Enhanced pushdown automaton based static analysis for detection of SQL injection Hotspots in web application
SQL injection Hotspots (SQLiHs) are Application’s Entry Points (AEPs) through which SQL injection is possible, subject to the application’s internal sanitization or validation capabilities. Since not all AEPs are SQLiHs, one serious challenge during testing of very large web application for detectio...
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Indian Society for Education and Environment
2016
|
| Subjects: | |
| Online Access: | http://psasir.upm.edu.my/id/eprint/54163/ http://psasir.upm.edu.my/id/eprint/54163/1/Enhanced%20pushdown%20automaton%20based%20static%20analysis%20for%20detection%20of%20SQL%20injection%20Hotspots%20in%20web%20application.pdf |
| _version_ | 1848852470795599872 |
|---|---|
| author | Umar, Kabir Md Sultan, Abu Bakar Zulzalil, Hazura Admodisastro, Novia Indriaty Abdullah @ Selimun, Mohd Taufik |
| author_facet | Umar, Kabir Md Sultan, Abu Bakar Zulzalil, Hazura Admodisastro, Novia Indriaty Abdullah @ Selimun, Mohd Taufik |
| author_sort | Umar, Kabir |
| building | UPM Institutional Repository |
| collection | Online Access |
| description | SQL injection Hotspots (SQLiHs) are Application’s Entry Points (AEPs) through which SQL injection is possible, subject to the application’s internal sanitization or validation capabilities. Since not all AEPs are SQLiHs, one serious challenge during testing of very large web application for detection of SQL Injection Vulnerabilities (SQLIVs) is how to reliably decide which AEPs to consider for the test and which AEPs are unnecessary? In this paper, we propose a new Pushdown Automaton (PDA) based static analysis technique for detection of SQLiHs in web applications. The goal is to produce concrete information that can reliably and confidently guide both human tester/developer and SQLIVs detection tools/techniques as to which part of the source code to concentrate their efforts during detection and fixing of SQL injection flaws in an application. The proposed technique is an integral part of an on-going research on automated method for detection and removal of SQLIVs in web application. Experimental evaluation of the method is in progress. However, preliminary results show that the proposed technique is both feasible and effective. |
| first_indexed | 2025-11-15T10:38:36Z |
| format | Article |
| id | upm-54163 |
| institution | Universiti Putra Malaysia |
| institution_category | Local University |
| language | English |
| last_indexed | 2025-11-15T10:38:36Z |
| publishDate | 2016 |
| publisher | Indian Society for Education and Environment |
| recordtype | eprints |
| repository_type | Digital Repository |
| spelling | upm-541632018-03-01T08:37:20Z http://psasir.upm.edu.my/id/eprint/54163/ Enhanced pushdown automaton based static analysis for detection of SQL injection Hotspots in web application Umar, Kabir Md Sultan, Abu Bakar Zulzalil, Hazura Admodisastro, Novia Indriaty Abdullah @ Selimun, Mohd Taufik SQL injection Hotspots (SQLiHs) are Application’s Entry Points (AEPs) through which SQL injection is possible, subject to the application’s internal sanitization or validation capabilities. Since not all AEPs are SQLiHs, one serious challenge during testing of very large web application for detection of SQL Injection Vulnerabilities (SQLIVs) is how to reliably decide which AEPs to consider for the test and which AEPs are unnecessary? In this paper, we propose a new Pushdown Automaton (PDA) based static analysis technique for detection of SQLiHs in web applications. The goal is to produce concrete information that can reliably and confidently guide both human tester/developer and SQLIVs detection tools/techniques as to which part of the source code to concentrate their efforts during detection and fixing of SQL injection flaws in an application. The proposed technique is an integral part of an on-going research on automated method for detection and removal of SQLIVs in web application. Experimental evaluation of the method is in progress. However, preliminary results show that the proposed technique is both feasible and effective. Indian Society for Education and Environment 2016-07 Article PeerReviewed text en http://psasir.upm.edu.my/id/eprint/54163/1/Enhanced%20pushdown%20automaton%20based%20static%20analysis%20for%20detection%20of%20SQL%20injection%20Hotspots%20in%20web%20application.pdf Umar, Kabir and Md Sultan, Abu Bakar and Zulzalil, Hazura and Admodisastro, Novia Indriaty and Abdullah @ Selimun, Mohd Taufik (2016) Enhanced pushdown automaton based static analysis for detection of SQL injection Hotspots in web application. Indian Journal of Science and Technology, 9 (28). pp. 1-10. ISSN 0974-6846; ESSN: 0974-5645 http://www.indjst.org/index.php/indjst/article/view/97808 Context free grammar; Data flow path; Sensitive sink; Vulnerabilities 10.17485/ijst/2016/v9i28/97808 |
| spellingShingle | Context free grammar; Data flow path; Sensitive sink; Vulnerabilities Umar, Kabir Md Sultan, Abu Bakar Zulzalil, Hazura Admodisastro, Novia Indriaty Abdullah @ Selimun, Mohd Taufik Enhanced pushdown automaton based static analysis for detection of SQL injection Hotspots in web application |
| title | Enhanced pushdown automaton based static analysis for detection of SQL injection Hotspots in web application |
| title_full | Enhanced pushdown automaton based static analysis for detection of SQL injection Hotspots in web application |
| title_fullStr | Enhanced pushdown automaton based static analysis for detection of SQL injection Hotspots in web application |
| title_full_unstemmed | Enhanced pushdown automaton based static analysis for detection of SQL injection Hotspots in web application |
| title_short | Enhanced pushdown automaton based static analysis for detection of SQL injection Hotspots in web application |
| title_sort | enhanced pushdown automaton based static analysis for detection of sql injection hotspots in web application |
| topic | Context free grammar; Data flow path; Sensitive sink; Vulnerabilities |
| url | http://psasir.upm.edu.my/id/eprint/54163/ http://psasir.upm.edu.my/id/eprint/54163/ http://psasir.upm.edu.my/id/eprint/54163/ http://psasir.upm.edu.my/id/eprint/54163/1/Enhanced%20pushdown%20automaton%20based%20static%20analysis%20for%20detection%20of%20SQL%20injection%20Hotspots%20in%20web%20application.pdf |