The use of web applications has become increasingly popular in our routine activities, such as reading the news, paying bills, and shopping on-line. As the availability of these services grows, we are witnessing an increase in the number and sophistication of attacks that target them. In particular, SQL injection, a class of code-injection attacks in which specially crafted input strings result in illegal queries to a database, has become one of the most serious threats to web applications. In this paper we present and evaluate a new technique for detecting and preventing SQL injection attacks. Our technique uses a model-based approach to detect illegal queries before they are executed on the database. In its static part, the technique uses program analysis to automatically build a model of the legitimate queries that could be generated by the application. In its dynamic part, the technique uses runtime monitoring to inspect the dynamically-generated queries and check them against the statically-built model. We developed a tool, AMNESIA, that implements our technique and used the tool to evaluate the technique on seven web applications. In the evaluation we targeted the subject applications with a large number of both legitimate and malicious inputs and measured how many attacks our technique detected and prevented. The results of the study show that our technique was able to stop all of the attempted attacks without generating any false positives.
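The two-phase scheme the abstract describes, reduced to a runnable sketch (example code added for this page, not the AMNESIA tool's own implementation): the static phase builds a token-level model of the query a hotspot can emit, and the dynamic phase lexes each generated query and accepts it only if it matches that model. It assumes the hotspot can be represented as the constant string fragments the code concatenates around user variables, uses a flat token template with a BETA placeholder in place of the paper's automaton, and the lexer, the `users` query and the inputs are constructed for this example.

```python
import re
# Minimal SQL lexer, constructed for this example (not AMNESIA's own code).
TOKEN_RE = re.compile(r"""\s*(?:
    (?P<comment>--[^\n]*|/\*.*?\*/)    |   # SQL comments
    (?P<string>'(?:[^']|'')*')         |   # quoted string literal
    (?P<number>\d+(?:\.\d+)?)          |   # numeric literal
    (?P<word>[A-Za-z_][A-Za-z0-9_]*)   |   # keyword or identifier
    (?P<punct><=|>=|<>|!=|[(),;=<>*])      # operators and punctuation
    )""", re.VERBOSE | re.DOTALL)
BETA = ("beta", None)  # model placeholder: exactly one user-supplied literal

def tokenize(sql):
    """Lex a query into (kind, text) pairs; keywords/identifiers are case-folded."""
    sql, pos, tokens = sql.strip(), 0, []
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            raise ValueError(f"unlexable text at offset {pos}")
        kind, pos = m.lastgroup, m.end()
        tokens.append((kind, m.group(kind).lower() if kind == "word" else m.group(kind)))
    return tokens

def build_model(fragments):
    """Static phase (simplified): join the hotspot's constant fragments around a
    sentinel standing in for each variable, lex, and turn sentinel tokens into BETA."""
    sentinel = "amnesia_beta"
    return [BETA if sentinel in text else (kind, text)
            for kind, text in tokenize(sentinel.join(fragments))]

def compose(fragments, values):
    """What the application itself does at runtime: plain string concatenation."""
    query = fragments[0]
    for value, fragment in zip(values, fragments[1:]):
        query += value + fragment
    return query

def is_legitimate(model, query):
    """Dynamic phase: lex the generated query and walk it against the model. A BETA
    slot accepts exactly one string or number token, so injected tokens are rejected."""
    try:
        tokens = tokenize(query)
    except ValueError:
        return False  # fail closed on text the lexer does not understand
    return len(tokens) == len(model) and all(
        actual[0] in ("string", "number") if expected == BETA else expected == actual
        for expected, actual in zip(model, tokens))

# Constructed hotspot: "SELECT ... login='" + login + "' AND pin=" + pin
HOTSPOT = ["SELECT * FROM users WHERE login='", "' AND pin=", ""]
MODEL = build_model(HOTSPOT)
```

A legitimate pair such as `john` / `1234` yields the same twelve tokens as the model, while any input that changes the token structure (extra keywords, a comment, an identifier where a literal belongs) fails the check before the query reaches the database.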