Measuring the Absolute and Relative Prevalence of SQL Concatenations and SQL-Identifier Injections
摘要
SQL-Identifier Injection Vulnerabilities (SQL-IDIVs) are a class of SQL Injection Vulnerabilities (SQLIVs) that originate from the insertion of user-specified SQL identifiers into SQL code. SQL-IDIVs are noteworthy because prepared statements - the standard defense against SQLIVs - do not support placeholders for SQL identifiers. We verified this incompleteness of prepared statements through a survey of 10 public prepared statement implementations, finding that all of these implementations lack support for identifier insertion. This article measures the absolute prevalence of concatenation into SQL statements and SQL-IDIVs via what is, as far as we know, the most comprehensive study of publicly available code ever conducted. Using our automated GitHub crawler program, we obtained 4,762,175 source code files from 944,316 GitHub projects to uncover instances of concatenation into SQL statements. Our crawler program classified whether each concatenation constitutes a potential SQL-IDIV. The crawler flagged 63% of the obtained files as containing at least one instance of SQL statement concatenation. Of these files that concatenate into SQL code, 15% contain SQL-identifier concatenation. We manually verified these results, finding that our SQL-IDIV classifier exhibits an accuracy of 93.4%. In addition, we attempted to exploit a subset of the manually verified applications, finding that about 22.7% of these web applications meet all the additional requirements to be exploitable in practice via SQL-identifier injection. We also investigated the prevalence of SQL-IDIVs relative to other software vulnerabilities by analyzing all 3,757 CVE reports of SQLIVs published in 2022-2023, and finding that at least 8% of these reports pertain to SQL-IDIVs. We observed that the prevalence of SQL-IDIVs has risen from 2022 to 2023. Based on these results, we conclude that SQL-IDIVs are nontrivially represented in publicly available code and public vulnerability records.