Conference proceeding
Detection Method of the Second-Order SQL Injection in Web Applications
Structured Object-Oriented Formal Language and Method: Third International Workshop, SOFL+MSVL 2013, Queenstown, New Zealand, October 29, 2013, Revised Selected Papers, pp.154-165
Lecture Notes in Computer Science
Third International Workshop, SOFL+MSVL (Queenstown, New Zealand, 29/10/2013 - 30/10/2013)
2014
Abstract
Web applications are seriously threatened by SQL injection attacks. Even though a number of methods and tools have been put forward to detect or prevent SQL injections, there is a lack of effective methods for detecting second-order SQL injection, in which user inputs are first stored in the back-end database and only later used to build a query. This paper proposes a detection solution for second-order SQL injection that combines static and dynamic methods. The solution first analyzes the source code to find the vulnerable data item pairs that are likely to carry a second-order SQL injection vulnerability, then transforms each pair into an effective test sequence. After that, the test sequence and malicious inputs are combined for testing. Assessment of this solution on four applications, together with practical use, shows its effectiveness in detecting second-order SQL injection.
Details
- Title
- Detection Method of the Second-Order SQL Injection in Web Applications
- Creators
- Lu Yan (Tianjin University); Xiaohong Li (Tianjin University); Ruitao Feng (Tianjin University); Zhiyong Feng (Tianjin University); Jing Hu (Tianjin University)
- Contributors
- Shaoying Liu (Editor); Zhenhua Duan (Editor)
- Publication Details
- Structured Object-Oriented Formal Language and Method: Third International Workshop, SOFL+MSVL 2013, Queenstown, New Zealand, October 29, 2013, Revised Selected Papers, pp.154-165
- Conference
- Third International Workshop, SOFL+MSVL (Queenstown, New Zealand, 29/10/2013 - 30/10/2013)
- Series
- Lecture Notes in Computer Science
- Publisher
- Springer International Publishing
- Identifiers
- 991013214582802368
- Copyright
- © 2014 Springer International Publishing Switzerland.
- Academic Unit
- Information Technology; Faculty of Science and Engineering
- Language
- English
- Resource Type
- Conference proceeding