Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection (Extended Version) [article]

Federico De Meo, Marco Rocchetto, Luca Viganò
2016 arXiv   pre-print
We present a formal approach that exploits attacks related to SQL Injection (SQLi) searching for security flaws in a web application.  ...  We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks.  ...  A number of formal approaches for the security analysis of web apps, based on the Dolev-Yao (DY) intruder model [11] , have been implemented recently, e.g., [1, 3, 5, 32, 38] .  ... 
arXiv:1605.00358v2 fatcat:3i46qmej3bfmpbamwhj6jwp57y

Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection [chapter]

Federico De Meo, Marco Rocchetto, Luca Viganò
2016 Lecture Notes in Computer Science  
We present a formal approach for the analysis of attacks that exploit SQLi to violate security properties of web applications.  ...  According to OWASP (the Open Web Applications Security Project [27]), SQL injection (SQLi) is the most critical threat for the security of web applications (web apps, for short), and MITRE lists improper  ...  In § 3, we give a categorization of SQLi vulnerabilities, based on which, in § 4, we provide our formalization. In § 5, we discuss SQLfast and its application real-world case studies.  ... 
doi:10.1007/978-3-319-46598-2_13 fatcat:ipbs4yafwzbupk5jeptqsuz4fq

SQLAS: Tool To Detect And Prevent Attacks In Php Web Applications

Vandana Dwivedi, Himanshu Yadav, Anurag Jain
2015 International Journal of Security Privacy and Trust Management  
Web application injection attacks, such as SQL injection (SQLIA), Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF) are major threats to the security of the Web Applications.  ...  In this paper we present SQL Attack Scanner (SQLAS) a Tool which can detect & prevent SQL injection Attack in web applications.  ...  QED identifies XSS and SQL injection vulnerabilities that arise as a result of the interaction of multiple modules of a servlet-based web application.  ... 
doi:10.5121/ijsptm.2015.4103 fatcat:aywiwd35zfajvbg56r42x77tle

An empirical investigation into open source web applications' implementation vulnerabilities

Toan Huynh, James Miller
2010 Empirical Software Engineering  
Are these vulnerabilities the result of interactions between web applications and external systems? What is the proportion of vulnerable lines of code within a web application?  ...  Current web applications have many inherent vulnerabilities; in fact, in 2008, over 63% of all documented vulnerabilities are for web applications.  ...  SQLCheck uses a formal definition of a SQL injection vulnerability; and identifies SQL injection attacks based on the formal definition.  ... 
doi:10.1007/s10664-010-9131-y fatcat:d25zkhhudzdhzb7i7c3cy3g3my

CANDID

Prithvi Bisht, P. Madhusudan, V. N. Venkatakrishnan
2010 ACM Transactions on Privacy and Security  
SQL injection attacks are one of the top-most threats for applications written for the Web.  ...  These attacks are launched through specially crafted user inputs, on Web applications that use low-level string operations to construct SQL queries.  ...  ACKNOWLEDGMENTS We heartily thank Sruthi Bandhakavi, who was involved in this research and much of its ideas and implementation, and co-authored the conference version of this paper.  ... 
doi:10.1145/1698750.1698754 fatcat:qjw32kjuxjf3xfxilsyybygfrq

Supporting automated vulnerability analysis using formalized vulnerability signatures

Mohamed Almorsy, John Grundy, Amani S. Ibrahim
2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering - ASE 2012  
We have developed a prototype static vulnerability analysis tool based on our formalized vulnerability signatures specification approach.  ...  Hackers can easily exploit vulnerabilities in such publicly accessible services. In addition, 75% of the total reported application vulnerabilities are web application specific.  ...  ACKNOWLEDGEMENTS The authors are grateful to Swinburne University of Technology and the FRST SPPI project for support for this research.  ... 
doi:10.1145/2351676.2351691 dblp:conf/kbse/AlmorsyGI12 fatcat:stzi4hevergi3iffmptejzdgzq

Opportunistic Diversity-Based Detection of Injection Attacks in Web Applications

Wenyu Qu, Wei Huo, Lingyu Wang
2018 EAI Endorsed Transactions on Security and Safety  
Web-based applications delivered using clouds are becoming increasingly popular due to less demand of client-side resources and easier maintenance than desktop counterparts.  ...  In this work, we propose to employ opportunistic diversity inherent to Web applications and their database backends to detect injection attacks.  ...  Acknowledgements Authors with Concordia University were partially supported by the Natural Sciences and Engineering Research Council of Canada under Discovery Grant N01035.  ... 
doi:10.4108/eai.11-12-2018.156032 fatcat:4rbyn3sgfnctboeft44ng5f7zu

On Preventing SQL Injection Attacks [chapter]

Bharat Kumar Ahuja, Angshuman Jana, Ankit Swarnkar, Raju Halder
2015 Advances in Intelligent Systems and Computing  
In this paper, we propose three new approaches to detect and prevent SQL Injection Attacks (SQLIA), as an alternative to the existing solutions.  ...  We discuss in detail the benefits and shortcomings of the proposals w.r.t. the literature.  ...  For instance, ' is replaced by ". " Dynamic phase: In the modified version of web application, it is observed that only INSERT statement is vulnerable to SQLIA.  ... 
doi:10.1007/978-81-322-2650-5_4 fatcat:fxve6ouxh5cmzdp4px5g2kknaq

A Survey on SQL Injection Prevention Methods

Shahbaaz Mohammed Hayat Chaki, Mazura Mat Din
2019 International Journal of Innovative Computing  
query on the application.  ...  Therefore, this paper will be focusing on reviewing different types of SQL Injection prevention methods and SQL injection types.  ...  AMNESIA combines dynamic and static analysis to detect and prevent vulnerabilities of web applications during runtime. To generate different types of query statements, AMNESIA uses static analysis.  ... 
doi:10.11113/ijic.v9n1.224 fatcat:2otlw3uudvaxjjihyqoih3utui

Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing [chapter]

Dennis Appelt, Nadia Alshahwan, Lionel Briand
2014 Lecture Notes in Computer Science  
This paper examines the effects and potential benefits of utilising Web Application Firewalls (WAFs) and database proxies in SQL injection testing of web applications and services.  ...  only on the output of the application.  ...  To the best of our knowledge, these terms have not been defined formally in previous research on SQL injection testing.  ... 
doi:10.1007/978-3-319-07785-7_2 fatcat:ycef3mwjjncwtfsypc46ikgrlq

Creation and Evaluation of SQL Injection Security Tools

Fabrizio Monticelli
2008 Zenodo  
used to access web applications.  ...  Based on the above analysis and on today's computer security state-of-the-art, we focus our research on the specific field of SQLIAs, which are still one of the most exploited and dangerous intrusion techniques  ...  Acknowledgments This work is my master's graduation thesis and it is the result of years of  ... 
doi:10.5281/zenodo.3264351 fatcat:3ufhyzi5dzg4dee5aebjazcggm

A Practical J2EE Application Static Analysis Method Based Upon Taint Propagation

Jian Jun Hu, Qiaoyan Wen, Dai Fei Guo, Yansong Wang
2017 MATEC Web of Conferences  
Currently security audit/review for binaries is an upcoming method used to detect security vulnerabilities. In this paper we describe an efficient security audit method based on the java binaries.  ...  The method in this invention can greatly reduce false positives and provides an efficient solution for automated secure auditing on binaries by only checking the exploitable security flows  ...  Thanks especially to Beijing University of Posts and Telecommunications and Siemens Ltd., China.  ... 
doi:10.1051/matecconf/201712804005 fatcat:5zzq2avcwbcq7jteystxzmcpgi

Sound and precise analysis of web applications for injection vulnerabilities

Gary Wassermann, Zhendong Su
2007 Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation - PLDI '07  
One common type of such attacks is SQL injection, where an attacker exploits faulty application code to execute maliciously crafted database queries.  ...  Web applications are popular targets of security attacks.  ...  Acknowledgments We thank the PLDI anonymous reviewers for their useful and detailed comments, which helped improve the presentation of this work.  ... 
doi:10.1145/1250734.1250739 dblp:conf/pldi/WassermannS07 fatcat:3zly5365ujgndhm7asqqlw3tnm

Sound and precise analysis of web applications for injection vulnerabilities

Gary Wassermann, Zhendong Su
2007 SIGPLAN notices  
One common type of such attacks is SQL injection, where an attacker exploits faulty application code to execute maliciously crafted database queries.  ...  Web applications are popular targets of security attacks.  ...  Acknowledgments We thank the PLDI anonymous reviewers for their useful and detailed comments, which helped improve the presentation of this work.  ... 
doi:10.1145/1273442.1250739 fatcat:hbyxtjhpcrhdrdm2r55aoo7xry

WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation

W.G.J. Halfond, A. Orso, P. Manolios
2008 IEEE Transactions on Software Engineering  
We have implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool, which we used to perform an empirical evaluation on a wide range of Web applications that we subjected to  ...  One of these attacks is SQL injection, which can give attackers unrestricted access to the databases that underlie Web applications and has become increasingly frequent and serious.  ...  Any opinions expressed in this paper are those of the authors and do not necessarily reflect the views of the US Air Force.  ... 
doi:10.1109/tse.2007.70748 fatcat:7zltdllbnrhrnm2m6jgxildifu