TY  - CHAP
U1  - Conference publication
A1  - Schuckert, Felix
A1  - Katt, Basel
A1  - Langweg, Hanno
T1  - Difficult SQLi Code Patterns for Static Code Analysis Tools
T2  - NISK 2020 - Proceedings of the 13th Norwegian Information Security Conference, Nov. 24-25, 2020, virtual (NISK Norsk informasjonssikkerhetskonferanse ; No. 3, 2020)
N2  - We compared vulnerable and fixed versions of the source code of 50 different PHP open source projects based on CVE reports for SQL injection vulnerabilities. We scanned the source code with commercial and open source tools for static code analysis. Our results show that five current state-of-the-art tools have issues correctly marking vulnerable and safe code. We identify 25 code patterns that are not detected as a vulnerability by at least one of the tools and 6 code patterns that are mistakenly reported as a vulnerability that cannot be confirmed by manual code inspection. Knowledge of the patterns could help vendors of static code analysis tools, and software developers could be instructed to avoid patterns that confuse automated tools.
Y1  - 2021
UR  - https://ojs.bibsys.no/index.php/NIK/article/view/892/753
SP  - 16
S1  - 16
PB  - Open Journal Systems
ER  -