A Classification of SQL-Injection Attacks and Countermeasures

Authors: William G.J. Halfond, Alessandro Orso, Jeremy Viegas

DOI:

Keywords: SQL injection; Information sensitivity; Scope (computer science); Strengths and weaknesses; Web application; Computer security; Computer science

Abstract: SQL injection attacks pose a serious security threat to Web applications: they allow attackers to obtain unrestricted access to the databases underlying the applications and to the potentially sensitive information these databases contain. Although researchers and practitioners have proposed various methods to address the SQL injection problem, current approaches either fail to address the full scope of the problem or have limitations that prevent their use and adoption. Many researchers and practitioners are familiar with only a subset of the wide range of techniques available to attackers who are trying to take advantage of SQL injection vulnerabilities. As a consequence, many solutions proposed in the literature address only some of the issues related to SQL injection. To address this problem, we present an extensive review of the different types of SQL injection attacks known to date. For each type of attack, we provide descriptions and examples of how attacks of that type could be performed. We also present and analyze existing detection and prevention techniques against SQL injection attacks. For each technique, we discuss its strengths and weaknesses in addressing the entire range of SQL injection attacks.
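The following is an added worked example, not code from the paper or from any of the tools it surveys. It shows, on a constructed in-memory SQLite table, two of the attack types the paper classifies (a tautology and a comment-terminated query) against a query built by string concatenation, the prepared-statement countermeasure that binds input as data, and a simplified runtime structure check in the spirit of the model-based monitoring approach cited below (AMNESIA and parse-tree validation). The check here is a hypothetical stand-in that compares a token-level abstraction of the runtime query with the abstraction of the query template; it is not those tools' implementation. The table name, column names, credentials and attack strings are all made up for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for the example: two users in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def build_query(name, pw):
    # The injection point: user input is spliced into the SQL text itself.
    return f"SELECT id, name FROM users WHERE name = '{name}' AND pw = '{pw}'"


def vulnerable_login(conn, name, pw):
    # Runs whatever SQL the attacker managed to assemble.
    return conn.execute(build_query(name, pw)).fetchall()


def safe_login(conn, name, pw):
    # Prepared statement: the driver binds name and pw as values, so quotes,
    # OR clauses and comment markers inside them never reach the SQL parser.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ? AND pw = ?", (name, pw)
    ).fetchall()


# String literal | SQL line comment | word | single punctuation character.
_TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\w+|[^\s\w]")


def structure(query):
    """Abstract a query to its syntactic skeleton: every string literal becomes
    STR, every line comment becomes COMMENT, all other tokens are kept
    (case-folded). Injected SQL changes this skeleton; ordinary data does not."""
    out = []
    for tok in _TOKEN.findall(query):
        if tok.startswith("'"):
            out.append("STR")
        elif tok.startswith("--"):
            out.append("COMMENT")
        else:
            out.append(tok.upper())
    return out


# Expected skeleton, derived once from the template with harmless placeholders.
EXPECTED = structure(build_query("x", "y"))


def monitored_login(conn, name, pw):
    """Hypothetical runtime check: execute the dynamically built query only if
    its skeleton matches the template's; otherwise block it and return None."""
    query = build_query(name, pw)
    if structure(query) != EXPECTED:
        return None  # structure changed by the input: treated as an attack
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable, tautology :", vulnerable_login(db, tautology, tautology))
    print("vulnerable, comment   :", vulnerable_login(db, "alice' --", "wrong"))
    print("prepared, tautology   :", safe_login(db, tautology, tautology))
    print("monitored, tautology  :", monitored_login(db, tautology, tautology))
    print("monitored, legitimate :", monitored_login(db, "alice", "s3cret"))
```

Two caveats worth noting when running this. Python's sqlite3 driver refuses to execute more than one statement per `execute()` call, so a piggy-backed input such as `'; DROP TABLE users; --` fails in `vulnerable_login` with a driver error rather than dropping the table; that protection is a property of this particular driver, not of the application code, and other drivers and databases do run stacked queries. The structure check is deliberately crude: it tokenizes with a regular expression rather than parsing, so it would also reject legitimate input containing an unescaped quote (which the concatenating code would have turned into a malformed query anyway), and it only protects queries whose template is known in advance.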

References (20)
Fredrik Valeur, Darren Mutz, Giovanni Vigna. A learning-based approach to the detection of SQL attacks. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), pp. 123-140, 2005. doi:10.1007/11506881_8
H. Frystyk, L. Masinter, J. Mogul, J. Gettys, R. Fielding, P. Leach, T. Berners-Lee. Hypertext Transfer Protocol -- HTTP/1.1. RFC 2068, IETF, pp. 1-162, 1997.
Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo. Securing web application code by static analysis and runtime protection. Proceedings of the 13th International Conference on World Wide Web (WWW '04), pp. 40-52, 2004. doi:10.1145/988672.988679
William G. J. Halfond, Alessandro Orso. AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE '05), pp. 174-183, 2005. doi:10.1145/1101908.1101935
Yao-Wen Huang, Shih-Kun Huang, Tsung-Po Lin, Chung-Hung Tsai. Web application security assessment by fault injection and behavior monitoring. Proceedings of the 12th International Conference on World Wide Web (WWW '03), pp. 148-159, 2003. doi:10.1145/775152.775174
David Scott, Richard Sharp. Abstracting application-level web security. Proceedings of the 11th International Conference on World Wide Web (WWW 2002), pp. 396-407, 2002. doi:10.1145/511446.511498
Gregory T. Buehrer, Bruce W. Weide, Paolo A. G. Sivilotti. Using parse tree validation to prevent SQL injection attacks. Proceedings of the 5th International Workshop on Software Engineering and Middleware (SEM '05), pp. 106-113, 2005. doi:10.1145/1108473.1108496
William R. Cook, Siddhartha Rai. Safe query objects: statically typed objects as remotely executable queries. Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), pp. 97-106, 2005. doi:10.1145/1062455.1062488
Russell A. McClure, Ingolf H. Krüger. SQL DOM: compile time checking of dynamic SQL statements. Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), pp. 88-96, 2005. doi:10.1145/1062455.1062487
William G. J. Halfond, Alessandro Orso. Combining static analysis and runtime monitoring to counter SQL-injection attacks. ACM SIGSOFT Software Engineering Notes, vol. 30, pp. 1-7, 2005. doi:10.1145/1082983.1083250