You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications

Rasoul Jahanshahi, Adam Doupé, Manuel Egele

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Scopus citations

Abstract

SQL injection (SQLi) attacks pose a significant threat to the security of web applications. Existing approaches do not support object-oriented programming that renders these approaches unable to protect the real-world web apps such as Wordpress, Joomla, or Drupal against SQLi attacks. We propose a novel hybrid static-dynamic analysis for PHP web applications that limits each PHP function for accessing the database. Our tool, SQLBlock, reduces the attack surface of the vulnerable PHP functions in a web application to a set of query descriptors that demonstrate the benign functionality of the PHP function. We implement SQLBlock as a plugin for MySQL and PHP. Our approach does not require any modification to the web app. We evaluate SQLBlock on 11 SQLi vulnerabilities in Wordpress, Joomla, Drupal, Magento, and their plugins. We demonstrate that SQLBlock successfully prevents all 11 SQLi exploits with negligible performance overhead (i.e., a maximum of 3% on a heavily-loaded web server).

Original languageEnglish (US)
Title of host publicationProceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
PublisherAssociation for Computing Machinery, Inc
Pages445-457
Number of pages13
ISBN (Electronic)9781450367509
DOIs
StatePublished - Oct 5 2020
Event15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020 - Virtual, Online, Taiwan, Province of China
Duration: Oct 5 2020Oct 9 2020

Publication series

NameProceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020

Conference

Conference15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
Country/TerritoryTaiwan, Province of China
CityVirtual, Online
Period10/5/2010/9/20

Keywords

  • SQL injection
  • database
  • network security
  • web application

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications'. Together they form a unique fingerprint.

Cite this