Automatic Whitelist Generation for SQL Queries Using Web Application Tests
| Field | Value |
|---|---|
| Title | Automatic Whitelist Generation for SQL Queries Using Web Application Tests |
| Publication Type | Conference Paper |
| Year of Publication | 2019 |
| Authors | Nomura, Komei; Rikitake, Kenji; Matsumoto, Ryosuke |
| Conference Name | 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC) |
| Keywords | application-specific implementations, automated generation, Automatic testing, automatic whitelist generation, blacklisting, Collaboration, composability, confidential information, Database Security, Databases, development process, Human Behavior, Internet, large-scale Web applications, legitimate queries, Metrics, policy-based governance, privacy, pubcrawl, query detection, query patterns, query processing, Registers, relational database security, relational databases, research and development, resilience, Resiliency, security of data, severe vulnerability issue, SQL, SQL detection, SQL Injection, SQL queries, Web application test, Web application tests, Whitelist, Whitelists |
| Abstract | Stealing confidential information from a database has become a severe vulnerability issue for web applications. Such attacks can be prevented by defining a whitelist of the SQL queries a web application issues and detecting queries that are not in the list. For large-scale web applications, the whitelist is generated automatically, because manually defining the numerous query patterns is impractical for developers. Conventional methods for automated generation cannot detect attacks immediately, because collecting legitimate queries takes a long time. Moreover, they require application-specific implementations, which reduces the versatility of the methods. As described herein, we propose a method that generates a whitelist automatically from the queries issued during web application tests. Because it uses the queries generated during application tests, the proposed method is independent of any specific application, which yields improved timeliness against attacks and versatility across multiple applications. |
| DOI | 10.1109/COMPSAC.2019.10250 |
| Citation Key | nomura_automatic_2019 |