Detection Method of the Second-Order SQL Injection in Web Applications

  • Conference paper
Structured Object-Oriented Formal Language and Method (SOFL+MSVL 2013)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 8332))

Abstract

Web applications are seriously threatened by SQL injection attacks. Although many methods and tools have been proposed to detect or prevent SQL injection, there is a lack of effective methods for detecting second-order SQL injection, in which user input is first stored in the back-end database and only later reaches a query. This paper proposes a detection solution for second-order SQL injection that combines static and dynamic methods. The solution first analyzes the source code to find the vulnerable data item pairs that are likely to carry a second-order SQL injection vulnerability, then transforms each pair into an effective test sequence. The test sequence and malicious inputs are then combined for testing. Assessment of the solution on four applications and in practical use shows its effectiveness in detecting second-order SQL injection.



Acknowledgement

This work is funded by the National Natural Science Foundation of China (No. 91118003, 61272106, 61003080) and 985 funds of Tianjin University.

Corresponding author

Correspondence to Jing Hu.


Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

Yan, L., Li, X., Feng, R., Feng, Z., Hu, J. (2014). Detection Method of the Second-Order SQL Injection in Web Applications. In: Liu, S., Duan, Z. (eds.) Structured Object-Oriented Formal Language and Method. SOFL+MSVL 2013. Lecture Notes in Computer Science, vol. 8332. Springer, Cham. https://doi.org/10.1007/978-3-319-04915-1_11

  • DOI: https://doi.org/10.1007/978-3-319-04915-1_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04914-4

  • Online ISBN: 978-3-319-04915-1

  • eBook Packages: Computer Science (R0)
