Abstract
We present a formal approach for the analysis of attacks that exploit SQLi to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on four real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.
This work was carried out while Marco Rocchetto was at the Università di Verona.
Notes
1. Other possible attacks (e.g., exploiting a Cross-Site Scripting (XSS) vulnerability inside the payload of some SQLi) are outside the scope of our approach for now, cf. Sect. 6.
2. This formal representation is intended to work with tools that perform symbolic analysis. We do not formalize the honest client behavior, and we assume the DY intruder to be the only agent able to communicate with the web app. The DY intruder will perform honest interactions if needed to reach a particular configuration of the system. See [10] for more details.
3. Nothing prevents us from relaxing this assumption, but doing so would give the DY intruder the possibility of performing attacks (e.g., man-in-the-middle attacks) that are rare in web app scenarios.
4. The web app applies a hash function to the password before checking whether the credentials are correct, because Joomla! stores hashed passwords in the database.
5. We do not consider the possibility of brute-forcing the hashed password, in accordance with the perfect cryptography assumption of the DY model.
6. We recall from Sect. 4.2 that tuple() represents an abstraction of any data that can be extracted from the database. This means that whenever a web app requires data in the domain of the database, we can write it as a function of tuple().
7. Recall that we do not represent SQL syntax in our models, so we do not explicitly represent the type of the SQL statement, in accordance with the modeling guidelines in Sect. 4.3.
References
Akhawe, D., Barth, A., Lam, P., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: CSF, pp. 290–304. IEEE (2010)
Apache software foundation. Apache HTTP Server Tutorial: .htaccess files. https://httpd.apache.org/docs/current/howto/htaccess.html
Armando, A., et al.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012)
Büchler, M., Oudinet, J., Pretschner, A.: Semi-automatic security testing of web applications from a secure model. In: SERE, pp. 253–262 (2012)
Calvi, A., Viganò, L.: An automated approach for testing the security of web applications against chained attacks. In: ACM/SIGAPP SAC. ACM Press (2016)
Christey, S.: The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. http://cwe.mitre.org/top25
CVE-2015-7857. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7857
CWE. CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’). https://cwe.mitre.org/data/definitions/89.html
Damele, B., Guimarães, A.: Advanced SQL injection to operating system full control. In: BlackHat EU (2009)
De Meo, F., Rocchetto, M., Viganò, L.: Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection (Extended Version) (2016). arXiv:1605.00358
Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)
Doupé, A., Cova, M., Vigna, G.: Why Johnny can’t pentest: an analysis of black-box web vulnerability scanners. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 111–131. Springer, Heidelberg (2010)
Damn Vulnerable Web Application (DVWA). http://www.dvwa.co.uk
Forristal, J.: ODBC and MS SQL server 6.5. Phrack 8(54) (1998). Article 08
Halfond, W.G., Viegas, J., Orso, A.: A classification of SQL-injection attacks and countermeasures. In: SIGSOFT 2006/FSE-14 (2006)
Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for NEutralizing SQL–injection attacks. In: ASE, pp. 174–183. IEEE (2005)
Homakov, E.: How I hacked Github again (2014). http://homakov.blogspot.it/2014/02/how-i-hacked-github-again.html
Internet Engineering Task Force (IETF). HTTP Authentication: Basic and Digest Access Authentication (1999). https://www.ietf.org/rfc/rfc2617.txt
iSpiderLabs. Joomla SQL Injection Vulnerability Exploit Results in Full Administrative (2015). https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0. Accessed
Jackson, D.: Software Abstractions: Logic, Language, and Analysis. MIT Press, Cambridge (2012)
Jayathissa, O.M.: SQL Injection in Insert, Update and Delete Statements
Joomla! https://www.joomla.org
Kieżun, A., Guo, P.J., Jayaraman, K., Ernst, M.D.: Automatic creation of SQL injection and cross-site scripting attacks. In: ICSE, pp. 199–209. IEEE (2009)
Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: USENIX, p. 18 (2005)
Martin, M., Lam, M.S.: Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In: USENIX, pp. 31–43 (2008)
MySQL. https://www.mysql.com
OWASP. OWASP Top 10 for 2013. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP. SQL Injection. https://www.owasp.org/index.php/SQL_Injection
OWASP. WebGoat Project. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
PostgreSQL. http://www.postgresql.org
Rocchetto, M., Ochoa, M., Torabi Dashti, M.: Model-based detection of CSRF. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IFIP AICT, vol. 428, pp. 30–43. Springer, Heidelberg (2014)
SQLfast: SQL Formal AnalysiS Tool (2015). http://regis.di.univr.it/sqlfast/
sqlmap: Automatic SQL injection and database takeover tool (2013). http://sqlmap.org
sqlninja: a SQL Server injection & takeover tool (2013). http://sqlninja.sourceforge.net
Stampar, M.: Data Retrieval over DNS in SQL Injection Attacks (2013). http://arxiv.org/abs/1303.3047
Viganò, L.: The SPaCIoS project: secure provision and consumption in the internet of services. In: ICST, pp. 497–498 (2013)
© 2016 Springer International Publishing AG
De Meo, F., Rocchetto, M., Viganò, L. (2016). Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection. In: Barthe, G., Markatos, E., Samarati, P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science(), vol 9871. Springer, Cham. https://doi.org/10.1007/978-3-319-46598-2_13
DOI: https://doi.org/10.1007/978-3-319-46598-2_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46597-5
Online ISBN: 978-3-319-46598-2