Reference : Semi-Automated Verification of Defense against SQL Injection in Web Applications
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/17033
Semi-Automated Verification of Defense against SQL Injection in Web Applications
English
Liu, Kaiping mailto [Nanyang Technological University > Information Engineering]
Tan, Hee Beng Kuan mailto [Nanyang Technological University > Information Engineering]
Shar, Lwin Khin mailto [Nanyang Technological University > Information Engineering]
2012
APSEC
Yes
International
19th Asia-Pacific Software Engineering Conference
04-12-2012 to 07-12-2012
[en] SQL injection ; Vulnerabilities ; Code auditing
[en] Recent reports reveal that majority of the attacks to Web applications are input manipulation attacks. Among these attacks, SQL injection attack – malicious input is submitted to manipulate the database in a way that was unintended by the applications' developers – is one such attack. This paper proposes an approach for assisting to code verification process on the defense against SQL injection. The approach extracts all such defenses implemented in code. With the use of the proposed approach, developers, testers or auditors can then check the defenses extracted from code to verify their adequacy. We have evaluated the feasibility, effectiveness, and usefulness of the proposed approach by a set of open-source systems. Our experiment results showed that the proposed approach is effective in extracting all the possible defenses implemented/adopted by Web applications. We observed that the proposed approach would be useful in identifying the false positive cases resulting from other related approaches and auditing the code in order to fix the actual vulnerable cases.
http://hdl.handle.net/10993/17033
91-96

File(s) associated to this reference

Fulltext file(s):

FileCommentaryVersionSizeAccess
Limited access
Semi-Automated Verification of Defense against SQL Injection in Web Applications_APSEC12.pdfPublisher postprint211.09 kBRequest a copy

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.