Augmented attack tree modeling of SQL injection attacks

The SQL injection attack (SQLIA) vulnerability is extremely widespread and poses a serious security threat to web applications with built-in access to databases. The SQLIA adversary exploits the way a web application assembles and the database server parses SQL statements: specially constructed input alters the statement so that it causes non-explicit executions against, or modifications of, the corresponding database tables. In this paper, we present a formal and methodical way of modeling SQLIAs by way of augmented attack trees. This modeling explicitly captures the particular subtle incidents triggered by SQLIA adversaries and the corresponding state transitions. To the best of our knowledge, this is the first known attack tree modeling of SQL injection attacks.
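To make the attack-tree idea concrete, the following added example (not code from the paper, and not the paper's own tree) builds a small AND/OR attack tree whose root is the SQLIA goal named in the abstract and evaluates it from a defender's viewpoint: each leaf carries a constructed effort estimate and a "mitigated" flag, and the evaluator reports the cheapest remaining path to the root, or reports that the goal is blocked once a control such as parameterized queries removes a leaf that every path depends on. The node names, costs and tree shape are illustrative assumptions; the AND/OR propagation is the general attack-tree evaluation of which the paper's SQLIA model is one instance.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Minimal attack-tree node. kind is "AND", "OR" or "LEAF".
# cost is a constructed, relative attacker-effort estimate for a leaf.
# mitigated marks a leaf that a deployed control has removed.
@dataclass
class Node:
    name: str
    kind: str = "LEAF"
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0
    mitigated: bool = False


Path = Optional[Tuple[float, List[str]]]  # (total cost, leaves used) or None if blocked


def cheapest_path(node: Node) -> Path:
    """Return the cheapest way an adversary can still achieve this node.

    LEAF: its own cost unless mitigated.
    AND : every child must be achievable; costs add up.
    OR  : any child suffices; pick the cheapest achievable one.
    """
    if node.kind == "LEAF":
        return None if node.mitigated else (node.cost, [node.name])

    child_paths = [cheapest_path(c) for c in node.children]

    if node.kind == "AND":
        if any(p is None for p in child_paths):
            return None  # one blocked precondition blocks the whole conjunction
        total = sum(p[0] for p in child_paths)
        leaves = [leaf for p in child_paths for leaf in p[1]]
        return (total, leaves)

    if node.kind == "OR":
        reachable = [p for p in child_paths if p is not None]
        return min(reachable, key=lambda p: p[0]) if reachable else None

    raise ValueError(f"unknown node kind {node.kind!r}")


def mitigate(root: Node, leaf_name: str) -> bool:
    """Mark the named leaf as mitigated; return False if no such leaf exists."""
    if root.kind == "LEAF" and root.name == leaf_name:
        root.mitigated = True
        return True
    return any(mitigate(c, leaf_name) for c in root.children)


def build_tree() -> Node:
    """Constructed illustrative tree; not the tree from the paper."""
    return Node("SQLIA: non-explicit execution or modification of database tables", "AND", [
        Node("Injection point reachable", "AND", [
            Node("User input concatenated into SQL text", cost=1.0),
            Node("Input validation absent or bypassable", cost=2.0),
        ]),
        Node("Adversary outcome", "OR", [
            Node("Unauthorised read of table contents", cost=3.0),
            Node("Unauthorised modification of table contents", cost=4.0),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("before controls:", cheapest_path(tree))
    # Parameterized queries remove the concatenation leaf; because the
    # injection point is an AND node, the root goal becomes unreachable.
    mitigate(tree, "User input concatenated into SQL text")
    print("after parameterized queries:", cheapest_path(tree))
```

Reading the output the way a threat modeler would: a control that mitigates one branch of an OR node (say, read-only restrictions on the affected tables) only raises the attacker's cost, whereas a control on a leaf under the top-level AND node (binding user input as parameters rather than concatenating it) makes the root goal unreachable, which is exactly the distinction the tree structure is meant to make visible.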
