TL;DR
This paper introduces SQLBlock, a hybrid static-dynamic analysis tool for PHP web applications that effectively prevents SQL injection attacks without modifying existing web apps, demonstrated on popular platforms.
Contribution
It presents a novel hybrid analysis approach and a practical plugin implementation that enhances security for legacy PHP web applications against SQLi attacks.
Findings
Successfully prevented all tested SQLi exploits
Minimal performance overhead of up to 3%
Applicable to popular CMS platforms like Wordpress and Joomla
Abstract
SQL injection (SQLi) attacks pose a significant threat to the security of web applications. Existing approaches do not support object-oriented programming that renders these approaches unable to protect the real-world web apps such as Wordpress, Joomla, or Drupal against SQLi attacks. We propose a novel hybrid static-dynamic analysis for PHP web applications that limits each PHP function for accessing the database. Our tool, SQLBlock, reduces the attack surface of the vulnerable PHP functions in a web application to a set of query descriptors that demonstrate the benign functionality of the PHP function. We implement SQLBlock as a plugin for MySQL and PHP. Our approach does not require any modification to the web app. W evaluate SQLBlock on 11 SQLi vulnerabilities in Wordpress, Joomla, Drupal, Magento, and their plugins. We demonstrate that SQLBlock successfully prevents all 11 SQLi…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
