  • DocumentCode
    1799860
  • Title
    Escrow: A Large-Scale Web Vulnerability Assessment Tool
  • Author
    Delamore, Baden; Ko, Ryan K. L.
  • Author_Institution
    Cyber Security Lab., Univ. of Waikato, Hamilton, New Zealand
  • fYear
    2014
  • fDate
    24-26 Sept. 2014
  • Firstpage
    983
  • Lastpage
    988
  • Abstract
    The reliance on Web applications has increased rapidly over the years. At the same time, the quantity and impact of application security vulnerabilities have grown as well. Amongst these vulnerabilities, SQL Injection has been classified as the most common, dangerous and prevalent web application flaw. In this paper, we propose Escrow, a large-scale SQL Injection detection tool with an exploitation module that is lightweight, fast and platform-independent. Escrow uses a custom search implementation together with a static code analysis module to find potential target web applications. Additionally, it provides a simple-to-use graphical user interface (GUI) to navigate through a vulnerable remote database. Escrow is implementation-agnostic, i.e. it can perform analysis on any web application regardless of the server-side implementation (PHP, ASP, etc.). Using our tool, we discovered that it is indeed possible to identify and exploit at least 100 databases per 100 minutes, without prior knowledge of their underlying implementation. We observed that for each query sent, we can scan and detect dozens of vulnerable web applications in a short space of time, while providing a means for exploitation. Finally, we provide recommendations for developers to defend against SQL injection and emphasise the need for proactive assessment and defensive coding practices.
  • Keywords
    Internet; SQL; graphical user interfaces; program diagnostics; security of data; Escrow; SQL injection detection tool; Web application flaw; application security vulnerabilities; custom search implementation; defensive coding practice; exploitation module; graphical user interface; large-scale Web vulnerability assessment tool; server-side implementation; static code analysis module; vulnerable remote database; Databases; Google; Graphical user interfaces; Search engines; Security; Servers; Uniform resource locators
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on
  • Conference_Location
    Beijing
  • Type
    conf
  • DOI
    10.1109/TrustCom.2014.130
  • Filename
    7011356