SAFELI - SQL injection scanner using symbolic execution

TAV-WEB 2008 - Proceedings of the Workshop on Testing, Analysis and Verification of Web Software

Volumn , Issue , 2008, Pages 34-39

  Fu, Xiang ^a   Qian, Kai ^b  

^a GEORGIA SOUTHWESTERN STATE UNIVERSITY   (United States)

^b SOUTHERN POLYTECHNIC STATE UNIVERSITY   (United States)

Author keywords

Automated testing; Constraint solver; SQL injection attack; Symbolic execution

Indexed keywords

AUTOMATED TESTING; CONSTRAINT SOLVER; CURRENT PROGRESSES; DATABASE SECURITIES; INITIAL VALUES; OPEN PROBLEMS; SECURITY VULNERABILITIES; SQL INJECTION ATTACK; SQL INJECTIONS; SQL QUERIES; STEP BY STEPS; SYMBOLIC EXECUTION; SYMBOLIC EXECUTIONS; TEST CASES; WEB APPLICATIONS; WEB CONTROLS;

COMPUTER CRIME; COMPUTER SOFTWARE; INFORMATION THEORY; JAVA PROGRAMMING LANGUAGE; SOFTWARE TESTING; TECHNICAL PRESENTATIONS; VERIFICATION;

WORLD WIDE WEB;

EID: 57449084220     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1390832.1390838     Document Type: Conference Paper

References (21)

1. Saswat Anand, Corina S. Pasareanu, and Willem Visser. Jpf-se: A symbolic execution extension to java pathfinder. In International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS 2007), pages 134-138, Braga, Portugal, March 2007.
2. C. Anley. Advanced SQL Injection In SQL Server Applications. Next Generation Security Software LTD. White Paper, 2002.
3. C. Anley. More Advanced SQL Injection. Next Generation Security Software LTD. White Paper, 2002.
4. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL injection attacks. In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, volume 3089 of Lecture Notes in Computer Science, pages 292-304. Springer, 2004.
5. G. Brat, K. Havelund, S. Park, and W. Visser. Java pathfinder - a second generation of a Java model checker. In Proceedings of the Workshop on Advances in Verification, 2000.
6. Shigeru Chiba. Java assist tutorial, http://www.csg.is.titech.ac.jp/- chiba/javassist/.
7. A. Christensen, A. Mller, and M. Schwartzbach. Precise analysis of string expressions. In Proceedings of the International Static Analysis Symposium (SAS'03), 2003.
8. SPI Dynamics. Webinspect: Security throughout the application lifecycle. SPI Dynamics. Datasheet. http://www.spidynamics.com/assets/documents/WebInspect- DataSheets.pdf.
9. Apache Software Foundation. Bytecode engineering library (bcel). http://Jakarta.apache.org/bcel/manual.html.
10. X. Fu, X. Lu, K. Qian, B. Peltsverger, and S. Chen. A Static Analysis Framework for Detecting SQL Injection Vulnerabilities. In Proceedings of 31st Annual International Computer Software and Applications Conference (COMPSAC2007), pages 87-96, 2007.
11. X. Fu, K. Qian, B. Peltsverger, L. Tao, and J. Liu. APOGEE - Automated Project Grading and Instant Feedback System for Web Based Computing. In Proceedings of the 39th SIGCSE Technical Symposium on Computer Science Education (SIGCSE 2008), pages 77 -81, Portland, OR, March 2008.
12. Y.W. Huang, S.K. Huang, T.P. Lin, and C.H. Tsai. Web application security assessment by fault injection and behavior monitoring. In Proceedings of the 11th International World Wide Web Conference (WWW 2003), 2003.
13. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction set randomization. In Proceedings of the ACM Conference on Computer and Communications Security (CCS'03), 2003.
14. S. Khurshid, C. S. Pasǎreǎnu, and W. Visser. Generalized symbolic execution for model checking and testing. In Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume 2619 of LNCS, 2003.
15. J. C. King. Symbolic execution and program testing. Communications of the ACM, 19(7):385-394, 1976.
16. Yukihiro Matsumoto. Ruby programming language. http://www.ruby-lang.org/ en/.
17. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In Proceedings of the 20th IFIP International Information Security Conference, 2005.
18. D. Shannon, S. Hajra, A. Lee, D. Zhan, and S. Khurshid. Abstracting symbolic execution with string analysis. In Testing: Academic and Industrial Conference Practice and Research Techniques - MUTATION, 2007. (TAICPART-MUTATION 2007), pages 13-22, September 2007.
19. N. Tillmann and W. Schulte. Parameterized unit tests with unit meist. In Proceedings of the 10th European Software Engineering Conference Joint with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEC/FSE), 2005.
20. Jeroen van Menen. Web application testing in .net.http://watin. sourceforge.net/.
21. J. Yang, C. Sar, P. Twohey, C. Cadar, and D. Engler. Automatically generating malicious disks using symbolic execution. In Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P 2006), 2006.