Augmented attack tree modeling of SQL injection attacks
conference contributionposted on 05.08.2010 by Jie Wang, Raphael C.-W. Phan, John N. Whitley, David Parish
Any type of content contributed to an academic conference, such as papers, presentations, lectures or proceedings.
The SQL injection attacks (SQLIAs) vulnerability is extremely widespread and poses a serious security threat to web applications with built-in access to databases. The SQLIA adversary intelligently exploits the SQL statement parsing operation by web servers via specially constructed SQL statements that subtly lead to non-explicit executions or modifications of corresponding database tables. In this paper, we present a formal and methodical way of modeling SQLIAs by way of augmented attack trees. This modeling explicitly captures the particular subtle incidents triggered by SQLIA adversaries and corresponding state transitions. To the best of our knowledge, this is the first known attack tree modelling of SQL injection attacks.
- Mechanical, Electrical and Manufacturing Engineering