE-ORIENTED REAL-TIME DISTRIBUTED COMPUTING (ISORC), 2014, : 188 - 197