Title :
A Static Analysis Framework For Detecting SQL Injection Vulnerabilities
Author :
Fu, Xiang ; Lu, Xin ; Peltsverger, Boris ; Chen, Shijun ; Qian, Kai ; Tao, Lixin
Author_Institution :
Georgia Southwestern State Univ., Americus
Abstract :
Recently SQL injection attack (SIA) has become a major threat to Web applications. Via carefully crafted user input, attackers can expose or manipulate the back-end database of a Web application. This paper proposes the construction and outlines the design of a static analysis framework (called SAFELI) for identifying SIA vulnerabilities at compile time. SAFELI statically inspects MSIL bytecode of an ASP.NET Web application, using symbolic execution. At each hotspot that submits SQL query, a hybrid constraint solver is used to find out the corresponding user input that could lead to breach of information security. Once completed, SAFELI has the future potential to discover more delicate SQL injection attacks than black-box Web security inspection tools.
Keywords :
Internet; SQL; network operating systems; program diagnostics; security of data; ASP.NET Web application; SQL injection attack; SQL injection vulnerability; back-end database manipulation; information security; static analysis; symbolic execution; Application software; Databases; Information analysis; Information security; Instruments; Intrusion detection; Libraries; Runtime; Software engineering; Testing;
Conference_Titel :
Computer Software and Applications Conference, 2007. COMPSAC 2007. 31st Annual International
Conference_Location :
Beijing
Print_ISBN :
0-7695-2870-8
DOI :
10.1109/COMPSAC.2007.43
