Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection

Conference paper

DOI: 10.1007/978-3-319-46598-2_13

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9871)
Cite this paper as:
De Meo F., Rocchetto M., Viganò L. (2016) Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection. In: Barthe G., Markatos E., Samarati P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science, vol 9871. Springer, Cham

Abstract

We present a formal approach for the analysis of attacks that exploit SQLi to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on four real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Federico De Meo (1)
  • Marco Rocchetto (2)
  • Luca Viganò (3)
  1. Dipartimento di Informatica, Università degli Studi di Verona, Verona, Italy
  2. iTrust, Singapore University of Technology and Design, Singapore, Singapore
  3. Department of Informatics, King’s College London, London, UK