11-02-2011, 07:17 AM
WASP (Web Application SQL-injection Preventer)
The basic idea of the WASP is to allow only the developer trusted stringsa to form the sensitive parts of the query. As a solution to the problem of SQL injection:
a)Positive tainting
b)Syntax-Aware evaluation
WEB applications are applications that can be accessed over the Internet by using any compliant Web browser that runs on any operating system and architecture. A variety of new threats are facing the web applications. Of this, the most significant one is the SQL Injection Attacks (SQLIAs). SQL queries are built by the Web applications to access the information stored in the databases. But, the attackers can gain complete access to such databases if inadequate input validation is performed. The specially encoded database commands can be input by the attackers. the attacker’s embedded commands are executed by the database when the web application builds the query using these strings, and the attack succeeds.
a new highly automated approach for dynamic detection and prevention of SQLIAs is proposed in this article. It involves identifying “trusted” strings in an application which are then used to form the semantically relevant parts of a SQL query.
Get full details here:
http://ccs.neu.edu/home/pete/pub/ieee-software-wasp.pdf
presentation:
http://cercs.gatech.edu/iucrc06/material/orso.pdf
The basic idea of the WASP is to allow only the developer trusted stringsa to form the sensitive parts of the query. As a solution to the problem of SQL injection:
a)Positive tainting
b)Syntax-Aware evaluation
WEB applications are applications that can be accessed over the Internet by using any compliant Web browser that runs on any operating system and architecture. A variety of new threats are facing the web applications. Of this, the most significant one is the SQL Injection Attacks (SQLIAs). SQL queries are built by the Web applications to access the information stored in the databases. But, the attackers can gain complete access to such databases if inadequate input validation is performed. The specially encoded database commands can be input by the attackers. the attacker’s embedded commands are executed by the database when the web application builds the query using these strings, and the attack succeeds.
a new highly automated approach for dynamic detection and prevention of SQLIAs is proposed in this article. It involves identifying “trusted” strings in an application which are then used to form the semantically relevant parts of a SQL query.
Get full details here:
http://ccs.neu.edu/home/pete/pub/ieee-software-wasp.pdf
presentation:
http://cercs.gatech.edu/iucrc06/material/orso.pdf
