On automated prepared statement generation to remove SQL injection vulnerabilities

Published: 01 March 2009

Abstract

Since 2002, SQL injection vulnerabilities (SQLIVs) have accounted for over 10% of all reported cyber vulnerabilities. This paper presents an algorithm for prepared statement replacement, which removes SQLIVs by replacing dynamically assembled SQL statements with prepared statements. A prepared statement has a static structure: the query text is fixed before any user-supplied value is bound, so attacker input is handled as data and cannot change the logical structure of the statement. We created a prepared statement replacement algorithm and a corresponding tool for automated fix generation, and conducted four case studies of open source projects to evaluate the capability of the algorithm and its automation. The empirical results show that the generated prepared statement code correctly replaced 94% of the SQLIVs in these projects.
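The mechanism the abstract relies on, shown as an added example that is not the paper's tool or its generated code (the page shows neither). The block is written in Python against the standard-library sqlite3 module, which is an assumption about the database layer; the names `Var`, `to_prepared`, `lookup_vulnerable`, `lookup_prepared` and `parameterizable` are the example's own. It assumes the concatenated query has already been decomposed into literal fragments and variables (recovering that from source code is the part of the paper's algorithm the page does not describe) and rewrites it into a parameterized statement plus an ordered list of bindings, dropping the quotes the concatenation placed around each value. It then runs the concatenated and the prepared form against a constructed in-memory table with a classic tautology payload, and finally checks that a rewrite is only possible where the database accepts a placeholder: a value in an identifier position (here a table name) cannot be bound, which is a general limit of prepared statements, not a statement about which cases the paper's tool handled.

```python
"""Added example (not the paper's tool): prepared-statement replacement in
miniature, using Python's standard sqlite3 module as the database layer."""
import sqlite3
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Var:
    """Marks a non-literal fragment (an application variable) in a query that
    was assembled by string concatenation."""
    name: str


Fragment = Union[str, Var]


def to_prepared(fragments: List[Fragment]) -> Tuple[str, List[str]]:
    """Rewrite a concatenation of SQL literals and Var markers into
    (parameterized SQL, ordered list of variable names to bind).

    Every Var becomes a '?' placeholder. When the literal fragments wrap the
    variable in single quotes (... = 'VAR' ...) the quotes are dropped: a bound
    parameter carries its own typing and quoting, and keeping them would make
    the column compare against the literal text "'value'".
    """
    sql: List[str] = []
    params: List[str] = []
    strip_leading_quote = False
    for i, frag in enumerate(fragments):
        if isinstance(frag, str):
            if strip_leading_quote and frag.startswith("'"):
                frag = frag[1:]
            strip_leading_quote = False
            sql.append(frag)
            continue
        nxt = fragments[i + 1] if i + 1 < len(fragments) else None
        quoted = (bool(sql) and sql[-1].endswith("'")
                  and isinstance(nxt, str) and nxt.startswith("'"))
        if quoted:
            sql[-1] = sql[-1][:-1]      # drop the opening quote
            strip_leading_quote = True  # and the closing one on the next literal
        sql.append("?")
        params.append(frag.name)
    return "".join(sql), params


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# The 'before' shape: the value is spliced into the query text, so a quote in
# the input closes the string literal and the rest of the input becomes SQL.
LOOKUP: List[Fragment] = [
    "SELECT username FROM users WHERE username = '", Var("name"), "'"]


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Runs the concatenated query exactly as the original code would."""
    sql = "".join(name if isinstance(f, Var) else f for f in LOOKUP)
    return sorted(row[0] for row in conn.execute(sql))


def lookup_prepared(conn: sqlite3.Connection, name: str) -> List[str]:
    """Runs the rewritten query; the input is bound, never parsed as SQL."""
    sql, params = to_prepared(LOOKUP)
    values = {"name": name}
    rows = conn.execute(sql, [values[p] for p in params])
    return sorted(row[0] for row in rows)


def parameterizable(conn: sqlite3.Connection, sql: str, params: List[str]) -> bool:
    """Check that a rewritten statement still compiles. SQLite parses the
    statement before any value is bound, so a '?' in an identifier position
    (table or column name, ORDER BY column) is rejected as a syntax error.
    Binding None into a read-only SELECT has no side effects."""
    try:
        conn.execute(sql, [None] * len(params))
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"   # classic tautology payload
    print("concatenated:", lookup_vulnerable(db, payload))   # both users
    print("prepared:    ", lookup_prepared(db, payload))     # no match
    print(to_prepared(LOOKUP))
    # An identifier cannot be parameterized; a rewriter must flag this case
    # rather than emit a statement that will not compile.
    print(parameterizable(db, *to_prepared(["SELECT * FROM ", Var("table")])))
```

The quote stripping is the step that is easy to get wrong when converting by hand: binding the value while leaving `'...'` around the placeholder silently compares against a quoted string and breaks the query's meaning without ever raising an error. The final check is the caveat a practitioner wants before trusting any automated rewrite: placeholders only stand in for values, so table names, column names and sort directions that come from user input still need an allow-list, not a parameter.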

Published In

Information and Software Technology, Volume 51, Issue 3, March 2009 (124 pages)

Publisher

Butterworth-Heinemann

United States

Author Tags

  1. Fix automation
  2. Prepared statement
  3. SQL injection

Qualifiers

  • Article

Cited By

  • (2025) DCAFixer: An Automatic Tool for Bug Detection and Repair for Database Java Client Applications. IEEE Transactions on Dependable and Secure Computing 22(1):327-342. doi:10.1109/TDSC.2024.3396667. Online publication date: 1 Jan 2025.
  • (2023) Insecurity Refactoring. Computers and Security 128(C). doi:10.1016/j.cose.2023.103121. Online publication date: 1 May 2023.
  • (2022) TAFFIES: Tailored Automated Feedback Framework for Developing Integrated and Extensible Feedback Systems. SN Computer Science 3(2). doi:10.1007/s42979-022-01034-y. Online publication date: 10 Feb 2022.
  • (2020) Automatic repair of OWASP Top 10 security vulnerabilities. Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops, pp. 23-30. doi:10.1145/3387940.3392200. Online publication date: 27 Jun 2020.
  • (2018) Investigation framework of web applications vulnerabilities, attacks and protection techniques in structured query language injection attacks. International Journal of Wireless and Mobile Computing 14(2):103-122. doi:10.1504/IJWMC.2018.091137. Online publication date: 1 Jan 2018.
  • (2016) SQLiGoT. Computers and Security 60(C):206-225. doi:10.1016/j.cose.2016.04.005. Online publication date: 1 Jul 2016.
  • (2015) SQLPIL. Security and Communication Networks 8(15):2545-2560. doi:10.1002/sec.1199. Online publication date: 1 Oct 2015.
  • (2014) Measuring the effectiveness of output filtering against SQL injection attacks. Proceedings of the 2014 ACM Southeast Conference, pp. 1-6. doi:10.1145/2638404.2638457. Online publication date: 28 Mar 2014.
  • (2014) Search-based security testing of web applications. Proceedings of the 7th International Workshop on Search-Based Software Testing, pp. 5-14. doi:10.1145/2593833.2593835. Online publication date: 2 Jun 2014.
  • (2013) Automated Insertion of Exception Handling for Key and Referential Constraints. Journal of Database Management 24(1):1-19. doi:10.4018/jdm.2013010101. Online publication date: 1 Jan 2013.
