Automated Exploit Generation for SQL Injection Attacks
Date Issued
2010
Date
2010
Author(s)
Wu, Ko-Chih
Abstract
Automated static analysis tools are widely used today for finding input manipulation vulnerabilities in web applications, such as SQL injection. However, these tools may produce many false positives and these reported vulnerabilities cannot be verified easily. To verify these reported vulnerabilities, concrete attack requests need to be constructed and to be submitted to the target application, just like what hackers or black-box tools will do. Our approach is to send concrete exploits and to inspect SQL queries that are executed at run-time. Thus, it is possible to declare the reported vulnerability valid (along with true exploitable SQL commands) or bogus (i.e., false positive). Our technique is proved to be effective after the evaluation against several real-world examples.
Subjects
Web application security
SQL injection attacks
vulnerability testing
Type
thesis
File(s)![Thumbnail Image]()
Loading...
Name
ntu-99-R96943117-1.pdf
Size
23.32 KB
Format
Adobe PDF
Checksum
(MD5):fe4c44c50334e39d807132a33a5c45b4