Scheduled System Maintenance on May 29th, 2015:
IEEE Xplore will be upgraded between 11:00 AM and 10:00 PM EDT. During this time there may be intermittent impact on performance. We apologize for any inconvenience.
By Topic

Semi-Automated Verification of Defense against SQL Injection in Web Applications

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

3 Author(s)
Kaiping Liu ; Sch. of Electr. & Electron. Eng., Nanyang Technol. Univ., Singapore, Singapore ; Hee Beng Kuan Tan ; Shar, L.K.

Recent reports reveal that majority of the attacks to Web applications are input manipulation attacks. Among these attacks, SQL injection attack malicious input is submitted to manipulate the database in a way that was unintended by the applications' developers is one such attack. This paper proposes an approach for assisting to code verification process on the defense against SQL injection. The approach extracts all such defenses implemented in code. With the use of the proposed approach, developers, testers or auditors can then check the defenses extracted from code to verify their adequacy. We have evaluated the feasibility, effectiveness, and usefulness of the proposed approach by a set of open-source systems. Our experiment results showed that the proposed approach is effective in extracting all the possible defenses implemented/adopted by Web applications. We observed that the proposed approach would be useful in identifying the false positive cases resulting from other related approaches and auditing the code in order to fix the actual vulnerable cases.

Published in:

Software Engineering Conference (APSEC), 2012 19th Asia-Pacific  (Volume:1 )

Date of Conference:

4-7 Dec. 2012