Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection

Abstract: We present a formal approach for the analysis of attacks that exploit SQLi to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on four real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.

“…This allows for functionalities such as blog posting, forum discussions, etc. Querying a database is performed using the Structured Query Language SQL and whenever a query is created using user-supplied data, SQLi attacks could be possible [10,17,26]. Most modern DMBSs provide APIs that extend SQL's expressiveness by allowing SQL code to access a web app's file-system for reading and writing purposes.…”

“…The idea behind the extension is to make the database able to perform a reading or writing request to the file-system whenever a query is valid. We also modified how sanitized queries are handled by removing the sanitization function sanitizedQuery() from the database specification of [10] and introducing a new uninterpreted function sanitized() that represents a general sanitization function (see § 3.4 for further details). For brevity, we give in § A a description of the database behavior as given in [10] while in this section we focus on the extension.…”

“…In our formalization, the web app can communicate with client, file-system and database. In [10] we also provided some guidelines on how to represent web apps, however, they were limited to basic interaction with the database. In this paper we provide extended guidelines that also take the file-system into consideration.…”

“…a constant representing the returned page (e.g., dashboard, admin etc), the function file() when the web app performs a reading operation on the file-system, and the function tuple() that, following [10], is returned only if the executed query is SELECT, UPDATE or DELETE.…”

“…First, we formally define file-system vulnerabilities and how to exploit them to violate security properties of web apps. A number of formal approaches based on the Dolev-Yao (DY) attacker model [12] have been developed for the security analysis of web apps, e.g., [1,3,5,10,30,35]. However, file-system vulnerabilities of web apps have never been taken into consideration by formal approaches before.…”

A Formal Approach to Exploiting Multi-stage Attacks Based on File-System Vulnerabilities of Web Applications

“…This allows for functionalities such as blog posting, forum discussions, etc. Querying a database is performed using the Structured Query Language SQL and whenever a query is created using user-supplied data, SQLi attacks could be possible [10,17,26]. Most modern DMBSs provide APIs that extend SQL's expressiveness by allowing SQL code to access a web app's file-system for reading and writing purposes.…”

“…The idea behind the extension is to make the database able to perform a reading or writing request to the file-system whenever a query is valid. We also modified how sanitized queries are handled by removing the sanitization function sanitizedQuery() from the database specification of [10] and introducing a new uninterpreted function sanitized() that represents a general sanitization function (see § 3.4 for further details). For brevity, we give in § A a description of the database behavior as given in [10] while in this section we focus on the extension.…”

“…In our formalization, the web app can communicate with client, file-system and database. In [10] we also provided some guidelines on how to represent web apps, however, they were limited to basic interaction with the database. In this paper we provide extended guidelines that also take the file-system into consideration.…”

“…a constant representing the returned page (e.g., dashboard, admin etc), the function file() when the web app performs a reading operation on the file-system, and the function tuple() that, following [10], is returned only if the executed query is SELECT, UPDATE or DELETE.…”

“…First, we formally define file-system vulnerabilities and how to exploit them to violate security properties of web apps. A number of formal approaches based on the Dolev-Yao (DY) attacker model [12] have been developed for the security analysis of web apps, e.g., [1,3,5,10,30,35]. However, file-system vulnerabilities of web apps have never been taken into consideration by formal approaches before.…”

A Formal Approach to Exploiting Multi-stage Attacks Based on File-System Vulnerabilities of Web Applications

Multi-device Login Monitoring for Google Meet Using Path Compressed Double-Trie and User Location

ADT-SQLi : An Automated Detection of SQL Injection Vulnerability in Web Applications