A Static Analysis Framework for Detecting SQL Injection Vulnerabilities

Source: Georgia Southwestern State University

Recent studies have shown that SQL injection attacks are a major threat to web applications. Via carefully crafted user input, attackers can expose or manipulate the contents of a web application's back-end database. This paper outlines the design of a Static Analysis FramEwork (called SAFELI) for identifying SQL injection vulnerabilities in a web application at compile time. SAFELI statically inspects the MSIL bytecode of an ASP.NET web application using symbolic execution. At each hot-spot that submits SQL statements, a hybrid constraint, built from a collection of attack patterns represented as regular expressions, is solved to find the initial values of web form fields (e.g., text boxes) that lead to a breach of database security.
Format: PDF
Size: 140.70
Date: Jan 2007