Development of a String Injection Vulnerability Analyzer for Web Application Programs


The KIPS Transactions:PartA, Vol. 15, No. 3, pp. 181-188, Jun. 2008
DOI: 10.3745/KIPSTA.2008.15.3.181

Abstract

Nowadays, most web sites are developed using dynamic web pages, where pages are generated and transmitted by web application programs. Therefore, the proportion of attacks that inject malicious strings into vulnerable web applications is increasing. In this paper, we present a static program analyzer that determines whether a web application program is vulnerable to SQL injection and cross-site scripting (XSS) attacks. To analyze programs within the abstract interpretation framework, we designed an abstract domain that models the set of potential strings along with excluded strings, and developed an abstract interpreter for the PHP language. Based on these, we implemented a static analyzer. According to our experiments, our analyzer has competitive analysis speed and accuracy compared with related research results.


Cite this article
[IEEE Style]
J. S. Ahn, Y. M. Kim, J. W. Jo, "Development of a String Injection Vulnerability Analyzer for Web Application Programs," The KIPS Transactions:PartA, vol. 15, no. 3, pp. 181-188, 2008. DOI: 10.3745/KIPSTA.2008.15.3.181.

[ACM Style]
Joon Seon Ahn, Yeong Min Kim, and Jang Wu Jo. 2008. Development of a String Injection Vulnerability Analyzer for Web Application Programs. The KIPS Transactions:PartA, 15, 3, (2008), 181-188. DOI: 10.3745/KIPSTA.2008.15.3.181.