CR · Jun 22, 2020

You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications

arXiv:2006.11996v3 · 40 citations
AI Analysis

This addresses security vulnerabilities in widely used web applications like WordPress and Drupal, offering a practical solution without requiring app modifications.

The paper tackled SQL injection attacks on legacy web applications by proposing a hybrid static-dynamic analysis tool called SQLBlock, which successfully prevented all 11 tested exploits with a maximum performance overhead of 3%.

SQL injection (SQLi) attacks pose a significant threat to the security of web applications. Existing approaches do not support object-oriented programming, which renders them unable to protect real-world web apps such as WordPress, Joomla, or Drupal against SQLi attacks. We propose a novel hybrid static-dynamic analysis for PHP web applications that limits each PHP function's access to the database. Our tool, SQLBlock, reduces the attack surface of the vulnerable PHP functions in a web application to a set of query descriptors that capture the benign functionality of each PHP function. We implement SQLBlock as a plugin for MySQL and PHP. Our approach does not require any modification to the web app. We evaluate SQLBlock on 11 SQLi vulnerabilities in WordPress, Joomla, Drupal, Magento, and their plugins. We demonstrate that SQLBlock successfully prevents all 11 SQLi exploits with negligible performance overhead (i.e., a maximum of 3% on a heavily-loaded web server).
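The abstract's core idea is that each PHP function is only ever allowed to issue the database queries it was observed issuing during benign operation, described structurally rather than textually. The Python sketch below is an added illustration of that per-function allow-listing model; it is not code from the paper or from the SQLBlock project, and the paper's actual descriptor definition and its MySQL/PHP plugin are not reproduced. The names `describe_query` and `QueryGuard`, the descriptor fields, and the sample queries and table names (`app_posts`, `app_users`) are all constructed for the example. A descriptor here is the statement type, the tables referenced, and the query "skeleton" with literals replaced by `?`, so that benign variants (different IDs, different search strings) collapse onto one descriptor while structure-changing injections do not.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Tokenizer: string literal, numeric literal, identifier/keyword, or one punctuation char.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"           # single-quoted string literal ('' is an escaped quote)
    r"|\b\d+(?:\.\d+)?\b"       # numeric literal
    r"|[A-Za-z_][A-Za-z0-9_]*"  # identifier or keyword
    r"|[^\s\w]"                 # any other single non-space character
)
_IDENT = re.compile(r"^[a-z_]\w*$")
_TABLE_KEYWORDS = {"from", "join", "into", "update"}  # the identifier after these is a table


@dataclass(frozen=True)
class QueryDescriptor:
    """Structural summary of a query (constructed model of a 'query descriptor')."""
    statement: str              # leading keyword, e.g. "select"
    tables: FrozenSet[str]      # table names referenced
    skeleton: str               # lower-cased query with every literal replaced by '?'


def describe_query(sql: str) -> QueryDescriptor:
    """Reduce a concrete SQL string to its descriptor; literals are abstracted away."""
    normalized: List[str] = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'") or tok[0].isdigit():
            normalized.append("?")           # string or numeric literal -> placeholder
        else:
            normalized.append(tok.lower())   # keywords, identifiers, punctuation kept
    tables: Set[str] = set()
    for i in range(len(normalized) - 1):
        nxt = normalized[i + 1]
        if normalized[i] in _TABLE_KEYWORDS and _IDENT.match(nxt):
            tables.add(nxt)
    statement = normalized[0] if normalized else ""
    return QueryDescriptor(statement, frozenset(tables), " ".join(normalized))


class QueryGuard:
    """Per-function allow-list of descriptors: learn in a training phase, then enforce."""

    def __init__(self) -> None:
        self.profiles: Dict[str, Set[QueryDescriptor]] = {}

    def learn(self, func: str, sql: str) -> None:
        """Record a benign query observed from application function `func`."""
        self.profiles.setdefault(func, set()).add(describe_query(sql))

    def check(self, func: str, sql: str) -> Tuple[bool, str]:
        """Allow only queries whose descriptor is in `func`'s learned profile (default-deny)."""
        desc = describe_query(sql)
        profile = self.profiles.get(func)
        if not profile:
            return False, f"no profile for function {func!r}; default-deny"
        if desc in profile:
            return True, "matches learned descriptor"
        known_tables = set().union(*(d.tables for d in profile))
        extra = desc.tables - known_tables
        if extra:
            return False, f"references tables outside profile: {sorted(extra)}"
        return False, "query skeleton not in profile"


def demo() -> Dict[str, bool]:
    """Constructed scenario: two functions are profiled, then four queries are checked."""
    guard = QueryGuard()
    # Training phase: benign queries attributed to each function (constructed samples).
    guard.learn("get_post", "SELECT ID, post_title FROM app_posts WHERE ID = 5")
    guard.learn("get_post", "SELECT ID, post_title FROM app_posts WHERE ID = 42")
    guard.learn("search_posts", "SELECT ID FROM app_posts WHERE post_title LIKE '%php%' LIMIT 10")
    # Enforcement phase.
    return {
        # same structure, different literal: allowed
        "benign_variant": guard.check(
            "get_post", "SELECT ID, post_title FROM app_posts WHERE ID = 1337")[0],
        # tautology changes the WHERE clause skeleton: blocked
        "tautology": guard.check(
            "get_post", "SELECT ID, post_title FROM app_posts WHERE ID = 5 OR 1=1")[0],
        # appended UNION pulls in a table the function never touched: blocked
        "union": guard.check(
            "get_post", "SELECT ID, post_title FROM app_posts WHERE ID = 5 "
                        "UNION SELECT login, secret FROM app_users")[0],
        # a query that is benign for search_posts is still outside get_post's profile: blocked
        "cross_function": guard.check(
            "get_post", "SELECT ID FROM app_posts WHERE post_title LIKE 'x' LIMIT 10")[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16s} {'allow' if allowed else 'block'}")
```

The last case is the point of doing this per function rather than per application: the search query is legitimate somewhere in the app, but a function that was only ever observed fetching a post by ID must not be able to issue it. The weak spot of any learned allow-list is training coverage, so a real deployment needs a way to flag, rather than silently drop, descriptors that were simply never exercised during profiling.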

Code Implementations: 1 repo