Obfuscation-based analysis of SQL injection attacks
- 1 June 2010
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
Abstract
In this paper, we propose an obfuscation/deobfuscation based technique to detect the presence of possible SQL Injection Attacks (SQLIA) in a query before submitting it to a DBMS. This technique combines static and dynamic analysis. In the static phase, the queries in the application are replaced by queries in obfuscated form. The main idea behind obfuscation is to isolate all the atomic formulas from the other control elements of the query. During the dynamic phase, the user inputs are merged into the obfuscated atomic formulas, and the dynamic verifier analyzes the presence of possible SQLIA at the atomic-formula level. Finally, a deobfuscation step is performed to recover the original query before submitting it to the DBMS.
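The following is an added illustration of the static/dynamic split the abstract describes, not code from the paper: a constructed query template is obfuscated into a control skeleton plus isolated atomic formulas, user input is merged into each atom, the verifier rejects any atom that is no longer a single comparison, and deobfuscation rebuilds the query. The `@name`/`@age` markers, the `$i` placeholders and the literal grammar are assumptions of this example.

```python
import re

# Constructed stand-in for an application query; the @name/@age markers mark
# the points where user input is concatenated in (an assumption of this example).
TEMPLATE = "SELECT * FROM users WHERE name = '@name' AND age > @age"

# An atomic formula in the template: identifier, comparison operator, input marker.
ATOM_RE = re.compile(r"(\w+)\s*(=|<>|<=|>=|<|>)\s*('@\w+'|@\w+)")
PARAM_RE = re.compile(r"@(\w+)")
# After merging, an atom is still atomic only if its right-hand side is one literal:
# a number, or a quoted string whose only embedded quotes are doubled.
LEGAL_ATOM = re.compile(r"\w+\s*(=|<>|<=|>=|<|>)\s*(-?\d+(\.\d+)?|'(?:[^']|'')*')")


def obfuscate(template):
    """Static phase: pull every atomic formula out of the query and leave a $i
    placeholder, so control elements (AND, OR, ...) never meet user input."""
    atoms = []

    def stash(m):
        atoms.append(m.group(0))
        return f"${len(atoms)}"

    return ATOM_RE.sub(stash, template), atoms


def verify_and_deobfuscate(skeleton, atoms, inputs):
    """Dynamic phase: merge inputs into each isolated atom, reject any atom that
    is no longer a single comparison, then rebuild the query from the skeleton."""
    merged = []
    for atom in atoms:
        filled = PARAM_RE.sub(lambda p: inputs[p.group(1)], atom)
        if not LEGAL_ATOM.fullmatch(filled):
            raise ValueError(f"possible SQLIA in atomic formula: {filled!r}")
        merged.append(filled)
    # Single-pass substitution: replaced text is never rescanned, so a "$2"
    # inside a string input cannot be expanded as a placeholder.
    return re.sub(r"\$(\d+)", lambda p: merged[int(p.group(1)) - 1], skeleton)


def check(inputs):
    """Return the query to submit, or None when the verifier flags an attack."""
    skeleton, atoms = obfuscate(TEMPLATE)
    try:
        return verify_and_deobfuscate(skeleton, atoms, inputs)
    except ValueError:
        return None


if __name__ == "__main__":
    print(check({"name": "alice", "age": "30"}))
    print(check({"name": "alice' OR '1'='1", "age": "30"}))
```

Because the check runs per atom, a benign value that merely contains an unescaped quote is also rejected; the example leaves literal escaping to the application, as the verifier only decides whether the atom is still atomic.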