Affiliation:
1. University of Illinois, Chicago
2. University of Illinois, Urbana-Champaign
Abstract
SQL injection attacks are one of the top-most threats for applications written for the Web. These attacks are launched through specially crafted user inputs, on Web applications that use low-level string operations to construct SQL queries. In this work, we exhibit a novel and powerful scheme for automatically transforming Web applications to render them safe against all SQL injection attacks.
A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Our technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and detect attacks by comparing it against the structure of the actual query issued. We propose a simple and novel mechanism, called Candid, for mining programmer intended queries by dynamically evaluating runs over benign candidate inputs. This mechanism is theoretically well founded and is based on inferring intended queries by considering the symbolic query computed on a program run. Our approach has been implemented in a tool called Candid that retrofits Web applications written in Java to defend them against SQL injection attacks. We have also implemented Candid by modifying a Java Virtual Machine, which safeguards applications without requiring retrofitting. We report extensive experimental results that show that our approach performs remarkably well in practice.
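The following is an added illustration of the candidate-evaluation idea described above; it is not code from the CANDID tool or the paper, and it uses Python rather than the Java the tool retrofits. The query builders are constructed stand-ins for application code, the tokenizer approximates a parse-tree comparison with a token-class skeleton, and the rule for deriving a same-length benign candidate (digits become `1`, everything else becomes `a`) is an assumption made here, not necessarily the paper's exact rule.

```python
import re
from typing import Callable, List, Tuple

# Tokenizer for a small SQL subset. Literals are reported by class only, so the
# *values* of user data drop out and what remains is the query's structure.
_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><=|>=|<>|!=|[=<>+\-*/(),;.])
""", re.VERBOSE | re.DOTALL)


def sql_structure(query: str) -> List[str]:
    """Approximate the query's parse-tree skeleton as a token-class list.
    Keywords, identifiers and operators keep their text; string and numeric
    literals collapse to STR/NUM; comments to COMMENT. Anything the grammar
    does not cover (e.g. a dangling quote) becomes a BAD token, which is
    itself a structural difference."""
    out: List[str] = []
    pos = 0
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if m is None:
            out.append("BAD:" + query[pos])
            pos += 1
            continue
        pos = m.end()
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "string":
            out.append("STR")
        elif kind == "number":
            out.append("NUM")
        elif kind == "comment":
            out.append("COMMENT")
        elif kind == "ident":
            out.append(m.group().upper())
        else:
            out.append(m.group())
    return out


def benign_candidate(user_input: str) -> str:
    """Derive a benign candidate input of the same length as the real one
    (assumed rule: digits become '1', every other character becomes 'a').
    Same length matters because the query builder may branch on it."""
    return "".join("1" if ch.isdigit() else "a" for ch in user_input)


def candid_check(build: Callable[..., str], *inputs: str) -> Tuple[bool, str]:
    """Run the builder on the real inputs and again on the candidate inputs.
    The candidate run follows the same control path and so reveals the
    programmer-intended structure. Returns (structures_match, actual_query)."""
    actual = build(*inputs)
    intended = build(*(benign_candidate(i) for i in inputs))
    return sql_structure(actual) == sql_structure(intended), actual


# Constructed query builders standing in for a Web application's own code.
def build_search_query(name: str, min_age: str) -> str:
    # Vulnerable: raw concatenation, with branches that depend on the input.
    sql = "SELECT id, name FROM users WHERE 1=1"
    if name:
        sql += " AND name = '" + name + "'"
    if min_age:
        sql += " AND age >= " + min_age
    return sql


def build_login_query_escaped(user: str, password: str) -> str:
    # Still string-built, but quotes are doubled so data cannot close a literal.
    def quote(s: str) -> str:
        return "'" + s.replace("'", "''") + "'"
    return ("SELECT id FROM users WHERE name = " + quote(user)
            + " AND pass = " + quote(password))


if __name__ == "__main__":
    cases = [
        (build_search_query, ("alice", "18")),           # benign
        (build_search_query, ("", "")),                  # benign, other branch
        (build_search_query, ("' OR 1=1 --", "18")),     # string-context injection
        (build_search_query, ("alice", "18 OR 1=1")),    # numeric-context injection
        (build_search_query, ("O'Brien", "")),           # benign data, broken query
        (build_login_query_escaped, ("O'Brien", "pw")),  # escaped: structure kept
        (build_login_query_escaped, ("' OR 1=1 --", "pw")),  # escaped: no injection
    ]
    for build, args in cases:
        ok, query = candid_check(build, *args)
        print(("allow" if ok else "BLOCK"), query)
```

Two points the runs make visible. First, the candidate has to keep the real input's length: `build_search_query` adds a clause only when the parameter is non-empty, and a fixed candidate such as `"a"` would take a different path and produce a structure the real run was never meant to have. Second, the check is about structure, not intent: an apostrophe in a benign name breaks the unescaped builder's query just as an attack does, and both are reported as mismatches, while the escaping builder keeps every input inside one literal, so its candidate and actual structures agree even for the attack string.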
Funder
Division of Computer and Network Systems
Division of Computing and Communication Foundations
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality; General Computer Science
Cited by: 76 articles.