Sciweavers

TSE
2008

WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation

14 years 10 days ago
WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation
Many software systems have evolved to include a Web-based component that makes them available to the public via the Internet and can expose them to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases that underlie Web applications and has become increasingly frequent and serious. This paper presents a new highly automated approach for protecting Web applications against SQL injection that has both conceptual and practical advantages over most existing techniques. From a conceptual standpoint, the approach is based on the novel idea of positive tainting and on the concept of syntax-aware evaluation. From a practical standpoint, our technique is precise and efficient, has minimal deployment requirements, and incurs a negligible performance overhead in most cases. We have implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool, which we used to perform an empirical evaluation on ...
William G. J. Halfond, Alessandro Orso, Pete Manol
Added 15 Dec 2010
Updated 15 Dec 2010
Type Journal
Year 2008
Where TSE
Authors William G. J. Halfond, Alessandro Orso, Pete Manolios
Comments (0)