SQL injection attacks pose a serious security threat to Web
applications because they allow attackers to obtain unrestricted
access to the underlying databases and the potentially sensitive
information they contain. Although researchers and practitioners
have proposed various methods to address the SQL injection
problem, all current approaches have severe limitations. In this
paper, we propose a novel, automated approach to address the SQL
injection problem. Our approach marks as trusted only strings in
the program that are explicitly defined by the developer (e.g.,
string literals). We then prevent SQL-injection attacks by
parsing the SQL queries before they are submitted to the database
and only permitting queries in which all SQL keywords and
operators were created using trusted strings. To add and maintain
string-marking information, we developed MetaStrings, a set of
classes that can be transparently used in place of string-related
classes, but which provide functionality for storing and
automatically propagating string metadata. To evaluate our
approach, we developed a prototype implementation of our
technique and used it to protect several Web applications from a
large set of attacks of various kinds. The evaluation was
successful, in that our tool successfully and efficiently stopped
all of the attacks without generating any false positives.
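The mechanism described above, as an added example that is not the paper's own code: a per-character trust flag that is propagated through concatenation, followed by a simplified SQL lexer that rejects any query whose keywords, operators or comment markers contain untrusted characters. The `MetaString` class, the lexer and the two query builders (`login_query`, `item_query`) are constructed for this illustration and stand in for the paper's MetaStrings library and a full SQL parser.

```python
import re

class MetaString:
    """Constructed stand-in for the paper's MetaStrings: text plus one trust
    flag per character, propagated through concatenation."""
    def __init__(self, text, trusted=True, trust=None):
        self.text = text
        self.trust = list(trust) if trust is not None else [trusted] * len(text)

    def __add__(self, other):
        if not isinstance(other, MetaString):      # unknown origin is untrusted
            other = MetaString(other, trusted=False)
        return MetaString(self.text + other.text, trust=self.trust + other.trust)

# Minimal SQL lexer (simplified; a real implementation parses the full grammar).
TOKEN = re.compile(r"""(?P<ws>\s+)|(?P<comment>--[^\n]*)|(?P<string>'(?:[^']|'')*')
  |(?P<number>\d+)|(?P<word>[A-Za-z_][A-Za-z_0-9]*)|(?P<op>[=<>!]+|[-+*/(),;])""",
  re.VERBOSE)
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
            "UPDATE", "DELETE", "DROP", "LIKE", "IN"}

def check_query(q):
    """Syntax-aware evaluation: accept only if every keyword, operator and
    comment marker was built entirely from trusted characters."""
    pos = 0
    for m in TOKEN.finditer(q.text):
        if m.start() != pos:                      # lexer skipped a character
            return False, f"unparseable at {pos}"
        pos = m.end()
        kind = m.lastgroup
        if kind == "word" and m.group().upper() in KEYWORDS:
            kind = "keyword"
        if kind in ("keyword", "op", "comment") and not all(q.trust[m.start():pos]):
            return False, f"untrusted {kind} {m.group()!r}"
    return (True, "ok") if pos == len(q.text) else (False, f"unparseable at {pos}")

# Hypothetical application code: string literals are trusted, request data is not.
def login_query(username):
    return (MetaString("SELECT * FROM users WHERE name = '")
            + MetaString(username, trusted=False) + MetaString("'"))

def item_query(item_id):
    return MetaString("SELECT * FROM items WHERE id = ") + MetaString(item_id, trusted=False)

if __name__ == "__main__":
    for q in (login_query("alice"), login_query("select"),
              login_query("' OR '1'='1"), item_query("1=1")):
        print(check_query(q), "<-", q.text)
```

Note that untrusted text is still allowed inside a string literal (the input `select` is accepted as data), which is what distinguishes this check from keyword blacklisting.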
Last modified: Mon Oct 16 09:45:13 EDT 2006 | manolios@cc.gatech.edu | College of Computing