Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection

Conference paper. In: Security and Trust Management (STM 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9871)

Abstract

We present a formal approach for the analysis of attacks that exploit SQLi to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on four real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.

This work was carried out while Marco Rocchetto was at the Università di Verona.


Notes

  1. Other possible attacks (e.g., by exploiting a Cross-Site Scripting (XSS) inside the payload of some SQLi) are outside the scope of our approach for now, cf. Sect. 6.

  2. This formal representation is intended to work with tools that perform symbolic analysis. We don't formalize the honest client behavior and we assume the DY intruder to be the only agent able to communicate with the web app. The DY intruder will eventually perform honest interactions if needed to achieve a particular configuration of the system. See [10] for more details.

  3. Nothing prevents us from relaxing this assumption, but this would give the DY intruder the possibility of performing attacks (e.g., man-in-the-middle attacks) that are rare in web app scenarios.

  4. The web app applies a hash function to the password before checking whether the credentials are correct because Joomla! stores the passwords hashed in the database.

  5. We do not consider the possibility of brute forcing the hashed password, in accordance with the perfect cryptography assumption of the DY model.

  6. We recall from Sect. 4.2 that tuple() represents an abstraction of any data that can be extracted from the database. This means that whenever a web app requires any data in the domain of the database, we can write it as a function of tuple().

  7. Recall that we don't represent SQL syntax in our models, so we don't explicitly represent the type of the SQL according to the modeling guidelines in Sect. 4.3.

References

  1. Akhawe, D., Barth, A., Lam, P., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: CSF, pp. 290–304. IEEE (2010)

  2. Apache Software Foundation: Apache HTTP Server Tutorial: .htaccess files. https://httpd.apache.org/docs/current/howto/htaccess.html

  3. Armando, A., et al.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012)

  4. Büchler, M., Oudinet, J., Pretschner, A.: Semi-automatic security testing of web applications from a secure model. In: SERE, pp. 253–262 (2012)

  5. Calvi, A., Viganò, L.: An automated approach for testing the security of web applications against chained attacks. In: ACM/SIGAPP SAC. ACM Press (2016)

  6. Christey, S.: The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. http://cwe.mitre.org/top25

  7. CVE-2015-7857. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7857

  8. CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). https://cwe.mitre.org/data/definitions/89.html

  9. Damele, B., Guimarães, A.: Advanced SQL injection to operating system full control. In: BlackHat EU (2009)

  10. De Meo, F., Rocchetto, M., Viganò, L.: Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection (Extended Version) (2016). arXiv:1605.00358

  11. Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)

  12. Doupé, A., Cova, M., Vigna, G.: Why Johnny can't pentest: an analysis of black-box web vulnerability scanners. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 111–131. Springer, Heidelberg (2010)

  13. Damn Vulnerable Web Application (DVWA). http://www.dvwa.co.uk

  14. Forristal, J.: ODBC and MS SQL Server 6.5. Phrack 8(54), Article 08 (1998)

  15. Halfond, W.G., Viegas, J., Orso, A.: A classification of SQL-injection attacks and countermeasures. In: SIGSOFT 2006/FSE-14 (2006)

  16. Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. In: ASE, pp. 174–183. IEEE (2005)

  17. Homakov, E.: How I hacked Github again (2014). http://homakov.blogspot.it/2014/02/how-i-hacked-github-again.html

  18. Internet Engineering Task Force (IETF): HTTP Authentication: Basic and Digest Access Authentication (1999). https://www.ietf.org/rfc/rfc2617.txt

  19. Trustwave SpiderLabs: Joomla SQL Injection Vulnerability Exploit Results in Full Administrative (2015). https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0

  20. Jackson, D.: Software Abstractions: Logic, Language, and Analysis. MIT Press, Cambridge (2012)

  21. Jayathissa, O.M.: SQL Injection in Insert, Update and Delete Statements

  22. Joomla! https://www.joomla.org

  23. Kieżun, A., Guo, P.J., Jayaraman, K., Ernst, M.D.: Automatic creation of SQL injection and cross-site scripting attacks. In: ICSE, pp. 199–209. IEEE (2009)

  24. Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: USENIX, p. 18 (2005)

  25. Martin, M., Lam, M.S.: Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In: USENIX, pp. 31–43 (2008)

  26. MySQL. https://www.mysql.com

  27. OWASP: OWASP Top 10 for 2013. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

  28. OWASP: SQL Injection. https://www.owasp.org/index.php/SQL_Injection

  29. OWASP: WebGoat Project. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

  30. PostgreSQL. http://www.postgresql.org

  31. Rocchetto, M., Ochoa, M., Torabi Dashti, M.: Model-based detection of CSRF. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IFIP AICT, vol. 428, pp. 30–43. Springer, Heidelberg (2014)

  32. SQLfast: SQL Formal AnalisyS Tool (2015). http://regis.di.univr.it/sqlfast/

  33. sqlmap: Automatic SQL injection and database takeover tool (2013). http://sqlmap.org

  34. sqlninja: a SQL Server injection & takeover tool (2013). http://sqlninja.sourceforge.net

  35. Stampar, M.: Data Retrieval over DNS in SQL Injection Attacks (2013). http://arxiv.org/abs/1303.3047

  36. Viganò, L.: The SPaCIoS project: secure provision and consumption in the internet of services. In: ICST, pp. 497–498 (2013)

Author information
Correspondence to Federico De Meo.


Copyright information

© 2016 Springer International Publishing AG

Cite this paper

De Meo, F., Rocchetto, M., Viganò, L. (2016). Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection. In: Barthe, G., Markatos, E., Samarati, P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science, vol 9871. Springer, Cham. https://doi.org/10.1007/978-3-319-46598-2_13

  • DOI: https://doi.org/10.1007/978-3-319-46598-2_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46597-5

  • Online ISBN: 978-3-319-46598-2
