Defending against injection attacks through context-sensitive string evaluation

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 3858 LNCS, Issue , 2006, Pages 124-145

  Pietraszek, Tadeusz ^a   Berghe, Chris Vanden ^a,b  

^a IBM RESEARCH ZURICH   (Switzerland)

^b UNIVERSITY OF LEUVEN   (Belgium)

Author keywords

Injection attacks; Internal sensors; Intrusion prevention; PHP; Web applications

Indexed keywords

COMPUTER PROGRAMMING; ERROR ANALYSIS; METADATA; SECURITY OF DATA; SECURITY SYSTEMS; SOFTWARE PROTOTYPING; WORLD WIDE WEB;

INJECTION ATTACKS; INTERNAL SENSORS; INTRUSION PREVENTION; WEB APPLICATIONS;

COMPUTER CRIME;

EID: 33745661661     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/11663812_7     Document Type: Conference Paper

References (20)

1. Anley, C.: Advanced SQL Injection In SQL Server Applications. Technical report, NGSSoftware Insight Security Research (2002).
2. Anley, C.: (more) Advanced SQL Injection. Technical report, NGSSoftware Insight Security Research (2002).
3. Boyd, S., Keromytis, A.: SQLrand: Preventing SQL injection attacks. In Jakobsson, M., Yung, M., Zhou, J., eds.: Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference. Volume 3089 of Lecture Notes in Computer Science., Springer-Verlag (2004) 292-304.
4. Descartes, A., Bunce, T.: Perl DBI. O'Reilly (2000).
5. Kiczales, G., Lamping, J., Menhdhekar, A., Maeda, C., Lopes, C., Loingtier, J.M., Irwin, J.: Aspect-Oriented Programming. In Aksjt, M., Matsuoka, S., eds.: Proceedings European Conference on Object-Oriented Programming. Volume 1241 of Lecture Notes in Computer Science., Springer-Verlag (1997) 220-242.
6. Larson, E., Austin, T.: High coverage detection of input-related security faults. In: Proceedings of the 12th USENIX Security Symposium, Washington D.C., USENIX (2003) 121-136.
7. Lim, J.: ADOdb Database Abstraction Library for PHP (and Python). Web page at http://adodb.sourceforge.net (2000-2004).
8. Maor, O., Shulman, A.: SQL Injection Signatures Evasion. Technical report, Irnperva Application Defense Center (2004).
9. Meijer, E., Schulte, W., Bierman, G.: Unifying tables, objects and documents. In: Workshop on Declarative Programming in the Context of OO Languages (DP-COOL'03), Uppsala, Sweeden (2003) 145-166.
10. MITRE: Common Vulnerabilites and Exposures. Web page at http://cve.mitre.org (1999-2004).
11. NIST: ICAT Metabase. Web page at http://icat.nist.gov/ (2000-2004).
12. Ollmann, G.: HTML Code Injection and Cross-site Scripting. Technical report, Gunter Ollmann (2002).
13. Ollmann, G.: Second-order Code Injection Attacks. Technical report, NGSSoftware Insight Security Research (2004).
14. PHP Group, T.: PHP Hypertext Preprocessor. Web page at http://www.php.net (2001-2004).
15. phpBB Group, T.: phpBB.com. Web page at http://www.phpbb.com (2001-2004).
16. SecurityFocus: BugTraq. Web page at http://www.securityfocus.com/bid (1998-2004).
17. Shankar, U., Talwar, K., Poster, J.S., Wagner, D.: Detecting format string vulnerabilities with type qualifiers. In: Proceedings of the 10th USENIX Security Symposium, Washington D.C., USENIX (2001) 257-272.
18. Stamey, J.W., Saunders, B.T., Cameron, M.: Aspect Oriented PHP (AOPHP). Web page at http://www.aophp.net (2004-2005).
19. Valgrind Developers: Valgrind. Web page at http://valgrind.org (2000-2005).
20. Wall, L., Christiansen, T., Orwant, J.: Programming Perl. O'R.eilly (2000).