Preventing SQL Injection through Automatic Query Sanitization with ASSIST
Raymond Mui, Phyllis Frankl

TL;DR
This paper introduces ASSIST, a tool that combines static analysis with program transformation to automatically instrument Java web applications with sanitization code at their SQL query sites, removing SQL injection vulnerabilities with low runtime overhead.
Contribution
The paper presents a novel static analysis and program transformation approach for automatic query sanitization in web applications, implemented in the ASSIST tool.
Findings
Effective prevention of SQL injection vulnerabilities.
Low performance overhead in real-world applications.
Successful validation on Java web applications.
Abstract
Web applications are becoming an essential part of our everyday lives. Many of our activities are dependent on the functionality and security of these applications. As the scale of these applications grows, injection vulnerabilities such as SQL injection are major security challenges for developers today. This paper presents the technique of automatic query sanitization to automatically remove SQL injection vulnerabilities in code. In our technique, a combination of static analysis and program transformation are used to automatically instrument web applications with sanitization code. We have implemented this technique in a tool named ASSIST (Automatic and Static SQL Injection Sanitization Tool) for protecting Java-based web applications. Our experimental evaluation showed that our technique is effective against SQL injection vulnerabilities and has a low overhead.
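The abstract describes instrumenting an application's query sites with sanitization code. The following added example, which is not code from the paper or from the ASSIST tool, shows in Python (with an in-memory sqlite3 database constructed for the demonstration) the kind of sink a static analysis would flag, a hypothetical sanitizer `sanitize_string_literal` that a transformation could insert at that sink, and the parameterized form that avoids the problem by construction. The table, the rows, the function names and the payload are all constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for a web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, user, pw):
    """Untrusted input concatenated into SQL: the classic injection sink."""
    query = (
        "SELECT name FROM users WHERE name = '" + user
        + "' AND password = '" + pw + "'"
    )
    return [row[0] for row in conn.execute(query)]


def sanitize_string_literal(value):
    """Hypothetical sanitizer of the kind a transformation could insert.

    It is valid only for values that land inside a single-quoted SQL string
    literal: doubling the quote keeps the attacker from closing the literal,
    and NUL bytes are dropped because some drivers treat them as terminators.
    It does nothing for numeric or identifier contexts (see usage note).
    """
    return value.replace("\x00", "").replace("'", "''")


def login_sanitized(conn, user, pw):
    """Same query shape as login_vulnerable, with the sanitizer applied at the sink."""
    query = (
        "SELECT name FROM users WHERE name = '" + sanitize_string_literal(user)
        + "' AND password = '" + sanitize_string_literal(pw) + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, user, pw):
    """Preferred fix: bound parameters never become part of the SQL syntax."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?", (user, pw)
    )
    return [row[0] for row in rows]


# Constructed tautology payload: closes the password literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", login_vulnerable(db, "alice", PAYLOAD))    # every user
    print("sanitized:    ", login_sanitized(db, "alice", PAYLOAD))     # no match
    print("parameterized:", login_parameterized(db, "alice", PAYLOAD)) # no match
    print("legit login:  ", login_parameterized(db, "alice", "s3cret"))
```

Against the payload, the vulnerable query returns every user because the injected `OR '1'='1'` makes the predicate a tautology, while both hardened versions return nothing; a legitimate login behaves identically in all three. The caveat a practitioner should keep in mind for any sanitizer inserted at the sink is that quote-escaping only works when the analysis has established that the value lands inside a string literal; a value concatenated into a numeric comparison (`WHERE id = ` + input) or an identifier position needs a different check, which is why binding parameters is the safer default where the query shape allows it.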
Taxonomy
Topics: Web Application Security Vulnerabilities · Security and Verification in Computing
