DOI: 10.1145/3098954.3103173
Research article
Source Code Patterns of SQL Injection Vulnerabilities

Published: 29 August 2017

Abstract

Many secure software development methods and tools are well known and understood. Still, the same software security vulnerabilities keep occurring. To find out whether new source code patterns have evolved or the same patterns keep recurring, we investigate SQL injections in PHP open source projects. SQL injections are well known and a core part of software security education. For each common part of an SQL injection, the source code patterns are analysed. Examples are pointed out showing that developers had software security in mind but nevertheless created vulnerabilities. A comparison to earlier work shows that some categories are not found as often as expected. Our main contribution is the categorization of source code patterns.
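The abstract's observation that developers who had security in mind still produced injectable code is easiest to see in a concrete snippet. The following PHP is an added illustration written for this page, not code from the paper or from any project it studied, and the two "security in mind" patterns it shows (escaping applied to a value that lands in an unquoted numeric context, and sprintf with %s used as a query builder) are common examples chosen here, not necessarily the paper's categories. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL so that it runs offline; the users table and the attacker input are constructed for the example.

```php
<?php
// Added illustration for this page, not code from the paper or any project it studied.
// Assumes the pdo_sqlite extension; an in-memory SQLite database stands in for MySQL.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
    $db->exec("INSERT INTO users (id, name, is_admin) VALUES (1, 'alice', 1), (2, 'bob', 0)");
    return $db;
}

// Vulnerable: escaping was applied, so injection was clearly considered, but the value
// is interpolated into an unquoted numeric context where escaping quote characters
// changes nothing. addslashes() stands in for mysql_real_escape_string(); the logic is the same.
function findUserEscaped(PDO $db, string $id): array
{
    $escaped = addslashes($id);
    $sql = "SELECT id, name FROM users WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Vulnerable: sprintf() looks like a safe query builder, but %s enforces no type and
// inserts the raw string, so this is plain string concatenation in disguise.
function findUserSprintfString(PDO $db, string $id): array
{
    $sql = sprintf('SELECT id, name FROM users WHERE id = %s', $id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Not injectable for this column: %d coerces the argument to an integer, so the
// SQL structure cannot change. It only works because the column is numeric and is
// not a general remedy for string columns.
function findUserSprintfInt(PDO $db, string $id): array
{
    $sql = sprintf('SELECT id, name FROM users WHERE id = %d', $id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe in general: the statement structure is fixed before the value is bound,
// so the input is handled as data regardless of its content or the column type.
function findUserPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();
// Constructed attacker input: contains no quote characters, so escaping leaves it intact.
$payload = '1 OR 1=1';

printf("escaped:    %d row(s)\n", count(findUserEscaped($db, $payload)));
printf("sprintf %%s: %d row(s)\n", count(findUserSprintfString($db, $payload)));
printf("sprintf %%d: %d row(s)\n", count(findUserSprintfInt($db, $payload)));
printf("prepared:   %d row(s)\n", count(findUserPrepared($db, $payload)));
```

Run it with `php` on the command line. Because the constructed input carries no quote characters, addslashes() passes it through unchanged and both the escaped variant and the %s variant return both users: the WHERE clause has become `id = 1 OR 1=1`. The %d variant coerces the string to 1 and returns only alice, which is correct here but depends on the column being numeric. The prepared statement binds `1 OR 1=1` as a text value, which matches no integer id, and returns no rows. The check a reviewer should make is therefore not "was the input escaped?" but "does the sanitisation match the context the value lands in?", which is exactly the kind of mismatch the abstract describes.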


Published In

ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security
August 2017
853 pages
ISBN:9781450352574
DOI:10.1145/3098954
© 2017 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Code Review
  2. Data Mining
  3. PHP
  4. Software Security
  5. Sql Injection
  6. Vulnerabilities

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES '17
ARES '17: International Conference on Availability, Reliability and Security
August 29 - September 1, 2017
Reggio Calabria, Italy

Acceptance Rates

ARES '17 paper acceptance rate: 100 of 191 submissions, 52%
Overall acceptance rate: 228 of 451 submissions, 51%
