Preventing SQL Injection through Automatic Query Sanitization with ASSIST

Raymond Mui
Phyllis Frankl

Web applications are becoming an essential part of our everyday lives. Many of our activities are dependent on the functionality and security of these applications. As the scale of these applications grows, injection vulnerabilities such as SQL injection are major security challenges for developers today. This paper presents the technique of automatic query sanitization to automatically remove SQL injection vulnerabilities in code. In our technique, a combination of static analysis and program transformation are used to automatically instrument web applications with sanitization code. We have implemented this technique in a tool named ASSIST (Automatic and Static SQL Injection Sanitization Tool) for protecting Java-based web applications. Our experimental evaluation showed that our technique is effective against SQL injection vulnerabilities and has a low overhead.

In Gwen Salaün, Xiang Fu and Sylvain Hallé : Proceedings Fourth International Workshop on Testing, Analysis and Verification of Web Software (TAV-WEB 2010), Antwerp, Belgium, 21 September 2010, Electronic Proceedings in Theoretical Computer Science 35, pp. 27–38.
Published: 17th September 2010.

ArXived at: http://dx.doi.org/10.4204/EPTCS.35.3 bibtex PDF

Comments and questions to: eptcs@eptcs.org
For website issues: webmaster@eptcs.org