1 research outputs found
You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications
SQL injection (SQLi) attacks pose a significant threat to the security of web
applications. Existing approaches do not support object-oriented programming
that renders these approaches unable to protect the real-world web apps such as
Wordpress, Joomla, or Drupal against SQLi attacks. We propose a novel hybrid
static-dynamic analysis for PHP web applications that limits each PHP function
for accessing the database. Our tool, SQLBlock, reduces the attack surface of
the vulnerable PHP functions in a web application to a set of query descriptors
that demonstrate the benign functionality of the PHP function. We implement
SQLBlock as a plugin for MySQL and PHP. Our approach does not require any
modification to the web app. W evaluate SQLBlock on 11 SQLi vulnerabilities in
Wordpress, Joomla, Drupal, Magento, and their plugins. We demonstrate that
SQLBlock successfully prevents all 11 SQLi exploits with negligible performance
overhead (i.e., a maximum of 3% on a heavily-loaded web server)Comment: Accepted in ASIACCS 202