Research Commons
      Escrow: A large-scale web vulnerability assessment tool

      Delamore, Baden; Ko, Ryan K.L.
      Files
      Ko - escrow-rkv02.pdf
      259.3Kb
      DOI
       10.1109/TrustCom.2014.130
      Citation
      Delamore, B., & Ko, R. K. L. (2015). Escrow: A large-scale web vulnerability assessment tool. In 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (pp. 983–988). Washington, DC, USA: Institute of Electrical and Electronics Engineers Inc. http://doi.org/10.1109/TrustCom.2014.130
      Permanent Research Commons link: https://hdl.handle.net/10289/9336
      Abstract
      The reliance on web applications has increased rapidly over the years. At the same time, the quantity and impact of application security vulnerabilities have grown as well. Amongst these vulnerabilities, SQL Injection has been classified as the most common, dangerous and prevalent web application flaw. In this paper, we propose Escrow, a large-scale SQL Injection detection tool with an exploitation module that is lightweight, fast and platform-independent. Escrow uses a custom search implementation together with a static code analysis module to find potential target web applications. Additionally, it provides a simple-to-use graphical user interface (GUI) to navigate through a vulnerable remote database. Escrow is implementation-agnostic, i.e., it can perform analysis on any web application regardless of the server-side implementation (PHP, ASP, etc.). Using our tool, we discovered that it is indeed possible to identify and exploit at least 100 databases per 100 minutes, without prior knowledge of their underlying implementation. We observed that for each query sent, we can scan and detect dozens of vulnerable web applications in a short space of time, while providing a means for exploitation. Finally, we provide recommendations for developers to defend against SQL injection and emphasise the need for proactive assessment and defensive coding practices.
      Date
      2015-01-15
      Type
      Conference Contribution
      Publisher
      Institute of Electrical and Electronics Engineers Inc.
      Rights
      This is an author’s accepted version of an article published in the journal: IEEE Microwave Magazine. ©2014 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
      Collections
      • Computing and Mathematical Sciences Papers [1436]