DETECTION OF SQL INJECTION VULNERABILITY IN CODEIGNITER FRAMEWORK USING STATIC ANALYSIS

Muhammad Fahmi Al Azhar*, Universitas Indonesia, Indonesia
Ruki Harwahyu, Universitas Indonesia, Indonesia

DOI : 10.24269/mtkind.v17i1.7267

SQL Injection remains one of the most common attacks on web-based applications. Its causes and countermeasures have been explained in many sources, yet SQL Injection vulnerabilities are still routinely found in applications. Web application frameworks that already provide functions to defend against the attack are often not used to full effect, largely because programmers forget the coding rules that keep request data out of the query string. This research detects SQL Injection vulnerabilities in source code, using the PHP CodeIgniter framework as a case study. We compared our results with the static analysis tools RIPS, Synopsys Coverity, and SonarQube. The tool we developed detects SQL Injection vulnerabilities that cannot be detected by the two tools, with an accuracy of 88.8%. Our results can be turned into suggestions that help programmers improve the code they write.
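To make the abstract's point concrete, the following is an added example, not the authors' tool or any code from the paper: a deliberately small, line-based static check in Python that applies the kind of rule such a detector needs for CodeIgniter 3 code. It marks a `$this->db->query()` call as suspicious when its single SQL argument carries request data (the Input class `get/post/get_post/cookie` methods or a request superglobal) that has neither been passed as query bindings (second argument) nor wrapped in `$this->db->escape()`. The CodeIgniter API names are the framework's real ones; the controller fragment it scans is constructed for the example, and the taint tracking is intraprocedural and assignment-by-assignment, so it is an illustration of the approach rather than a complete analyzer.

```python
import re
from dataclasses import dataclass

# CodeIgniter 3 request sources and the raw-SQL sink (real CI3 API names).
SOURCE_ASSIGN = re.compile(r'\$(\w+)\s*=\s*(?:\$this->input->(?:get|post|get_post|cookie)\(|\$_(?:GET|POST|REQUEST|COOKIE)\[)')
SOURCE_INLINE = re.compile(r'\$this->input->(?:get|post|get_post|cookie)\(|\$_(?:GET|POST|REQUEST|COOKIE)\b')
QUERY_CALL = re.compile(r'\$this->db->query\s*\(')
ESCAPE_CALL = re.compile(r'\$this->db->escape(?:_str|_like_str)?\s*\(')
VAR = re.compile(r'\$(\w+)')

def _balanced(text, start):
    """Return (inner, end) for the '(' at text[start]; quotes are honoured."""
    depth, quote, i = 0, None, start
    while i < len(text):
        c = text[i]
        if quote:
            if c == '\\':
                i += 1          # skip the escaped character
            elif c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
        i += 1
    raise ValueError('unbalanced parentheses')

def _split_args(inner):
    """Split a call's argument text on top-level commas only."""
    args, depth, quote, start, i = [], 0, None, 0, 0
    while i < len(inner):
        c = inner[i]
        if quote:
            if c == '\\':
                i += 1
            elif c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        elif c in '([':
            depth += 1
        elif c in ')]':
            depth -= 1
        elif c == ',' and depth == 0:
            args.append(inner[start:i].strip())
            start = i + 1
        i += 1
    tail = inner[start:].strip()
    return args + [tail] if tail else args

def _strip_escaped(arg):
    """Drop $this->db->escape(...) spans so escaped values are not flagged."""
    out, i = [], 0
    while (m := ESCAPE_CALL.search(arg, i)):
        out.append(arg[i:m.start()])
        _, i = _balanced(arg, m.end() - 1)
    return ''.join(out) + arg[i:]

@dataclass
class Finding:
    line: int
    reason: str
    code: str

def scan(php):
    """Flag query() calls whose single SQL argument carries request data that
    is neither bound nor escaped. Taint follows direct assignments, in order."""
    tainted, findings = set(), []
    for lineno, line in enumerate(php.splitlines(), 1):
        tainted.update(m.group(1) for m in SOURCE_ASSIGN.finditer(line))
        for m in QUERY_CALL.finditer(line):
            args = _split_args(_balanced(line, m.end() - 1)[0])
            if len(args) != 1:
                continue        # query bindings present: the driver escapes each value
            sql = _strip_escaped(args[0])
            reasons = []
            if SOURCE_INLINE.search(sql):
                reasons.append('request data used directly in SQL')
            used = sorted(v for v in set(VAR.findall(sql)) if v in tainted)
            if used:
                reasons.append('tainted variable(s): $' + ', $'.join(used))
            if reasons:
                findings.append(Finding(lineno, '; '.join(reasons), line.strip()))
    return findings

# Constructed CodeIgniter 3 controller fragment (not from the paper).
SAMPLE_PHP = r'''<?php
class Users extends CI_Controller {
    public function show() {
        $id = $this->input->get('id');
        // vulnerable: raw concatenation of a request parameter
        $q1 = $this->db->query("SELECT * FROM users WHERE id = " . $id);
        // vulnerable: superglobal interpolated into the SQL string
        $q2 = $this->db->query("SELECT * FROM users WHERE name = '$_POST[name]'");
        // safe: query bindings, the driver escapes the values
        $q3 = $this->db->query("SELECT * FROM users WHERE id = ?", array($id));
        // safe: value passed through the driver's escape()
        $q4 = $this->db->query("SELECT * FROM users WHERE id = " . $this->db->escape($id));
        // safe: Query Builder builds and escapes the statement itself
        $q5 = $this->db->get_where('users', array('id' => $id));
    }
}
'''

if __name__ == '__main__':
    for f in scan(SAMPLE_PHP):
        print(f'line {f.line}: {f.reason}\n    {f.code}')
```

Run on the sample, the check reports only `$q1` and `$q2`; the bound, escaped, and Query Builder variants pass. The limitations are the ones the paper's comparison is about: a value laundered through another function, an array, or a second file is invisible to this rule, which is exactly where a real analyzer needs interprocedural taint tracking rather than line-local pattern matching.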

Keywords
static analysis, sql injection, php, codeigniter
REFERENCES
  1. M. Liu, K. Li, and T. Chen, “Security testing of web applications: A search-based approach for detecting SQL injection vulnerabilities,” in GECCO 2019 Companion - Proceedings of the 2019 Genetic and Evolutionary Computation Conference Companion, Association for Computing Machinery, Inc, Jul. 2019, pp. 417–418. doi: 10.1145/3319619.3322026.
  2. N. Larson, “OWASP Top Ten 2021: Where we’ve been and where we are,” 2022.
  3. P. Vats and A. Saha, “An Overview of SQL Injection Attacks,” SSRN Electronic Journal, May 2019, doi: 10.2139/ssrn.3479001.
  4. A. Ibrahim, M. El-Ramly, and A. Badr, “Beware of the Vulnerability! How Vulnerable are GitHub’s Most Popular PHP Applications?,” in 2019 IEEE/ACS 16th International Conference on Computer Systems and Applications (AICCSA), 2019, pp. 1–7. doi: 10.1109/AICCSA47632.2019.9035265.
  5. I. Medeiros and N. Neves, “Effect of Coding Styles in Detection of Web Application Vulnerabilities,” in 2020 16th European Dependable Computing Conference (EDCC), 2020, pp. 111–118. doi: 10.1109/EDCC51268.2020.00027.
  6. W3Techs, “Usage Statistics and Market Share of PHP for Websites, May 2023,” 2023. https://w3techs.com/technologies/details/pl-php
  7. S. Tenzin, “PHP Framework for Web Application Development,” IARJSET International Advanced Research Journal in Science, vol. 9, no. 2, 2022, doi: 10.17148/IARJSET.2022.9218.
  8. B. Gautam, J. Tripathi, S. Singh, and M. T. Student, “A Secure Coding Approach For Prevention of SQL Injection Attacks,” 2018. [Online]. Available: http://www.ripublication.com
  9. M. L. Siddiq, Md. R. R. Jahin, M. R. Ul Islam, R. Shahriyar, and A. Iqbal, “SQLIFIX: Learning Based Approach to Fix SQL Injection Vulnerabilities in Source Code,” in 2021 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2021, pp. 354–364. doi: 10.1109/SANER50967.2021.00040.
  10. Synopsys, “Managing Web Application Security With Coverity,” 2021.
  11. Sonar, “Code Quality Tool & Secure Analysis with SonarQube,” 2023. https://www.sonarsource.com/products/sonarqube/
  12. Synopsys, “Coverity SAST Software | Synopsys,” 2023. https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html
  13. CodeIgniter, “CodeIgniter User Guide,” 2023. https://www.codeigniter.com/userguide3/ (accessed May 31, 2023).
  14. M. Nashaat, K. Ali, and J. Miller, “Detecting Security Vulnerabilities in Object-Oriented PHP Programs,” in 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM), 2017, pp. 159–164. doi: 10.1109/SCAM.2017.20.
  15. N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: a static analysis tool for detecting Web application vulnerabilities,” in 2006 IEEE Symposium on Security and Privacy (S&P’06), 2006, pp. 6 pp.–263. doi: 10.1109/SP.2006.29.
  16. JetBrains, “PHP Programming - The State of Developer Ecosystem in 2021 Infographic,” 2023. https://www.jetbrains.com/lp/devecosystem-2021/php/

Article Info
Submitted: 2023-06-06
Published: 2023-07-31
Section: Article