Visible to the public Biblio

Filters: Author is Goldgof, Dmitry  [Clear All Filters]
2020-02-10
Cetin, Cagri, Goldgof, Dmitry, Ligatti, Jay.  2019.  SQL-Identifier Injection Attacks. 2019 IEEE Conference on Communications and Network Security (CNS). :151–159.
This paper defines a class of SQL-injection attacks that are based on injecting identifiers, such as table and column names, into SQL statements. An automated analysis of GitHub shows that 15.7% of 120,412 posted Java source files contain code vulnerable to SQL-Identifier Injection Attacks (SQL-IDIAs). We have manually verified that some of the 18,939 Java files identified during the automated analysis are indeed vulnerable to SQL-ID IAs, including deployed Electronic Medical Record software for which SQL-IDIAs enable discovery of confidential patient information. Although prepared statements are the standard defense against SQL injection attacks, existing prepared-statement APIs do not protect against SQL-IDIAs. This paper therefore proposes and evaluates an extended prepared-statement API to protect against SQL-IDIAs.