dc.contributor.author |
Hamdan, Fatima Sami. |
dc.date.accessioned |
2013-10-02T09:24:34Z |
dc.date.available |
2013-10-02T09:24:34Z |
dc.date.issued |
2012 |
dc.identifier.uri |
http://hdl.handle.net/10938/9441 |
dc.description |
Thesis (M.E.)--American University of Beirut, Department of Electrical and Computer Engineering, 2012. |
dc.description |
Advisor: Dr. Hassan Artail, Professor, Electrical and Computer Engineering--Co-Advisor: Dr. Wassim Masri, Associate Professor, Electrical and Computer Engineering--Committee Member: Dr. Hazem Hajj, Associate Professor, Electrical and Computer Engineering. |
dc.description |
Includes bibliographical references (leaves 54-56) |
dc.description.abstract |
SQL Injection Attacks (SQLIAs) aim at exploiting vulnerabilities in web applications in order to execute malicious SQL commands. It is established that prepared statements are resilient to SQLIAs, but unfortunately their use is not as pervasive as it should be. This thesis presents SQLPIL (SQL injection Prevention by Input Labeling), an effective and light semi-automated tool that leverages prepared statements to defeat SQLIAs. SQLPIL proceeds as follows: 1) the subject web application is instrumented; 2) at runtime, the (secured) instrumented application ensures that user inputs reaching the SQL query strings are labeled; and 3) the query strings to be executed are analyzed at runtime in order to identify the parts that originated from inputs and accordingly generate and execute safe prepared statements. We provide two implementations of SQLPIL, one for the Java platform and another for ASP.NET. We empirically evaluated our Java implementation using a benchmark that includes five JSP commercial applications and a large number of attacks and legitimate queries. The results were promising: all 1000 attacks were prevented, and all 1000 legitimate runs executed successfully; in other words, the technique exhibited no false alarms when applied to typical applications. Also, the runtime cost averaged 6.5%. Relying on the resilience of prepared statements to defeat SQLIAs was shown to be a successful approach, and the overhead of achieving that through the use of a tool such as SQLPIL was shown to be acceptable. |
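The three steps in the abstract (instrument, label inputs, rewrite the final query string into a prepared statement) can be illustrated with a small worked example. The code below is an added illustration of that idea and is not SQLPIL's own code; the thesis implements it for Java/JSP and ASP.NET, while this example uses Python and SQLite so it runs stand-alone. The sentinel-character labeling scheme, the quote-stripping rule, the sample table and the function names (`label`, `to_prepared`, `vulnerable_login`, `labeled_login`) are all assumptions made for the example, not details taken from the thesis.

```python
import sqlite3

# Sentinel characters that label every user-supplied value (assumed scheme;
# the abstract does not describe SQLPIL's actual label encoding). Private-use
# code points are used because legitimate input should never contain them.
LABEL_START = "\ue000"
LABEL_END = "\ue001"


def label(user_input: str) -> str:
    """Instrumentation hook: wrap a value at the point it enters the application."""
    # Strip any sentinel the client may have sent so it cannot forge a label boundary.
    cleaned = user_input.replace(LABEL_START, "").replace(LABEL_END, "")
    return LABEL_START + cleaned + LABEL_END


def to_prepared(query: str):
    """Turn a labeled query string into (template, params).

    Every labeled region becomes one '?' bind parameter. If the application
    wrote the region inside single quotes ("... = '" + x + "'"), the quotes
    are dropped so the placeholder is a bare parameter, not text inside a
    string literal. Everything outside a label is trusted and copied verbatim.
    """
    parts, params, i = [], [], 0
    while True:
        s = query.find(LABEL_START, i)
        if s == -1:
            parts.append(query[i:])
            break
        e = query.find(LABEL_END, s + 1)
        if e == -1:
            raise ValueError("unterminated input label in query")
        before, value, after = query[i:s], query[s + 1:e], e + 1
        if before.endswith("'") and query.startswith("'", after):
            before, after = before[:-1], after + 1
        parts.extend([before, "?"])
        params.append(value)
        i = after
    return "".join(parts), tuple(params)


def _db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def vulnerable_login(username: str, password: str):
    """Uninstrumented code: raw string concatenation straight into execute()."""
    conn = _db()
    q = ("SELECT name FROM users WHERE name = '" + username +
         "' AND pw = '" + password + "'")
    rows = [r[0] for r in conn.execute(q)]
    conn.close()
    return rows


def labeled_login(username: str, password: str):
    """Same concatenation, but inputs are labeled where they enter and the
    query is rewritten into a prepared statement just before execution."""
    conn = _db()
    q = ("SELECT name FROM users WHERE name = '" + label(username) +
         "' AND pw = '" + label(password) + "'")
    template, params = to_prepared(q)
    rows = [r[0] for r in conn.execute(template, params)]
    conn.close()
    return template, params, rows


if __name__ == "__main__":
    # Injection closes the literal and comments out the password check.
    print(vulnerable_login("alice' --", "wrong"))  # ['alice']
    # With labeling, the same payload is bound as data and matches nothing.
    print(labeled_login("alice' --", "wrong"))     # (..., ..., [])
    print(labeled_login("alice", "s3cret"))        # (..., ..., ['alice'])
```

The rewrite only works where the labeled region sits in a position a bind parameter can occupy (a string or numeric literal); a labeled value used as a table or column name, or spliced into the middle of a LIKE pattern, cannot become a `?` and would need separate handling, which is one reason a tool of this kind is evaluated for false alarms on real applications as the abstract describes.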
dc.format.extent |
xiii, 56 leaves : ill. ; 30 cm. |
dc.language.iso |
eng |
dc.relation.ispartof |
Theses, Dissertations, and Projects |
dc.subject.classification |
ET:005748 AUBNO |
dc.subject.lcsh |
SQL (Computer program language). |
dc.subject.lcsh |
SQL server. |
dc.subject.lcsh |
Client-server computing. |
dc.subject.lcsh |
Computer security. |
dc.subject.lcsh |
Web sites. |
dc.title |
Labeling user inputs to prevent SQL injection attacks |
dc.type |
Thesis |
dc.contributor.department |
American University of Beirut. Faculty of Engineering and Architecture. Department of Electrical and Computer Engineering. |