• DocumentCode
    1640607
  • Title

    Detecting SOQL-injection vulnerabilities in SalesForce applications

  • Author

    Saxena, Ankur ; Sengupta, Sabyasachi ; Duraisamy, Prakash ; Kaulgud, Vikrant ; Chakraborty, Arpan

  • Author_Institution
    Accenture Technol. Labs., Bangalore, India
  • fYear
    2013
  • Firstpage
    489
  • Lastpage
    493
  • Abstract
    The two most common web-attacks used by hackers to steal data are SQL-injection and cross-site scripting (XSS). These are examples of taint vulnerabilities where maliciously crafted code (for example, a SQL query) is injected into a Web application by embedding it inside innocuous looking user inputs. We present the design of TRAP (Taint Removal and Analysis Platform), a static data-flow analysis tool to detect SOQL-injection problems in SalesForce applications. TRAP is designed to be language independent as it uses an XML intermediate language called STAC (STatic Analysis Code), on which the analysis is done. Currently, we have implemented STAC compilers for Apex and Java.
  • Keywords
    Java; SQL; cloud computing; computer crime; customer relationship management; data flow analysis; program compilers; Apex; Java; SOQL-injection problem detection; SOQL-injection vulnerability detection; SQL query; SQL-injection; STAC compilers; STatic Analysis Code; SalesForce application; TRAP design; Taint Removal and Analysis Platform; Web application; Web-attacks; XML intermediate language; XSS; cloud computing; cross-site scripting; customer relationship management; data stealing; hackers; innocuous looking user inputs; maliciously crafted code; static data-flow analysis tool; Cloning; Context; Informatics; Java; Reactive power; Security; XML;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Advances in Computing, Communications and Informatics (ICACCI), 2013 International Conference on
  • Conference_Location
    Mysore
  • Print_ISBN
    978-1-4799-2432-5
  • Type

    conf

  • DOI
    10.1109/ICACCI.2013.6637220
  • Filename
    6637220