
Authors: António Silvestre, Ibéria Medeiros and Andreia Mordido

Affiliation: LASIGE, Departamento de Informática, Faculdade de Ciências, Universidade de Lisboa, Portugal

Keyword(s): SQL Injection Vulnerabilities, Session Types, Type Checking, Static Analysis, Software Security.

Abstract: Vulnerabilities in web applications pose a risk for organisations. Among them, SQL injections (SQLi) give the attacker access to private data by submitting malicious SQL queries to the database via unvalidated entry points. Although there are various techniques for detecting SQLi, static analysis is widely used as it inspects the application code without executing it. However, static analysis tools are not always precise. In this work, we explore an avenue that links the detection of SQLi to type checking, thus providing stronger guarantees of their existence. We propose a novel approach which consists of interpreting the behaviour of a web application as if it were a communication protocol and uses session types to specify this behaviour. We leverage FreeST, a functional programming language for session types, to implement FREESQLI, a seminal detector of SQLi in PHP web applications. The tool translates the PHP code into FreeST code and capitalizes on FreeST's type checker to verify protocol adherence and detect inconsistencies associated with the presence of SQLi.

CC BY-NC-ND 4.0


Paper citation in several formats:
Silvestre, A., Medeiros, I. and Mordido, A. (2024). Towards a SQL Injection Vulnerability Detector Based on Session Types. In Proceedings of the 19th International Conference on Evaluation of Novel Approaches to Software Engineering - ENASE; ISBN 978-989-758-696-5; ISSN 2184-4895, SciTePress, pages 711-718. DOI: 10.5220/0012732500003687

@conference{enase24,
author={António Silvestre and Ibéria Medeiros and Andreia Mordido},
title={Towards a SQL Injection Vulnerability Detector Based on Session Types},
booktitle={Proceedings of the 19th International Conference on Evaluation of Novel Approaches to Software Engineering - ENASE},
year={2024},
pages={711-718},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012732500003687},
isbn={978-989-758-696-5},
issn={2184-4895},
}

TY - CONF

JO - Proceedings of the 19th International Conference on Evaluation of Novel Approaches to Software Engineering - ENASE
TI - Towards a SQL Injection Vulnerability Detector Based on Session Types
SN - 978-989-758-696-5
IS - 2184-4895
AU - Silvestre, A.
AU - Medeiros, I.
AU - Mordido, A.
PY - 2024
SP - 711
EP - 718
DO - 10.5220/0012732500003687
PB - SciTePress