Eliminating SQL Injection Attacks - A Transparent Defense Mechanism

M. Muthuprasanna, Ke Wei, S. Kothari
DOI: 10.1109/WSE.2006.9 (https://doi.org/10.1109/WSE.2006.9)
Venue: 2006 Eighth IEEE International Symposium on Web Site Evolution (WSE'06)
Published: 2006-09-23
Citations: 53

Abstract

The widespread adoption of Web services as an instant means of information dissemination and various other transactions has essentially made them a key component of today's Internet infrastructure. Web-based systems comprise both infrastructure components and application-specific code. Various organizations have started extensively deploying intrusion detection/prevention systems and firewalls as a means of securing their vital installations. However, very little emphasis is placed on securing the applications that run on these systems, apart from frequent updates and patching. SQL-injection attacks are a class of attacks to which many of these systems are highly vulnerable, and there is no known fool-proof defense against them. In this paper, we propose a technique that combines static application code analysis with runtime validation to detect the occurrence of such attacks. Deploying this technique eliminates the need to modify the source code of application scripts and allows seamless integration with currently deployed systems. We provide various optimizations that improve overall efficiency, and a preliminary evaluation of the prototype developed.