Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection

  • Federico De Meo
  • Marco Rocchetto
  • Luca Viganò
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9871)


We present a formal approach for the analysis of attacks that exploit SQL injection (SQLi) to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on four real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Federico De Meo (1)
  • Marco Rocchetto (2)
  • Luca Viganò (3)

  1. Dipartimento di Informatica, Università degli Studi di Verona, Verona, Italy
  2. iTrust, Singapore University of Technology and Design, Singapore, Singapore
  3. Department of Informatics, King’s College London, London, UK
