Ettore Merlo, Dominic Letarte and Giuliano Antoniol
Technical Report (2006)
Abstract
Web sites are either static sites, programs, or databases. Very often they are a mixture of these three aspects, integrating relational databases as a back-end. Web sites require configuration and programming attention to assure the security, confidentiality, and trustworthiness of the published information. SQL-injection attacks rely on weak validation of textual input used to build database queries. Maliciously crafted input may threaten the confidentiality and the security policies of Web sites relying on a database to store and retrieve information. Furthermore, insiders may introduce malicious code in a Web application, code that, when triggered by some specific input, for example, would violate security policies. This paper presents an original approach that combines static analysis, dynamic analysis, and code reengineering to automatically protect applications written in PHP from both malicious input (outsider threats) and malicious code (insider threats) that carry SQL-injection attacks. The paper also reports preliminary results about experiments performed on an old SQL-injection-prone version of phpBB (version 2.0.0, 37193 LOC of PHP version 4.2.2 code). Results show that our approach successfully improved the resistance of phpBB-2.0.0 to SQL-injection attacks.
Uncontrolled Keywords
SQL-injection, software security analysis, software re-engineering
| Subjects: | 2700 Information technology > 2700 Information technology; 2700 Information technology > 2711 Database management |
|---|---|
| Department: | Department of Computer Engineering and Software Engineering |
| Funders: | Natural Sciences and Engineering Research Council of Canada (NSERC) |
| PolyPublie URL: | https://publications.polymtl.ca/3138/ |
| Report number: | EPM-RT-2006-04 |
| Date Deposited: | 12 Jun 2018 10:46 |
| Last Modified: | 30 Sep 2024 23:05 |
| Cite in APA 7: | Merlo, E., Letarte, D., & Antoniol, G. (2006). Insider threat resistant SQL-injection prevention in PHP. (Technical Report n° EPM-RT-2006-04). https://publications.polymtl.ca/3138/ |