• DocumentCode
    3280509
  • Title
    A Static Analysis Framework For Detecting SQL Injection Vulnerabilities
  • Author
    Fu, Xiang ; Lu, Xin ; Peltsverger, Boris ; Chen, Shijun ; Qian, Kai ; Tao, Lixin
  • Author_Institution
    Georgia Southwestern State Univ., Americus
  • Volume
    1
  • fYear
    2007
  • fDate
    24-27 July 2007
  • Firstpage
    87
  • Lastpage
    96
  • Abstract
    Recently, the SQL injection attack (SIA) has become a major threat to Web applications. Via carefully crafted user input, attackers can expose or manipulate the back-end database of a Web application. This paper proposes the construction and outlines the design of a static analysis framework (called SAFELI) for identifying SIA vulnerabilities at compile time. SAFELI statically inspects the MSIL bytecode of an ASP.NET Web application using symbolic execution. At each hotspot that submits a SQL query, a hybrid constraint solver is used to find the corresponding user input that could lead to a breach of information security. Once completed, SAFELI has the future potential to discover more delicate SQL injection attacks than black-box Web security inspection tools.
  • Keywords
    Internet; SQL; network operating systems; program diagnostics; security of data; ASP.NET Web application; SQL injection attack; SQL injection vulnerability; back-end database manipulation; information security; static analysis; symbolic execution; Application software; Databases; Information analysis; Information security; Instruments; Intrusion detection; Libraries; Runtime; Software engineering; Testing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Software and Applications Conference, 2007. COMPSAC 2007. 31st Annual International
  • Conference_Location
    Beijing
  • ISSN
    0730-3157
  • Print_ISBN
    0-7695-2870-8
  • Type
    conf
  • DOI
    10.1109/COMPSAC.2007.43
  • Filename
    4290988