Semi-automated verification of defense against SQL injection in web applications
Recent reports reveal that majority of the attacks to Web applications are input manipulation attacks. Among these attacks, SQL injection attack malicious input is submitted to manipulate the database in a way that was unintended by the applications' developers is one such attack. This paper pr...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2012
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4838 https://ink.library.smu.edu.sg/context/sis_research/article/5841/viewcontent/Semi_automated_verification_of_defense_against_SQL_injection_2012_av.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-5841 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-58412020-05-04T01:44:39Z Semi-automated verification of defense against SQL injection in web applications LIU, Kaiping TAN, Hee Beng Kuan SHAR, Lwin Khin Recent reports reveal that majority of the attacks to Web applications are input manipulation attacks. Among these attacks, SQL injection attack malicious input is submitted to manipulate the database in a way that was unintended by the applications' developers is one such attack. This paper proposes an approach for assisting to code verification process on the defense against SQL injection. The approach extracts all such defenses implemented in code. With the use of the proposed approach, developers, testers or auditors can then check the defenses extracted from code to verify their adequacy. We have evaluated the feasibility, effectiveness, and usefulness of the proposed approach by a set of open-source systems. Our experiment results showed that the proposed approach is effective in extracting all the possible defenses implemented/adopted by Web applications. We observed that the proposed approach would be useful in identifying the false positive cases resulting from other related approaches and auditing the code in order to fix the actual vulnerable cases. 2012-12-01T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4838 info:doi/10.1109/APSEC.2012.18 https://ink.library.smu.edu.sg/context/sis_research/article/5841/viewcontent/Semi_automated_verification_of_defense_against_SQL_injection_2012_av.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University SQL injection vulnerabilities code auditing software security static analysis Web applications Information Security Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
SQL injection vulnerabilities code auditing software security static analysis Web applications Information Security Software Engineering |
| spellingShingle |
SQL injection vulnerabilities code auditing software security static analysis Web applications Information Security Software Engineering LIU, Kaiping TAN, Hee Beng Kuan SHAR, Lwin Khin Semi-automated verification of defense against SQL injection in web applications |
| description |
Recent reports reveal that majority of the attacks to Web applications are input manipulation attacks. Among these attacks, SQL injection attack malicious input is submitted to manipulate the database in a way that was unintended by the applications' developers is one such attack. This paper proposes an approach for assisting to code verification process on the defense against SQL injection. The approach extracts all such defenses implemented in code. With the use of the proposed approach, developers, testers or auditors can then check the defenses extracted from code to verify their adequacy. We have evaluated the feasibility, effectiveness, and usefulness of the proposed approach by a set of open-source systems. Our experiment results showed that the proposed approach is effective in extracting all the possible defenses implemented/adopted by Web applications. We observed that the proposed approach would be useful in identifying the false positive cases resulting from other related approaches and auditing the code in order to fix the actual vulnerable cases. |
| format |
text |
| author |
LIU, Kaiping TAN, Hee Beng Kuan SHAR, Lwin Khin |
| author_facet |
LIU, Kaiping TAN, Hee Beng Kuan SHAR, Lwin Khin |
| author_sort |
LIU, Kaiping |
| title |
Semi-automated verification of defense against SQL injection in web applications |
| title_short |
Semi-automated verification of defense against SQL injection in web applications |
| title_full |
Semi-automated verification of defense against SQL injection in web applications |
| title_fullStr |
Semi-automated verification of defense against SQL injection in web applications |
| title_full_unstemmed |
Semi-automated verification of defense against SQL injection in web applications |
| title_sort |
semi-automated verification of defense against sql injection in web applications |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2012 |
| url |
https://ink.library.smu.edu.sg/sis_research/4838 https://ink.library.smu.edu.sg/context/sis_research/article/5841/viewcontent/Semi_automated_verification_of_defense_against_SQL_injection_2012_av.pdf |
| _version_ |
1770575059259228160 |