Free Online Productivity Tools
i2Speak
i2Symbol
i2OCR
iTex2Img
iWeb2Print
iWeb2Shot
i2Type
iPdf2Split
iPdf2Merge
i2Bopomofo
i2Arabic
i2Style
i2Image
i2PDF
iLatex2Rtf
Sci2ools
ICSE
2009
IEEE-ACM
2009
IEEE-ACM
Automatic creation of SQL Injection and cross-site scripting attacks
We present a technique for finding security vulnerabilities in Web applications. SQL Injection (SQLI) and crosssite scripting (XSS) attacks are widespread forms of attack in which the attacker crafts the input to the application to access or modify user data and execute malicious code. In the most serious attacks (called second-order, or persistent, XSS), an attacker can corrupt a database so as to cause subsequent users to execute malicious code. This paper presents an automatic technique for creating inputs that expose SQLI and XSS vulnerabilities. The technique generates sample inputs, symbolically tracks taints through execution (including through database accesses), and mutates the inputs to produce concrete exploits. Ours is the first analysis of which we are aware that precisely addresses second-order XSS attacks. Our technique creates real attack vectors, has few false positives, incurs no runtime overhead for the deployed application, works without requiring modification o...
Real-time TrafficRelated Content
| Added | 20 May 2010 |
| Updated | 20 May 2010 |
| Type | Conference |
| Year | 2009 |
| Where | ICSE |
| Authors | Adam Kiezun, Philip J. Guo, Karthick Jayaraman, Michael D. Ernst |
Comments (0)
Researcher Info
|
