Information security – Monitoring or scanning of software or data including attack... – Vulnerability assessment
Reexamination Certificate
2007-05-24
2011-11-01
Shiferaw, Eleni (Department: 2437)
C726S022000
active
08051486
ABSTRACT:
A web application receives a user input with a SQL injection attack string that references a function. The application generates a corresponding statement based on the user input string, which the application sends to a database server. Upon receiving the statement, the database server executes the statement that invokes the referenced function. When invoked, the referenced function stores a value. The presence of the stored value indicates that the database server invoked the function. Storing the value indicative of the function invocation identifies a vulnerability of the web application to SQL injection attacks, since the function reference is introduced solely through user input and function invocation is not intended by the application. This provides proof of SQL injection vulnerability of the application.
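The check described in the abstract can be reproduced against your own query-building code. The following is an added example, not code from the patent or from the assignee: it assumes an in-memory SQLite database in place of a database server, and the probe function `probe_mark`, the marker value, the `users` table and both lookup functions are hypothetical names constructed for the illustration.

```python
import sqlite3

MARKER = "canary-7f3a"  # constructed value; its later presence proves invocation


def make_db():
    """Return (conn, hits). hits receives every value passed to the probe function."""
    hits = []
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')")

    def probe_mark(value):
        hits.append(value)  # the "stored value" of the abstract
        return 0

    # Stand-in for a function that exists on the database server (assumption).
    conn.create_function("probe_mark", 1, probe_mark)
    return conn, hits


def lookup_concat(conn, name):
    # Application code under test: user input becomes part of the statement text.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    # Application code under test: user input is passed as a bound parameter.
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def is_injectable(lookup):
    """Send input that references the probe function, then look for the stored value."""
    conn, hits = make_db()
    test_input = "x' OR probe_mark('" + MARKER + "') = 0 --"
    try:
        lookup(conn, test_input)
    except sqlite3.Error:
        pass  # a syntax error alone proves nothing; only the stored value counts
    finally:
        conn.close()
    # The function reference came solely from user input, so any stored
    # marker means the input was executed as part of the statement.
    return MARKER in hits


if __name__ == "__main__":
    print("concatenated query injectable:", is_injectable(lookup_concat))
    print("bound-parameter query injectable:", is_injectable(lookup_bound))
```

The verdict depends only on the stored marker, not on error messages or response differences, which is what makes the result proof of execution rather than an inference.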
REFERENCES:
patent: 5875334 (1999-02-01), Chow et al.
patent: 5987455 (1999-11-01), Cochrance et al.
patent: 7444331 (2008-10-01), Nachenberg et al.
patent: 7568229 (2009-07-01), Nachenberg et al.
patent: 7593974 (2009-09-01), Suzuki et al.
patent: 7702642 (2010-04-01), Wolfman et al.
patent: 7860842 (2010-12-01), Bronnikov et al.
patent: 2003/0093410 (2003-05-01), Couch et al.
patent: 2005/0027981 (2005-02-01), Baum-Waidner et al.
patent: 2005/0055565 (2005-03-01), Fournet et al.
patent: 2005/0203921 (2005-09-01), Newman et al.
patent: 2006/0031933 (2006-02-01), Costa et al.
patent: 2007/0156644 (2007-07-01), Johnson et al.
Litwin, Paul, “Data Security Stop SQL Injection Attacks Before They Stop You”, Microsoft Corporation, MSDN Magazine, 2007, retrieved from website: <http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/>, 8 pages.
Huang, Y. et al., “Securing Web Application Code by Static Analysis and Runtime Protection”, WWW (2004), pp. 40-52.
Wasserman, G. et al., “Sound and Precise Analysis of Web Applications for Injection Vulnerabilities” (Jun. 2007), ACM, 10 pages.
Boyd et al., “Preventing SQL Injection Attacks”, SQLrand ACNS 2004, LNCS 3089, pp. 292-302.
Dogru et al., “A Graphical Data Flow Language for Retrieval, Analysis, and Visualization of Scientific Database”, Journal of Visual languages and computing (1996), pp. 247-265.
Liu, “Architectures for intrusion tolerant database system”, Proceeding of the 18th annual computer security application conference, School of Information Science and Technology, Pennsylvania State, (ACSAC 2002), 10 pages.
Gould et al., “Static Checking of Dynamically Generated Queries in Database Applications”, Proceeding of the 26th International Conference on Software Engineering, Department of Science University of California Davis, (ICSE 2004), 10 pages.
Lubomir et al., AGM: “A Dataflow Database Machine”, University of California Irvine, vol. 14, No. 1, Mar. 1989, pp. 114-146.
Abyaneh Ali S
Hickman Palermo & Truong & Becker LLP
Oracle International Corporation
Shiferaw Eleni