Writing Secure Code
Web application security assessment by fault injection and behavior monitoring
WWW '03 Proceedings of the 12th international conference on World Wide Web
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
The essence of command injection attacks in web applications
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation
IEEE Transactions on Software Engineering
The 6th International Workshop on Software Engineering for Secure Systems (SESS'10)
Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - Volume 2
| Hi-index | 0.00 |
SQL injection is one amongst the most dangerous vulnerabilities for Web applications, and it is becoming a frequent cause of attacks as many systems are migrating towards the Web. This paper proposes an approach and a tool-named V1p3R ("viper") for Web application penetration testing. The approach is based on pattern matching of error messages and on outputs produced by the application under test, and relies upon an extensible knowledge base consisting in a large set of templates. Results of an empirical study carried out on 12 real Web applications and aimed at comparing V1p3R with SQLMap showed the higher performances of the proposed approach with respect to the existing state-of-the-practice.