Australian Software Engineering Conference (ASWEC'06): Latest Papers

Checking conformance between business processes and Web service contract in service oriented applications
Australian Software Engineering Conference (ASWEC'06) Pub Date : 2006-04-18 DOI: 10.1109/ASWEC.2006.20
Jenny Bhuiyan, S. Nepal, J. Zic
Abstract: A key challenge to widespread adoption of service oriented architectures and supporting Web services technologies is the issue of maintaining consistency of interacting, long running, autonomous business processes that constitute distributed applications, in the presence of application level failures, concurrent activities and other exceptional events. One of the main sources of inconsistency is the non-conformance between business processes and their external behaviors, expressed through service contracts. Today, the onus is on the programmers to write complex code to handle such non-conformance due to shortcomings in supporting tools and technologies. This paper addresses this problem in the context of consistency requirements, firstly, by describing the relationships between the business process workflow and Web service contracts, and then by providing a prototype tool that checks the conformance between them.
Citations: 6

Preventing SQL injection attacks in stored procedures
Australian Software Engineering Conference (ASWEC'06) Pub Date : 2006-04-18 DOI: 10.1109/ASWEC.2006.40
Ke Wei, M. Muthuprasanna, S. Kothari
Abstract: An SQL injection attack targets interactive Web applications that employ database services. These applications accept user inputs and use them to form SQL statements at runtime. During an SQL injection attack, an attacker might provide malicious SQL query segments as user input which could result in a different database request. By using SQL injection attacks, an attacker could thus obtain and/or modify confidential/sensitive information. An attacker could even use a SQL injection vulnerability as a rudimentary IP/Port scanner of the internal corporate network. Several papers in literature have proposed ways to prevent SQL injection attacks in the application layer by examining dynamic SQL query semantics at runtime. However, very little emphasis is laid on securing stored procedures in the database layer which could also suffer from SQL injection attacks. Some papers in literature even refer to stored procedures as a remedy against SQL injection attacks. As stored procedures reside on the database front, the methods proposed by them cannot be applied to secure stored procedures themselves. In this paper, we propose a novel technique to defend against the attacks targeted at stored procedures. This technique combines static application code analysis with runtime validation to eliminate the occurrence of such attacks. In the static part, we design a stored procedure parser, and for any SQL statement which depends on user inputs, we use this parser to instrument the necessary statements in order to compare the original SQL statement structure to that including user inputs. The deployment of this technique can be automated and used on a need-only basis. We also provide a preliminary evaluation of the results of the technique proposed, as performed on several stored procedures in the SQL Server 2005 database.
Citations: 140