Authors: Kevin Dennis; Bianca Dehaan; Parisa Momeni; Gabriel Laverghetta and Jay Ligatti
Affiliation:
Computer Science and Engineering, University of South Florida, Tampa, Florida, U.S.A.
Keyword(s):
Security Metrics, Web Applications, Structured Query Language, Code Injection Attacks.
Abstract:
SQL Injection Attacks (SQLIAs) remain one of the top security risks in modern web applications. Vulnerabilities to SQLIAs arise when unsanitized input is concatenated into dynamically constructed SQL statements. Because existing prepared statement implementations cannot bind identifiers (table and column names) as parameters, programmers have no choice but to concatenate dynamically determined identifiers directly into SQL statements. If an identifier is not sanitized before concatenation, a kind of SQLIA called a SQL Identifier Injection Attack (SQL-IDIA) is possible. To investigate the prevalence of SQL concatenations in real code, we conducted, to our knowledge, the largest analysis of open-source software to date. We crawled 4,762,175 files in 944,316 projects on GitHub to identify SQL statements constructed using concatenation and potential SQL-IDIAs. Our crawler classified 42% of Java, 91% of PHP, and 56% of C# files as constructing SQL statements via concatenation. It further found that 27% of the Java, 6% of the PHP, and 22% of the C# files with such concatenations include identifiers in the concatenated statements. Manual analysis indicates that the automated SQL-IDIA classifier achieved an overall accuracy of 93.4%. Further testing suggests approximately 22.7% of web applications may be exploitable via a SQL-IDIA. PHP applications were particularly exploitable, at 38% of applications.
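The mechanism the abstract describes, as an added example that is not code from the paper or its crawler: a placeholder cannot stand in for a table name, so a query with a dynamic identifier must be built by concatenation; an unsanitized concatenation is a SQL-IDIA sink, and the hardened form allowlists the identifier and delimits it before concatenating. The in-memory SQLite schema, the sample rows, the `api_keys` table, the allowlist contents and all function names are assumptions made for illustration.

```python
import sqlite3

# Assumed allowlist of identifiers the application legitimately uses (example only).
ALLOWED_TABLES = {"public_users", "archived_users"}


def make_db():
    """Build an in-memory database from constructed sample data, not data from the paper."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE public_users (username TEXT);
        INSERT INTO public_users VALUES ('alice'), ('bob');
        CREATE TABLE archived_users (username TEXT);
        CREATE TABLE api_keys (secret TEXT);
        INSERT INTO api_keys VALUES ('sk-live-0001');
        """
    )
    return con


def identifier_cannot_be_bound(con):
    """Placeholders bind values only: a '?' in table position is a syntax error.
    This is why code that needs a dynamic identifier falls back to concatenation."""
    try:
        con.execute("SELECT username FROM ?", ("public_users",))
    except sqlite3.OperationalError:
        return True
    return False


def list_users_vulnerable(con, table):
    """SQL-IDIA sink: the caller-supplied identifier is concatenated unsanitized."""
    sql = "SELECT username FROM " + table
    return [row[0] for row in con.execute(sql)]


def quote_identifier(name):
    """Delimit an identifier with double quotes, doubling any embedded quote
    (standard SQL delimited-identifier syntax). Quoting makes the whole string
    parse as one identifier; it is the second layer behind the allowlist."""
    return '"' + name.replace('"', '""') + '"'


def list_users_hardened(con, table):
    """Check the identifier against the allowlist, then quote it before concatenation."""
    if table not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % (table,))
    sql = "SELECT username FROM " + quote_identifier(table)
    return [row[0] for row in con.execute(sql)]


def hardened_rejects(con, table):
    """True when the hardened query refuses the identifier."""
    try:
        list_users_hardened(con, table)
    except ValueError:
        return True
    return False


def quoting_alone_blocks(con, payload):
    """Even without the allowlist, a quoted payload is looked up as a single
    (nonexistent) table name instead of being parsed as extra SQL."""
    try:
        con.execute("SELECT username FROM " + quote_identifier(payload))
    except sqlite3.OperationalError:  # no such table
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Attacker-controlled "table name" that smuggles a second SELECT into identifier position.
    payload = "public_users UNION ALL SELECT secret FROM api_keys"
    print("identifier bindable via placeholder:", not identifier_cannot_be_bound(db))
    print("vulnerable query result:", list_users_vulnerable(db, payload))  # leaks the API key
    print("hardened query rejects payload:", hardened_rejects(db, payload))
    print("quoting alone blocks payload:", quoting_alone_blocks(db, payload))
```

The allowlist is the primary control: the set of tables and columns a query can legitimately target is known at development time, so a dynamic identifier should be mapped onto that set rather than validated by pattern. Quoting is kept as a second layer because it converts any identifier that slips past the allowlist into a parse-level lookup of a single name, which fails closed instead of executing attacker SQL.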