Detecting SQL Injection Vulnerabilities Using FreeST

Bibliographic Details
Main Author: Silvestre, António Rebelo Mendes
Publication Date: 2024
Format: Master thesis
Language: eng
Source: Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
Download full: http://hdl.handle.net/10400.5/95868
Summary: Tese de mestrado, Segurança Informática , 2024, Universidade de Lisboa, Faculdade de Ciências
id RCAP_2d853d99af8c407a5d605260676e702c
oai_identifier_str oai:repositorio.ulisboa.pt:10400.5/95868
network_acronym_str RCAP
network_name_str Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
repository_id_str https://opendoar.ac.uk/repository/7160
spelling Detecting SQL Injection Vulnerabilities Using FreeSTVulnerabilidades de Injeção SQLTipos de SessãoVerificação de TiposAnálise EstáticaSegurança de SoftwareTeses de mestrado - 2024Departamento de InformáticaTese de mestrado, Segurança Informática , 2024, Universidade de Lisboa, Faculdade de CiênciasWeb applications are integral to modern life, facilitating access to essential services. However, their handling of sensitive information makes them prime targets for attackers, particularly through vulnerabilities such as SQL injections (SQLi). SQLi exploits allow attackers to submit malicious SQL queries through invalidated entry points in web applications, compromising data security. To mitigate these vulnerabilities, various tools have been developed to automatically detect them during the development process, with static analysis being a prevalent approach. However, traditional static analysis tools often face limitations, such as high false positive rates and difficulties adapting to new functions and frameworks. This dissertation introduces a novel static analysis technique designed to address these limitations by leveraging session types, which allow the specification and verification of communication protocols between different parties (in our case, the server, client, and database). Our approach focuses on PHP, the most widely used server-side language for web development. It involves two distinct phases: a translation phase, where the PHP source code is translated into FreeST, a strongly typed language that implements session types, and a vulnerability detection phase, where our tool uses the FreeST compiler to verify protocol adherence and detect inconsistencies indicative of SQLi vulnerabilities. The effectiveness of this approach is demonstrated through a proof-of-concept implementation in the FREESQLI prototype. FREESQLI was evaluated using a dataset of small programs from NIST SARD and a smaller dataset with specific cases involving vulnerabilities within conditional statements. Overall, the effectiveness of our tool was excellent in both standard and specific cases. This dissertation contributes to the field of computer security by introducing a novel approach that utilizes session types for SQLi detection, a method for translating PHP into FreeST, a customizable function set for the tool, and an open-source tool capable of detecting SQLi vulnerabilities.Rodrigues, Andreia Filipa Torcato MordidoMedeiros, Ibéria Vitória de Sousa, 1971-Repositório da Universidade de LisboaSilvestre, António Rebelo Mendes2024-12-02T18:25:04Z202420242024-01-01T00:00:00Zinfo:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/masterThesisapplication/pdfhttp://hdl.handle.net/10400.5/95868enginfo:eu-repo/semantics/openAccessreponame:Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)instname:FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologiainstacron:RCAAP2025-03-17T16:29:10Zoai:repositorio.ulisboa.pt:10400.5/95868Portal AgregadorONGhttps://www.rcaap.pt/oai/openaireinfo@rcaap.ptopendoar:https://opendoar.ac.uk/repository/71602025-05-29T04:16:34.594671Repositórios Científicos de Acesso Aberto de Portugal (RCAAP) - FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologiafalse
dc.title.none.fl_str_mv Detecting SQL Injection Vulnerabilities Using FreeST
title Detecting SQL Injection Vulnerabilities Using FreeST
spellingShingle Detecting SQL Injection Vulnerabilities Using FreeST
Silvestre, António Rebelo Mendes
Vulnerabilidades de Injeção SQL
Tipos de Sessão
Verificação de Tipos
Análise Estática
Segurança de Software
Teses de mestrado - 2024
Departamento de Informática
title_short Detecting SQL Injection Vulnerabilities Using FreeST
title_full Detecting SQL Injection Vulnerabilities Using FreeST
title_fullStr Detecting SQL Injection Vulnerabilities Using FreeST
title_full_unstemmed Detecting SQL Injection Vulnerabilities Using FreeST
title_sort Detecting SQL Injection Vulnerabilities Using FreeST
author Silvestre, António Rebelo Mendes
author_facet Silvestre, António Rebelo Mendes
author_role author
dc.contributor.none.fl_str_mv Rodrigues, Andreia Filipa Torcato Mordido
Medeiros, Ibéria Vitória de Sousa, 1971-
Repositório da Universidade de Lisboa
dc.contributor.author.fl_str_mv Silvestre, António Rebelo Mendes
dc.subject.por.fl_str_mv Vulnerabilidades de Injeção SQL
Tipos de Sessão
Verificação de Tipos
Análise Estática
Segurança de Software
Teses de mestrado - 2024
Departamento de Informática
topic Vulnerabilidades de Injeção SQL
Tipos de Sessão
Verificação de Tipos
Análise Estática
Segurança de Software
Teses de mestrado - 2024
Departamento de Informática
description Tese de mestrado, Segurança Informática , 2024, Universidade de Lisboa, Faculdade de Ciências
publishDate 2024
dc.date.none.fl_str_mv 2024-12-02T18:25:04Z
2024
2024
2024-01-01T00:00:00Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/masterThesis
format masterThesis
status_str publishedVersion
dc.identifier.uri.fl_str_mv http://hdl.handle.net/10400.5/95868
url http://hdl.handle.net/10400.5/95868
dc.language.iso.fl_str_mv eng
language eng
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.source.none.fl_str_mv reponame:Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
instname:FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologia
instacron:RCAAP
instname_str FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologia
instacron_str RCAAP
institution RCAAP
reponame_str Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
collection Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
repository.name.fl_str_mv Repositórios Científicos de Acesso Aberto de Portugal (RCAAP) - FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologia
repository.mail.fl_str_mv info@rcaap.pt
_version_ 1833602001922949120

Similar Items