Title :
Detecting SOQL-injection vulnerabilities in SalesForce applications
Author :
Saxena, Ankur ; Sengupta, Sabyasachi ; Duraisamy, Prakash ; Kaulgud, Vikrant ; Chakraborty, Arpan
Author_Institution :
Accenture Technol. Labs., Bangalore, India
Abstract :
The two most common web attacks used by hackers to steal data are SQL-injection and cross-site scripting (XSS). Both are examples of taint vulnerabilities, in which maliciously crafted code (for example, a SQL query fragment) is injected into a web application by embedding it inside innocuous-looking user input. We present the design of TRAP (Taint Removal and Analysis Platform), a static data-flow analysis tool that detects SOQL-injection problems in SalesForce applications. TRAP is designed to be language independent: the analysis is performed on an XML intermediate language called STAC (STatic Analysis Code), into which each supported source language is compiled. Currently, we have implemented STAC compilers for Apex and Java.
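The abstract describes the core of the tool as a static data-flow (taint) analysis from user-controlled sources to dynamic-SOQL sinks. The following is an added example written for this page, not code from the paper, TRAP or STAC: a small forward taint analysis over a constructed three-address IR, run on four sample programs modelled on common Apex idioms (raw string splicing, String.escapeSingleQuotes inside a quoted literal, the same escaping in a numeric context where it does not help, and a bind variable). The IR shape, the source/sink/sanitizer lists and the sample programs are all assumptions made for this demo.

```python
"""Added example, not code from the paper, TRAP or STAC: a small forward
taint analysis over a constructed three-address IR. It shows the
source -> sink data-flow check a SOQL-injection detector performs. The IR
shape, the source/sink/sanitizer lists and the sample programs are all
assumptions made for this demo, modelled on common Apex idioms."""
from typing import Dict, List, Optional, Tuple

# IR statement: (line, dst, callee, parts). `parts` are ("lit", text) or
# ("var", name) pieces concatenated left to right; `callee` is the function
# applied to that concatenation, or None for a plain assignment. A sink
# statement has dst None.
Part = Tuple[str, str]
Stmt = Tuple[int, Optional[str], Optional[str], List[Part]]

SOURCES = {"ApexPages.currentPage().getParameters().get"}  # request parameters
SINKS = {"Database.query"}                                 # dynamic SOQL
QUOTE_SANITIZERS = {"String.escapeSingleQuotes"}           # safe only inside '...'

# Taint label per variable: None (clean), "raw" (unsanitised user input),
# "escaped" (went through escapeSingleQuotes but not yet placed inside a
# quoted literal) or "quoted" (escaped text already enclosed in quotes).
Taint = Optional[str]


def taint_of_concat(parts: List[Part], taint: Dict[str, Taint]) -> Taint:
    """Join the labels of the pieces. Any raw piece taints the result. An
    escaped piece is still dangerous unless the literal immediately before
    it ends in a single quote (a simple string-context heuristic)."""
    result: Taint = None
    prev_lit = ""
    for kind, val in parts:
        if kind == "lit":
            prev_lit = val
            continue
        label = taint.get(val)
        if label == "raw" or (label == "escaped" and not prev_lit.endswith("'")):
            return "raw"
        if label in ("escaped", "quoted"):
            result = "quoted"
        prev_lit = ""
    return result


def analyse(program: List[Stmt]) -> List[str]:
    """Single forward pass over straight-line code (no branches or loops in
    this toy); returns one finding per sink reached by raw taint."""
    taint: Dict[str, Taint] = {}
    origin: Dict[str, int] = {}  # variable -> line where its taint entered
    findings: List[str] = []
    for line, dst, callee, parts in program:
        if callee in SOURCES:
            taint[dst], origin[dst] = "raw", line
            continue
        label = taint_of_concat(parts, taint)
        tainted_vars = [v for k, v in parts if k == "var" and taint.get(v)]
        if callee in QUOTE_SANITIZERS:
            label = "escaped" if label else None
        if callee in SINKS:
            if label == "raw":
                src_line = min(origin[v] for v in tainted_vars)
                findings.append(f"line {line}: {callee} built from input read "
                                f"at line {src_line}")
            continue
        taint[dst] = label
        if label:
            origin[dst] = min(origin[v] for v in tainted_vars)
    return findings


SRC = "ApexPages.currentPage().getParameters().get"
SEL = "SELECT Id FROM Account WHERE "

# Constructed sample programs (not from the paper), each modelling an Apex
# controller that reads a request parameter and runs dynamic SOQL.
VULNERABLE: List[Stmt] = [          # raw splice: ' OR Name != '' breaks out
    (1, "name", SRC, [("lit", "name")]),
    (2, "q", None, [("lit", SEL + "Name = '"), ("var", "name"), ("lit", "'")]),
    (3, None, "Database.query", [("var", "q")]),
]
ESCAPED_IN_QUOTES: List[Stmt] = [   # escapeSingleQuotes inside '...': accepted
    (1, "name", SRC, [("lit", "name")]),
    (2, "safe", "String.escapeSingleQuotes", [("var", "name")]),
    (3, "q", None, [("lit", SEL + "Name = '"), ("var", "safe"), ("lit", "'")]),
    (4, None, "Database.query", [("var", "q")]),
]
ESCAPED_UNQUOTED: List[Stmt] = [    # numeric context: escaping quotes does nothing
    (1, "n", SRC, [("lit", "minEmployees")]),
    (2, "safe", "String.escapeSingleQuotes", [("var", "n")]),
    (3, "q", None, [("lit", SEL + "NumberOfEmployees > "), ("var", "safe")]),
    (4, None, "Database.query", [("var", "q")]),
]
BIND_VARIABLE: List[Stmt] = [       # query text is constant; :name is bound
    (1, "name", SRC, [("lit", "name")]),
    (2, "q", None, [("lit", SEL + "Name = :name")]),
    (3, None, "Database.query", [("var", "q")]),
]

if __name__ == "__main__":
    for title, prog in [("vulnerable", VULNERABLE),
                        ("escaped in quotes", ESCAPED_IN_QUOTES),
                        ("escaped unquoted", ESCAPED_UNQUOTED),
                        ("bind variable", BIND_VARIABLE)]:
        print(f"{title}: {analyse(prog) or 'no findings'}")
```

Two points the toy makes that carry over to a real detector: a sanitizer must be modelled together with the context it is safe for (escapeSingleQuotes only neutralises breakout from a single-quoted string literal, so the numeric-context program is still reported), and a bind variable never reaches the sink as data at all, which is why it is the preferred fix. A production analysis additionally has to merge labels at control-flow joins, follow flows through fields, collections and method calls, and treat every dynamic-query entry point as a sink.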
Keywords :
Java; SQL; cloud computing; computer crime; customer relationship management; data flow analysis; program compilers; Apex; SOQL-injection problem detection; SOQL-injection vulnerability detection; SQL query; SQL-injection; STAC compilers; STatic Analysis Code; SalesForce application; TRAP design; Taint Removal and Analysis Platform; Web application; Web-attacks; XML intermediate language; XSS; cross-site scripting; data stealing; hackers; innocuous looking user inputs; maliciously crafted code; static data-flow analysis tool; Cloning; Context; Informatics; Reactive power; Security; XML;
Conference_Title :
Advances in Computing, Communications and Informatics (ICACCI), 2013 International Conference on
Conference_Location :
Mysore
Print_ISBN :
978-1-4799-2432-5
DOI :
10.1109/ICACCI.2013.6637220