English

You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications

Cryptography and Security 2020-07-14 v3

Abstract

SQL injection (SQLi) attacks pose a significant threat to the security of web applications. Existing approaches do not support object-oriented programming that renders these approaches unable to protect the real-world web apps such as Wordpress, Joomla, or Drupal against SQLi attacks. We propose a novel hybrid static-dynamic analysis for PHP web applications that limits each PHP function for accessing the database. Our tool, SQLBlock, reduces the attack surface of the vulnerable PHP functions in a web application to a set of query descriptors that demonstrate the benign functionality of the PHP function. We implement SQLBlock as a plugin for MySQL and PHP. Our approach does not require any modification to the web app. W evaluate SQLBlock on 11 SQLi vulnerabilities in Wordpress, Joomla, Drupal, Magento, and their plugins. We demonstrate that SQLBlock successfully prevents all 11 SQLi exploits with negligible performance overhead (i.e., a maximum of 3% on a heavily-loaded web server)

Cite

@article{arxiv.2006.11996,
  title  = {You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications},
  author = {Rasoul Jahanshahi and Adam Doupé and Manuel Egele},
  journal= {arXiv preprint arXiv:2006.11996},
  year   = {2020}
}

Comments

Accepted in ASIACCS 2020

R2 v1 2026-06-23T16:30:23.415Z