• DocumentCode
    119419
  • Title
    SQLR: Grammar-Guided Validation of SQL Injection Sanitizers
  • Author
    Sathyanarayan, Sai ; Dawei Qi ; Zhenkai Liang ; Roychoudhury, Abhik
  • Author_Institution
    Sch. of Comput., Nat. Univ. of Singapore, Singapore, Singapore
  • fYear
    2014
  • fDate
    4-7 Aug. 2014
  • Firstpage
    154
  • Lastpage
    157
  • Abstract
    The SQL injection attack is one of the major threats to web applications. Through malicious inputs, attackers can cause data leakage and damage, and even remote code execution on the victim servers. A common solution is to use input sanitizers to filter out inputs that can result in SQL injection attacks. In this paper, we propose a novel solution, SQLR, to validate SQL sanitizers by systematically generating SQL injection attack patterns. Our approach uses the SQL grammar to guide the enumeration of malicious SQL queries efficiently, and summarizes the queries into patterns that can be used by existing solutions. SQLR successfully identified new attack patterns and weaknesses in sanitizers used in several real-world web applications.
  • Keywords
    Internet; SQL; grammars; query processing; security of data; SQL grammar; SQL injection attack patterns; SQL injection sanitizers; SQLR; Web applications; data damage; data leakage; grammar-guided validation; input sanitizers; malicious SQL queries; malicious inputs; remote code execution; victim servers; Art; Concrete; Databases; Educational institutions; Grammar; Security; Servers;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Engineering of Complex Computer Systems (ICECCS), 2014 19th International Conference on
  • Conference_Location
    Tianjin
  • Print_ISBN
    978-1-4799-5481-0
  • Type
    conf
  • DOI
    10.1109/ICECCS.2014.29
  • Filename
    6923131