Affiliation:
1. College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
2. Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China
Abstract
Static analysis is popular for detecting SQL injection vulnerabilities. However, due to the lack of accurate modeling of object-oriented database extensions, current methods fail to accurately detect SQL injection vulnerabilities in applications that use object-oriented database extensions. We propose a program transformation-based SQL injection vulnerability detection method to address this issue. This method consists of two stages: program transformation and vulnerability detection. In the first stage, object-oriented database extensions are automatically transformed into semantically equivalent procedural database extensions through the identification of key statements, call relation verification, and program transformation. In the second stage, application programs are automatically scanned using a combination of control flow graph construction and taint analysis techniques to detect SQL injection vulnerabilities. Based on the proposed method, we have implemented the OODBE-SCAN prototype system and performed experimental analysis on eight modern PHP applications. We compare OODBE-SCAN with two related static analysis tools, RIPS and Seay. The results show that OODBE-SCAN can detect more real-world vulnerabilities and has higher accuracy than existing methods.
Subject
Fluid Flow and Transfer Processes, Computer Science Applications, Process Chemistry and Technology, General Engineering, Instrumentation, General Materials Science
Cited by
2 articles.