ABSTRACT
SQL injection (SQLi) attacks pose a significant threat to the security of web applications. Existing defenses do not support object-oriented programming, which leaves them unable to protect real-world web applications such as WordPress, Joomla, or Drupal against SQLi attacks. We propose a novel hybrid static-dynamic analysis for PHP web applications that restricts the database access of each PHP function. Our tool, SQLBlock, reduces the attack surface of a vulnerable PHP function to a set of query descriptors that capture the function's benign database behavior. We implement SQLBlock as a plugin for MySQL and PHP; our approach requires no modification to the web application. We evaluate SQLBlock on 11 SQLi vulnerabilities in WordPress, Joomla, Drupal, Magento, and their plugins, and show that it prevents all 11 SQLi exploits with negligible performance overhead (at most 3% on a heavily loaded web server).
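The following Python sketch is an added illustration of the idea behind per-function query descriptors; it is not SQLBlock's code, and its descriptor format (statement type, tables touched, query skeleton with literals replaced by `?`) is an assumption chosen for the example. SQLBlock derives descriptors from the PHP source and enforces them inside MySQL; here the descriptors are instead learned from a constructed trace of benign queries and checked in-process, which is enough to show why a tautology, a UNION, or a query issued from the wrong PHP function all fall outside the allowed set even though each is syntactically valid SQL. The function names, table names and queries are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Tokenizer for the subset of MySQL syntax used here. Comments are kept as
# tokens because an injected "-- " changes what the server executes.
_TOKEN = re.compile("|".join([
    r"'(?:[^'\\]|\\.)*'",           # single-quoted string literal
    r'"(?:[^"\\]|\\.)*"',           # double-quoted string literal
    r"--[^\n]*|#[^\n]*|/\*.*?\*/",  # SQL comments
    r"\b\d+(?:\.\d+)?\b",           # numeric literal
    r"[A-Za-z_][A-Za-z0-9_.]*",     # keyword or (schema-qualified) identifier
    r"\S",                          # any other single character (operator, punctuation)
]), re.DOTALL)

_OPERATIONS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
_TABLE_PRECEDERS = {"FROM", "INTO", "UPDATE", "JOIN"}


@dataclass(frozen=True)
class QueryDescriptor:
    """Hypothetical descriptor (an assumption for this example): statement
    type, tables touched, and the query skeleton with literals replaced by '?'."""
    operation: str
    tables: frozenset
    skeleton: str


def describe(sql: str) -> QueryDescriptor:
    """Reduce a concrete query to its descriptor; literal values are erased."""
    tokens = _TOKEN.findall(sql)
    if not tokens or tokens[0].upper() not in _OPERATIONS:
        raise ValueError("unsupported statement: %r" % sql)
    skeleton, tables = [], set()
    for i, tok in enumerate(tokens):
        if tok[0] in "'\"" or tok[0].isdigit():
            skeleton.append("?")            # literal: the value does not matter
        elif tok.startswith(("--", "#", "/*")):
            skeleton.append("<comment>")    # comments change what gets executed
        else:
            skeleton.append(tok.upper())
        # The identifier directly after FROM/INTO/UPDATE/JOIN names a table.
        if (i > 0 and tokens[i - 1].upper() in _TABLE_PRECEDERS
                and (tok[0].isalpha() or tok[0] == "_")):
            tables.add(tok.lower())
    return QueryDescriptor(tokens[0].upper(), frozenset(tables), " ".join(skeleton))


class SqlPolicy:
    """Per-PHP-function allow-list of query descriptors."""

    def __init__(self):
        self._allowed = defaultdict(set)

    def learn(self, php_function: str, sql: str) -> None:
        self._allowed[php_function].add(describe(sql))

    def check(self, php_function: str, sql: str) -> bool:
        """True only if the query matches a descriptor recorded for this function."""
        try:
            return describe(sql) in self._allowed.get(php_function, set())
        except ValueError:
            return False  # unparseable or unsupported statement: fail closed


# Constructed benign trace: (calling PHP function, query it issued).
BENIGN_TRACE = [
    ("get_user_by_login", "SELECT id, user_login FROM wp_users WHERE user_login = 'alice'"),
    ("get_user_by_login", "SELECT id, user_login FROM wp_users WHERE user_login = 'bob'"),
    ("count_posts", "SELECT COUNT(*) FROM wp_posts WHERE post_author = 7 AND post_status = 'publish'"),
]

# Constructed runtime queries to check, keyed by case name.
CASES = {
    "benign_new_value": ("get_user_by_login",
        "SELECT id, user_login FROM wp_users WHERE user_login = 'carol'"),
    "tautology": ("get_user_by_login",
        "SELECT id, user_login FROM wp_users WHERE user_login = '' OR 1=1 -- '"),
    "union": ("get_user_by_login",
        "SELECT id, user_login FROM wp_users WHERE user_login = 'x' "
        "UNION SELECT user, password FROM mysql.user -- '"),
    "wrong_function": ("get_user_by_login",
        "SELECT COUNT(*) FROM wp_posts WHERE post_author = 7 AND post_status = 'publish'"),
}


def build_policy(trace=BENIGN_TRACE) -> SqlPolicy:
    policy = SqlPolicy()
    for func, sql in trace:
        policy.learn(func, sql)
    return policy


def run_demo(cases=CASES) -> dict:
    """Map each case name to True (allowed) or False (blocked)."""
    policy = build_policy()
    return {name: policy.check(func, sql) for name, (func, sql) in cases.items()}


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print("%-18s %s" % (name, "ALLOW" if allowed else "BLOCK"))
```

The "wrong_function" case is the point of restricting access per function rather than per application: the count query is perfectly legitimate when issued by `count_posts`, but a SQLi in `get_user_by_login` that manages to produce it is still blocked because that descriptor was never associated with that function. A descriptor this coarse is only a sketch; a real enforcement point would also have to account for the dynamic query construction that the paper's hybrid analysis handles.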