000000205 001__ 205
000000205 005__ 20130522141940.0
000000205 037__ $$aLERSSE-RefJnlPaper-2009-012
000000205 041__ $$aeng
000000205 100__ $$aSan-Tsai Sun
000000205 245__ $$aRetrofitting Existing Web Applications with Effective Dynamic Protection Against SQL Injection Attacks
000000205 260__ $$c2009-06-15
000000205 300__ $$a21
000000205 520__ $$aThis paper presents an approach for retrofitting existing web applications with run-time protection against known as well as unseen SQL injection attacks (SQLIAs) without the involvement of application developers. The precision of the approach is also enhanced with a method for reducing the rate of false positives in the SQLIA detection logic, via runtime discovery of the developers' intention for individual SQL statements made by web applications. The proposed approach is implemented in the form of protection mechanisms for J2EE, ASP.NET, and ASP applications. Named SQLPrevent, these mechanisms intercept both HTTP requests and SQL statements, mark and track parameter values originating from HTTP requests, and perform SQLIA detection and prevention on the intercepted SQL statements. The AMNESIA testbed is extended to contain false-positive testing traces, and is used to evaluate SQLPrevent. In our experiments, SQLPrevent produced no false positives or false negatives, and imposed a maximum 3.6% performance overhead with 30 milliseconds response time for the tested applications.
000000205 6531_ $$aSQLPrevent
000000205 6531_ $$aSQL Injection Attacks
000000205 6531_ $$aWeb Application Security
000000205 700__ $$aKonstantin Beznosov
000000205 8560_ $$fsantsais@ece.ubc.ca
000000205 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/205/files/205.pdf$$yTransfer from CDS 0.99.7
000000205 909C4 $$pSan-Tsai Sun and Konstantin Beznosov. Retrofitting Existing Web Applications with Effective Dynamic Protection Against SQL Injection Attacks. In International Journal of Secure Software Engineering, pages 20-40, 1(1), January 2010.
000000205 980__ $$aRefJnlPaper