Automated protection of php applications against SQL-injection attacks

Proceedings of the European Conference on Software Maintenance and Reengineering, CSMR

Volumn , Issue , 2007, Pages 191-200

  Merlo, Ettore ^a   Letarte, Dominic ^a   Antoniol, Giuliano ^a  

^a ÉCOLE POLYTECHNIQUE DE MONTRÉAL   (Canada)

Author keywords

Software re engineering; Software security analysis; SQL injection

Indexed keywords

SOFTWARE REENGINEERING; SOFTWARE SECURITY ANALYSIS; SQL-INJECTION;

DYNAMIC ANALYSIS; INFORMATION RETRIEVAL; QUERY LANGUAGES; SOFTWARE ENGINEERING; STATIC ANALYSIS; WEBSITES;

COMPUTER CRIME;

EID: 34547655711     PISSN: 15345351     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CSMR.2007.16     Document Type: Conference Paper

References (23)

1. JavaCC. https://javacc.dev.java.net.
2. PHP grammar. https://javacc.dev.java.net//files/documents/17/14269/ php.jj.
3. mySql. http://dev.mysql.com/doc.
4. phpBB. http://www.phpbb.com.
5. SQL. http://www.iso.org.
6. XPath. http://www.w3.org/TR/xpath.
7. C. Anley. Advanced SQL injection. In Technical report. NGSSoftware Insight Security Research, 2002.
8. C. Anley. Advanced SQL injection in SQL server applications. In Technical report, 2002.
9. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In Proc. of the 2nd Applied Cryptography and Network Security (ACNS) Conference, volume 3089, pages 292-304. Lecture Notes in Computer Science, Springer-Verlag, 2004.
10. G. Buehrer, B. W. Weide, and P. A. G. Sivilotti. Using parse tree validation to prevent SQL injection attacks. In Proc. International Workshop on Software Engineering and Middleware (SEM), pages 106 - 113. ACM Press, 2005.
11. A. S. Christensen, A. Moller, and M. I. Schwartzbach. Precise analysis of string expressions. In Proc. of the 10th International Static Analysis Symposium, SAS, pages 1-18. Springer-Verlag, June 2003.
12. W. R. Cook and S. Rai. Safe query objects: Statically typed objects as remotely executable queries. In Proc. of the 27th International Conference on Software Engineering (ICSE). IEEE Computer Society Press, 2005.
13. C. Gould, Z. Su, and P. Devanbu. JDBC checker: A static analysis tool for SQL/JDBC applications. In Proc. of the 26th International Conference on Software Engineering (ICSE) - Formal Demos, pages 697-698. IEEE Computer Society Press, 2004.
14. W. G. J. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Automated Software Engineering (ASE). Association for Computing Machinery (ACM), Nov 2005.
15. W. G. J. Halfond and A. Orso. Combining static analysis and runtime monitoring to counter SQL-injection attacks. In Proc. of the 3rd International ICSE Workshop on Dynamic Analysis (WODA). IEEE Computer Society Press, May 2005.
16. Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C-H. Tsai. Web application security assessment by fault injection and behavior. In Proc. of the 11th International World Wide Web Conference (WWW), May 2003.
17. Y.-W. Huang, F. Yu, C. Hang, C-H. Tsai, D. T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In Proc. of the 12th International World Wide Web Conference (WWW), May 2004.
18. R. McClure and I. Kruger. SQL DOM: Compile time checking of dynamic SQL statements. In Proc. of the 27th International Conference on Software Engineering (ICSE), pages 88-96. IEEE Computer Society Press, 2005.
19. E. Merlo, D. Letarte, and G. Antoniol. Insider and ousider threat-sensitive SQL injection vulnerability analysis in PHP. In Proceedings of IEEE Working Conference on Reverse Engineering. IEEE Computer Society Press, 2006 (to appear).
20. G. Ollmann. Second-order code injection attacks. In Technical report. NGSSoftware Insight Security Research, 2004.
21. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proc. of Recent Advances in Intrusion Detection (RAID), 2005.
22. F. Valeur, D. Mutz, and G. Vigna. A learning-based approach to the detection of SQL attacks. In Proc. Detection of Intrusions and Malware Vulnerability Assessment Conference (DIMVA), pages 123-140. IEEE Computer Society press, July 2005.
23. K. Wei, M. Muthuprasanna, and S. Kothari. Preventing SQL injection attacks in stored procedures. In Proc. Australian Software Engineering Conference (ASWEC), pages 191 - 198. IEEE Computer Society Press, 2006.