Abstract
Web applications are seriously threatened by SQL injection attacks. Although a number of methods and tools have been put forward to detect or prevent SQL injection, there is a lack of effective methods for detecting second-order SQL injection, in which user inputs are stored in the back-end database. This paper proposes a detection solution for second-order SQL injection that combines static and dynamic methods. The solution first analyzes source code to find the vulnerable data item pair that probably has a second-order SQL injection vulnerability and then transforms it into an effective test sequence. After that, the test sequence and malicious inputs are combined for testing. Assessment of this solution on four applications and in practical use shows its effectiveness in detecting second-order SQL injection.
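An added illustration, not code from the paper: the store-then-use pattern the abstract describes, written in Python with sqlite3, with the unsafe use point beside its parameterized form. The table, the function names and the probe value are assumptions constructed for this example; `run_test_sequence` replays a two-step sequence (store the input, then trigger the code that reads it back) and reports whether a different row was altered.

```python
import sqlite3

def register(db, name, password):
    # Store point: parameterized, so any input is written verbatim and safely.
    cur = db.execute("INSERT INTO users (name, password) VALUES (?, ?)",
                     (name, password))
    return cur.lastrowid

def change_password_vulnerable(db, user_id, new_password):
    # Use point: the stored name is read back, trusted, and concatenated.
    name = db.execute("SELECT name FROM users WHERE rowid = ?",
                      (user_id,)).fetchone()[0]
    db.execute("UPDATE users SET password = ? WHERE name = '" + name + "'",
               (new_password,))

def change_password_hardened(db, user_id, new_password):
    # Same use point, but the stored value is bound as a parameter too.
    name = db.execute("SELECT name FROM users WHERE rowid = ?",
                      (user_id,)).fetchone()[0]
    db.execute("UPDATE users SET password = ? WHERE name = ?",
               (new_password, name))

def run_test_sequence(change_password):
    """Return True if the store -> use sequence alters another user's row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    register(db, "admin", "original")         # constructed bystander account
    probe_id = register(db, "admin'--", "x")  # step 1: store constructed probe
    change_password(db, probe_id, "changed")  # step 2: trigger the use point
    row = db.execute("SELECT password FROM users WHERE name = ?",
                     ("admin",)).fetchone()
    return row[0] != "original"

if __name__ == "__main__":
    for fn in (change_password_vulnerable, change_password_hardened):
        print(fn.__name__, "alters another row:", run_test_sequence(fn))
```

The store step is safe in both variants; only the later query that reuses the stored value differs, which is why checking input handling at the entry point alone does not find this class of flaw.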
Acknowledgement
This work is funded by the National Natural Science Foundation of China (No. 91118003, 61272106, 61003080) and 985 funds of Tianjin University.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Yan, L., Li, X., Feng, R., Feng, Z., Hu, J. (2014). Detection Method of the Second-Order SQL Injection in Web Applications. In: Liu, S., Duan, Z. (eds) Structured Object-Oriented Formal Language and Method. SOFL+MSVL 2013. Lecture Notes in Computer Science, vol 8332. Springer, Cham. https://doi.org/10.1007/978-3-319-04915-1_11
DOI: https://doi.org/10.1007/978-3-319-04915-1_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04914-4
Online ISBN: 978-3-319-04915-1
eBook Packages: Computer Science, Computer Science (R0)