Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection
نویسندگان
چکیده
We present a formal approach for the analysis of attacks that exploit SQLi to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on four real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.
منابع مشابه
A Formal Approach to Exploiting Multi-stage Attacks Based on File-System Vulnerabilities of Web Applications
Web applications require access to the file-system for many different tasks. When analyzing the security of a web application, security analysts should thus consider the impact that file-system operations have on the security of the whole application. Moreover, the analysis should take into consideration how file-system vulnerabilities might interact with other vulnerabilities leading an attack...
متن کاملEfficient Design of Static Analysis Tool for Detecting Web Vulnerabilities
The number and the importance of web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, error prone and costly, the need for automated solutions has become evident. Many web applications written in ASP suffer from injection vulnerabil...
متن کاملPreventing SQL Injection through Automatic Query Sanitization with ASSIST
Web applications are becoming an essential part of our everyday lives. Many of our activities are dependent on the functionality and security of these applications. As the scale of these applications grows, injection vulnerabilities such as SQL injection are major security challenges for developers today. This paper presents the technique of automatic query sanitization to automatically remove ...
متن کاملWeb Application Security—Past, Present, and Future *
Web application security remains a major roadblock to universal acceptance of the Web for many kinds of online transactions, especially since the recent sharp increase in remotely exploitable vulnerabilities has been attributed to Web application bugs. In software engineering, software testing is an established and well-researched process for improving software quality. Recently formal verifica...
متن کاملEliminating SQL Injection and Cross Site Scripting Using Aspect Oriented Programming
Security vulnerabilities in the web applications that we use to shop, bank, and socialize online expose us to exploits that cost billions of dollars each year. This paper describes the design and implementation of AspectShield, a system designed to mitigate the most common web application vulnerabilities without requiring costly and potentially dangerous modifications to the source code of vuln...
متن کامل