{"title":"面向对象方法的SQL注入防护器","authors":"D. Giri, S. P. Kumar, L. Prasannakumar, R. Murthy","doi":"10.1109/ICCCNT.2012.6395979","DOIUrl":null,"url":null,"abstract":"Many web applications can be exposed to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases and has become increasingly frequent and serious. This paper presents a new highly automated approach for protecting Web applications against SQL injection that has both theoretical and practical advantages over most existing techniques. From a theoretical view, the approach is based on the idea of positive tainting and on the concept of syntax-aware evaluation. From a practical view, our technique is efficient, has minimal deployment requirements, and has a negligible performance overhead in most cases. We have implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool, where a wide range of Web applications were subjected to a large and varied set of attacks and legal accesses. We considered login validation of user in an online banking system. WASP was able to stop all of these attacks and did not generate any false positives.","PeriodicalId":364589,"journal":{"name":"2012 Third International Conference on Computing, Communication and Networking Technologies (ICCCNT'12)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2012-07-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Object oriented approach to SQL injection preventer\",\"authors\":\"D. Giri, S. P. Kumar, L. Prasannakumar, R. Murthy\",\"doi\":\"10.1109/ICCCNT.2012.6395979\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Many web applications can be exposed to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases and has become increasingly frequent and serious. This paper presents a new highly automated approach for protecting Web applications against SQL injection that has both theoretical and practical advantages over most existing techniques. From a theoretical view, the approach is based on the idea of positive tainting and on the concept of syntax-aware evaluation. From a practical view, our technique is efficient, has minimal deployment requirements, and has a negligible performance overhead in most cases. We have implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool, where a wide range of Web applications were subjected to a large and varied set of attacks and legal accesses. We considered login validation of user in an online banking system. WASP was able to stop all of these attacks and did not generate any false positives.\",\"PeriodicalId\":364589,\"journal\":{\"name\":\"2012 Third International Conference on Computing, Communication and Networking Technologies (ICCCNT'12)\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2012-07-26\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2012 Third International Conference on Computing, Communication and Networking Technologies (ICCCNT'12)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICCCNT.2012.6395979\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 Third International Conference on Computing, Communication and Networking Technologies (ICCCNT'12)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICCCNT.2012.6395979","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Object oriented approach to SQL injection preventer
Many web applications can be exposed to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases and has become increasingly frequent and serious. This paper presents a new highly automated approach for protecting Web applications against SQL injection that has both theoretical and practical advantages over most existing techniques. From a theoretical view, the approach is based on the idea of positive tainting and on the concept of syntax-aware evaluation. From a practical view, our technique is efficient, has minimal deployment requirements, and has a negligible performance overhead in most cases. We have implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool, where a wide range of Web applications were subjected to a large and varied set of attacks and legal accesses. We considered login validation of user in an online banking system. WASP was able to stop all of these attacks and did not generate any false positives.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
