[WEB SECURITY] Automatically Preparing Safe SQL Queries
venkat at cs.uic.edu
Wed Jun 16 19:32:32 EDT 2010
We'd like to announce an important and exciting result from my research group at the University of Illinois at Chicago that will be of interest to this community. This work addresses a long-standing open problem in web security.
The recommended defense for eliminating SQL injection from web applications is the use of PREPARE statements. The process of converting a web application's source code to make use of PREPARE statements has so far been through human labor, typically done by developers. The question of whether it is possible to come up with a correct method that would enable a computer program to do this source conversion automatically has so far remained open.
In our recent work, we have developed a method to address this long-standing problem. Our method develops a novel algorithm based on symbolic execution to do the conversion. A paper that describes this technology appeared recently in the Financial Crypto & Data Security (FC'10) conference, and a copy can be found here: http://cs.uic.edu/~venkat/research/papers/Taps-fc10.pdf
A tool called TAPS has been developed as part of this research. The tool takes as input a PHP-based web application and converts all its SQL query locations into PREPARE statements. Try a demo of TAPS online at http://sisl.rites.uic.edu/rearch/index.html
A test harness with many tricky PHP code snippets is available at the above site that illustrates how the tool works. TAPS has been applied to successfully transform several open source apps.
We can now claim that push-button technology is available to eliminate SQL injection from web applications!
TAPS is part of the doctoral dissertation work of my PhD advisee Prithvi Bisht, who is also cc'd on this email. We solicit your feedback and comments.
University of Illinois at Chicago
venkat at uic.edu
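As an added illustration of the rewriting idea described in the post (this is not TAPS's code or its algorithm, and it says nothing about how TAPS handles PHP internally), the toy Python below tracks how a query string is assembled from developer-written SQL text and input-derived data, then emits a PREPARE-style template with `?` placeholders and the list of values to bind. The one edge case it handles is the quoting the developer put around string data in the original concatenation, which must be dropped because the placeholder carries the typing; the `Lit`/`Data` classes and `example_query` are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Lit:
    """Query text that came from the program source itself."""
    text: str


@dataclass(frozen=True)
class Data:
    """A value that came from input; it must become a bound parameter."""
    value: str


Fragment = Union[Lit, Data]


def build_prepared(fragments: List[Fragment]) -> Tuple[str, List[str]]:
    """Rewrite a symbolic query (literal and data pieces in order) into a
    parameterised template plus the values to bind, in placeholder order."""
    template: List[str] = []
    params: List[str] = []
    strip_leading_quote = False  # set after a Data piece that sat inside '...'
    for frag in fragments:
        if isinstance(frag, Lit):
            text = frag.text
            if strip_leading_quote:
                if not text.startswith("'"):
                    raise ValueError("unbalanced quote around data fragment")
                text = text[1:]  # the closing quote belonged to the old concatenation
                strip_leading_quote = False
            template.append(text)
        else:
            if template and template[-1].endswith("'"):
                template[-1] = template[-1][:-1]  # drop the developer's opening quote
                strip_leading_quote = True
            template.append("?")
            params.append(frag.value)
    if strip_leading_quote:
        raise ValueError("unbalanced quote around data fragment")
    return "".join(template), params


def example_query(name: str, age: str) -> Tuple[str, List[str]]:
    """Constructed example modelled on the classic PHP concatenation
    "SELECT * FROM users WHERE name='" . $name . "' AND age > " . $age"""
    return build_prepared([
        Lit("SELECT * FROM users WHERE name='"), Data(name),
        Lit("' AND age > "), Data(age),
    ])
```

Because the quote in a name such as O'Brien ends up in the bound value rather than in the query text, it can no longer alter the statement's structure.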