Large-Scale Analysis of GitHub and CVEs to Determine Prevalence of SQL Concatenations

Kevin Dennis, Bianca Dehaan, Parisa Momeni, Gabriel Laverghetta, Jay Ligatti

2024

Abstract

SQL Injection Attacks (SQLIAs) remain one of the top security risks in modern web applications. Vulnerabilities to SQLIAs arise when unsanitized input is concatenated into dynamically constructed SQL statements. Because existing prepared statement implementations cannot insert identifiers into prepared statements, programmers have no choice but to concatenate dynamically determined identifiers directly into SQL statements. If an identifier is not sanitized before concatenation, a kind of SQLIA called a SQL Identifier Injection Attack (SQL-IDIA) is possible. To investigate the prevalence of SQL concatenations in real code, we conducted, to our knowledge, the largest analysis of open-source software to date. We crawled 4,762,175 files in 944,316 projects on GitHub to identify SQL statements constructed using concatenation and potential SQL-IDIAs. Our crawler classified 42% of Java, 91% of PHP, and 56% of C# files as constructing SQL statements via concatenation. It further found that 27% of the Java, 6% of the PHP, and 22% of the C# files flagged as containing concatenations also concatenate identifiers. Manual analysis indicates that the automated SQL-IDIA classifier achieved an overall accuracy of 93.4%. Further testing suggests approximately 22.7% of web applications may be exploitable via a SQL-IDIA. PHP applications were particularly exploitable, at 38% of applications.
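The abstract's central point is that prepared statements bind values, not identifiers, so a dynamically chosen column or table name has to be concatenated into the statement text. The following is an added example, not code from the paper or its crawler, written in Python against the standard-library sqlite3 module (the paper's corpus is Java, PHP and C#, but the driver behaviour is the same). It shows what happens when an identifier is passed as a bound parameter, the concatenation pattern the paper counts as a potential SQL-IDIA beside an allow-listed version of it, and a standard-SQL identifier quoting helper. The table, rows, column names and allow-list are constructed for the demonstration.

```python
import sqlite3

# Added example (not from the paper): why identifiers cannot be bound as
# prepared-statement parameters, and an allow-list check that makes a dynamic
# identifier safe to concatenate. All names and data below are constructed.

# Fixed set of columns the application is willing to sort by (constructed).
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "age"})


def make_db():
    """Build a constructed in-memory sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "carol", 41), (2, "alice", 29), (3, "bob", 35)],
    )
    return conn


def select_column_via_parameter(conn, column):
    """Try to select a column whose name arrives as a bound parameter.

    The driver binds the value as a string literal, not as an identifier, so
    the query returns the literal text once per row instead of the column's
    data. This is the limitation that pushes developers toward concatenation.
    """
    rows = conn.execute("SELECT ? FROM users", (column,)).fetchall()
    return [r[0] for r in rows]


def quote_identifier(name):
    """Quote an identifier the SQL-standard way: wrap in double quotes and
    double any embedded double quote. Applied only after allow-listing;
    quoting alone is not a substitute for the allow-list check."""
    return '"' + name.replace('"', '""') + '"'


def names_sorted_by_unchecked(conn, column):
    """The pattern the paper's crawler flags: an identifier concatenated
    straight into the SQL text. Whatever the caller supplies becomes part of
    the statement, including SQL syntax such as a sort direction."""
    sql = "SELECT name FROM users ORDER BY " + column
    return [r[0] for r in conn.execute(sql).fetchall()]


def names_sorted_by(conn, column):
    """Hardened form: reject anything outside the fixed allow-list, then quote.
    Concatenation still happens, but only with a value the program chose."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unknown sort column: {column!r}")
    sql = "SELECT name FROM users ORDER BY " + quote_identifier(column)
    return [r[0] for r in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print(select_column_via_parameter(db, "name"))  # ['name', 'name', 'name']
    print(names_sorted_by(db, "age"))               # ['alice', 'bob', 'carol']
```

The allow-list is the actual control: the quoting helper only prevents a legitimate name with unusual characters from being misparsed. In a larger schema the allow-list can be derived from the schema metadata at start-up rather than hard-coded, as long as the user-supplied value is still compared against that set before it is concatenated.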

Paper Citation


in Harvard Style

Dennis K., Dehaan B., Momeni P., Laverghetta G. and Ligatti J. (2024). Large-Scale Analysis of GitHub and CVEs to Determine Prevalence of SQL Concatenations. In Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT; ISBN 978-989-758-709-2, SciTePress, pages 286-297. DOI: 10.5220/0012835200003767


in Bibtex Style

@conference{secrypt24,
author={Kevin Dennis and Bianca Dehaan and Parisa Momeni and Gabriel Laverghetta and Jay Ligatti},
title={Large-Scale Analysis of GitHub and CVEs to Determine Prevalence of SQL Concatenations},
booktitle={Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2024},
pages={286-297},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012835200003767},
isbn={978-989-758-709-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - Large-Scale Analysis of GitHub and CVEs to Determine Prevalence of SQL Concatenations
SN - 978-989-758-709-2
AU - Dennis K.
AU - Dehaan B.
AU - Momeni P.
AU - Laverghetta G.
AU - Ligatti J.
PY - 2024
SP - 286
EP - 297
DO - 10.5220/0012835200003767
PB - SciTePress