Indicating SQL injection attack vulnerability with a stored value
First Claim

1. A method, comprising:
   receiving a statement that contains an application input string that references a function which, when executed, stores a value; and
   sending the statement to a database server for execution;
   wherein the presence of the stored value indicates that the database server invoked the function.
Abstract
A web application receives a user input with a SQL injection attack string that references a function. The application generates a corresponding statement based on the user input string, which the application sends to a database server. Upon receiving the statement, the database server executes the statement that invokes the referenced function. When invoked, the referenced function stores a value. The presence of the stored value indicates that the database server invoked the function. Storing the value indicative of the function invocation identifies a vulnerability of the web application to SQL injection attacks, since the function reference is introduced solely through user input and function invocation is not intended by the application. This provides proof of SQL injection vulnerability of the application.
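The mechanism the abstract describes, worked through as an added example that is not code from the patent or its assignee: a database-side function that records a value whenever it is invoked, a query built by string concatenation beside a parameterized one, and a probe that submits an input referencing that function and then checks whether the stored value appeared. It assumes SQLite through Python's sqlite3 module, a constructed users table, a constructed function name canary, and an in-process list standing in for the database-side audit record; none of these come from the patent text.

```python
import sqlite3

# Constructed stand-in for the database-side audit record: the "stored value"
# of the abstract is appended here each time the database invokes the function.
AUDIT = []


def _canary(tag):
    """The referenced function: when the database server invokes it, it stores a value."""
    AUDIT.append(tag)
    return 1  # truthy so the surrounding WHERE clause still evaluates cleanly


def make_db():
    """Constructed in-memory database with a small users table and the canary registered."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("canary", 1, _canary)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice'), ('bob')")
    return conn


def vulnerable_lookup(conn, name):
    """Builds the statement by concatenation, so the input string becomes part of the SQL."""
    stmt = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(stmt).fetchall()


def safe_lookup(conn, name):
    """Binds the input as a parameter, so it is only ever data and never SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def probe(lookup, tag):
    """Submit an input that references the stored-value function through `lookup`.

    Returns True when the database invoked the function (the tag was stored),
    which is the patent's indicator that the application is vulnerable.
    A statement that fails to parse is not an error for the probe: only the
    presence of the stored value matters.
    """
    AUDIT.clear()
    # Constructed input string that references the function; it is only
    # interpreted as SQL if the application splices it into the statement.
    user_input = f"' OR canary('{tag}') OR '"
    try:
        lookup(make_db(), user_input)
    except sqlite3.Error:
        pass
    return tag in AUDIT


if __name__ == "__main__":
    print("concatenated query invoked the function:", probe(vulnerable_lookup, "t1"))
    print("parameterized query invoked the function:", probe(safe_lookup, "t2"))
```

The probe never inspects query results or error messages; like the method in the abstract, it relies solely on whether the referenced function left its value behind, so it reports a vulnerability even when the application swallows errors or returns nothing to the caller.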
Claims (28 in total; the independent claims 1 and 14 are shown)

1. A method, comprising:
   receiving a statement that contains an application input string that references a function which, when executed, stores a value; and
   sending the statement to a database server for execution;
   wherein the presence of the stored value indicates that the database server invoked the function.
   Dependent claims: 2-13 and 15-27.

14. A method, comprising:
   receiving a statement from an application that contains the one or more input strings that reference a function which, when executed, stores a value;
   invoking the function; and
   storing the value;
   wherein the presence of the stored value indicates that the function was invoked; and
   wherein the stored value comprises an audit record of a vulnerability of the middle tier application to SQL injection.
   Dependent claim: 28.
Specification