{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:41:54Z","timestamp":1750308114379,"version":"3.41.0"},"reference-count":22,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2005,5,17]],"date-time":"2005-05-17T00:00:00Z","timestamp":1116288000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGSOFT Softw. Eng. Notes"],"published-print":{"date-parts":[[2005,7]]},"abstract":"<jats:p>Our dependence on web applications has steadily increased, and we continue to integrate them into our everyday routine activities. When we are making reservations, paying bills, and shopping on-line, we expect these web applications to be secure and reliable. However, as the availability of these services has increased, there has been a corresponding increase in the number and sophistication of attacks that target them. One of the most serious types of attack against web applications is SQL injection. SQL injection is a class of code-injection attacks in which user input is included in a SQL query in such a way that part of the input is treated as code. Using SQL injection, attackers can leak confidential information, such as credit card numbers, from web applications' databases and even corrupt the database. In this paper, we propose a novel technique to counter SQL-injection. The technique combines conservative static analysis and runtime monitoring to detect and stop illegal queries before they are executed on the database. In its static part, the technique builds a conservative model of the legitimate queries that could be generated by the application. In its dynamic part, the technique inspects the dynamically generated queries for compliance with the statically-built model. We also present a preliminary evaluation of the technique performed on two small web applications. The results of the evaluation are promising---our technique was able to prevent all of the attacks that we performed on the two applications.<\/jats:p>","DOI":"10.1145\/1082983.1083250","type":"journal-article","created":{"date-parts":[[2005,11,7]],"date-time":"2005-11-07T19:28:32Z","timestamp":1131391712000},"page":"1-7","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":13,"title":["Combining static analysis and runtime monitoring to counter SQL-injection attacks"],"prefix":"10.1145","volume":"30","author":[{"given":"William G. J.","family":"Halfond","sequence":"first","affiliation":[]},{"given":"Alessandro","family":"Orso","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology"}]}],"member":"320","published-online":{"date-parts":[[2005,5,17]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.5555\/829514.830533"},{"key":"e_1_2_1_2_1","unstructured":"D. Aucsmith. Creating and maintaining software that resists malicious attack. http:\/\/www.gtisc.gatech.edu\/aucsmith_bio.htm September 2004. Distinguished lecture."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-24852-1_21"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1022494.1022533"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.5555\/1760267.1760269"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.5555\/324119.324126"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.5555\/1947337.1947356"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/998675.999476"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.5555\/998675.999468"},{"volume-title":"Java Architecture for Bytecode Analysis (JABA)","year":"2004","author":"A. R. Group","key":"e_1_2_1_10_1"},{"key":"e_1_2_1_11_1","volume-title":"Writing Secure Code","author":"Howard M.","year":"2003","edition":"2"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/775152.775174"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/988672.988679"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948146"},{"key":"e_1_2_1_15_1","first-page":"121","volume-title":"Proceedings of the 12th USENIX Security Symposium","author":"Larson E.","year":"2003"},{"key":"e_1_2_1_16_1","unstructured":"O. Maor and A. Shulman. Sql injection signatures evasion. http:\/\/www.imperva.com\/application_defense_center\/white_papers\/sql_inje%ction_signatures_evasion.html April 2004. White paper."},{"key":"e_1_2_1_17_1","unstructured":"S. McDonald. Sql injection: Modes of attack defense and why it matters. http:\/\/www.governmentsecurity.org\/articles\/SQLInjectionModesofAttackDef%enceandWhyItMatters.php April 2004. White paper."},{"key":"e_1_2_1_18_1","unstructured":"OWASPD - Open Web Application Security Project. Top ten most critical web application vulnerabilities. http:\/\/www.owasp.org\/documentation\/topten.html 2005."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/511446.511498"},{"key":"e_1_2_1_20_1","unstructured":"SecuriTeam. Sql injection walkthrough. http:\/\/www.securiteam.com\/securityreviews\/5DPON1P76E.html May 2002. White paper."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.5555\/882495.884434"},{"key":"e_1_2_1_22_1","first-page":"70","volume-title":"Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004)","author":"Wassermann G.","year":"2004"}],"container-title":["ACM SIGSOFT Software Engineering Notes"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1082983.1083250","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1082983.1083250","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T16:08:14Z","timestamp":1750262894000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1082983.1083250"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2005,5,17]]},"references-count":22,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2005,7]]}},"alternative-id":["10.1145\/1082983.1083250"],"URL":"https:\/\/doi.org\/10.1145\/1082983.1083250","relation":{"is-identical-to":[{"id-type":"doi","id":"10.1145\/1083246.1083250","asserted-by":"subject"}]},"ISSN":["0163-5948"],"issn-type":[{"type":"print","value":"0163-5948"}],"subject":[],"published":{"date-parts":[[2005,5,17]]},"assertion":[{"value":"2005-05-17","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}