SAFELI: SQL injection scanner using symbolic execution
TAV-WEB '08 Proceedings of the 2008 workshop on Testing, analysis, and verification of web services and applications
SQL injection attacks (SIA) have recently become a major threat to Web applications: through carefully crafted user input, an attacker can expose or manipulate the application's back-end database. This paper proposes and outlines the design of a static analysis framework, SAFELI, for identifying SIA vulnerabilities at compile time. SAFELI statically inspects the MSIL bytecode of an ASP.NET Web application using symbolic execution. At each hotspot that submits a SQL query, a hybrid constraint solver is used to find user input that could lead to a breach of information security. Once completed, SAFELI has the potential to discover subtler SQL injection attacks than black-box Web security inspection tools can.
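The abstract's core idea is that a query-submitting hotspot is treated as a function of symbolic user input, and a solver searches for a concrete input that changes the structure of the SQL the hotspot emits. The following is an added example written for this page, not SAFELI's code (the paper works on MSIL bytecode with a hybrid constraint solver; nothing here is taken from it). It uses a toy SQL tokenizer and a bounded enumeration over constructed attack fragments as a stand-in for the solver, applied to a vulnerable concatenation hotspot, a quote-doubling variant, and a parameterized variant. The query shapes, fragment list, and hotspot functions are all assumptions made for the illustration.

```python
"""Toy illustration of the SAFELI idea: a hotspot builds a SQL query from user
input, and a solver looks for an input that changes the query's parse shape.

Constructed for this example: the tokenizer covers a tiny SQL subset, and
find_injection() is a bounded search standing in for a real constraint solver.
"""
import re

# Token pattern for a tiny SQL subset: comments, string literals with ''
# escaping, numbers, identifiers/keywords, operators, whitespace, and a
# catch-all BAD for anything else (e.g. an unterminated quote).
TOKEN_RE = re.compile(
    r"(?P<COMMENT>--[^\n]*|/\*.*?\*/)"
    r"|(?P<STR>'(?:[^']|'')*')"
    r"|(?P<NUM>\d+)"
    r"|(?P<WORD>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<OP><=|>=|<>|!=|[=<>*,;()])"
    r"|(?P<WS>\s+)"
    r"|(?P<BAD>.)",
    re.S,
)

KEYWORDS = {"select", "from", "where", "and", "or", "not", "union",
            "insert", "delete", "update", "drop", "table"}


def structure(query):
    """Return the query's shape: keywords upper-cased, identifiers as ID,
    literals collapsed to STR/NUM, comments and stray characters kept as
    COMMENT/BAD so that a swallowed tail or a broken literal shows up."""
    shape = []
    for m in TOKEN_RE.finditer(query):
        kind, text = m.lastgroup, m.group()
        if kind == "WS":
            continue
        if kind == "WORD":
            shape.append(text.upper() if text.lower() in KEYWORDS else "ID")
        elif kind == "OP":
            shape.append(text)
        else:
            shape.append(kind)
    return shape


def login_query_concat(name, pw):
    """Vulnerable hotspot (assumed for the example): input spliced into SQL."""
    return ("SELECT id FROM users WHERE name = '" + name
            + "' AND pw = '" + pw + "'")


def login_query_escaped(name, pw):
    """Same hotspot with quote doubling, the only escape this toy dialect has.
    Real dialects have more escape forms; parameterization is the proper fix."""
    def q(s):
        return s.replace("'", "''")
    return ("SELECT id FROM users WHERE name = '" + q(name)
            + "' AND pw = '" + q(pw) + "'")


def login_query_parameterized(name, pw):
    """Hardened hotspot: the SQL text is constant, values travel separately."""
    return ("SELECT id FROM users WHERE name = @name AND pw = @pw",
            {"@name": name, "@pw": pw})


# Constructed attack fragments tried at each input position.
FRAGMENTS = ["'", "' OR '1'='1", "' OR 1=1 --",
             "x'; DROP TABLE users; --", "admin"]


def find_injection(build, n_args, fragments=FRAGMENTS):
    """Bounded search standing in for the constraint solver: return the first
    (position, value) whose emitted query has a different shape from the
    benign baseline, or None if every candidate keeps the shape intact."""
    benign = ["a"] * n_args
    baseline = structure(build(*benign))
    for pos in range(n_args):
        for frag in fragments:
            args = list(benign)
            args[pos] = frag
            if structure(build(*args)) != baseline:
                return pos, frag
    return None


if __name__ == "__main__":
    print("concat       :", find_injection(login_query_concat, 2))
    print("escaped      :", find_injection(login_query_escaped, 2))
    print("parameterized:", find_injection(
        lambda n, p: login_query_parameterized(n, p)[0], 2))
```

The concatenation hotspot is reported with a witness input at the first position, because a lone quote breaks the literal and yields a different token shape. The quote-doubling variant and the parameterized variant yield no witness within the search space; for the parameterized one this holds by construction, since the query text at the hotspot no longer depends on user input, which is the property a static scanner can check without a solver at all.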