Authentication and SQL-Injection Prevention Techniques in Web Applications

Cetin, Cagri

17 June 2019

This dissertation addresses the top two “most critical web-application security risks” by combining two high-level contributions. The first high-level contribution introduces and evaluates collaborative authentication, or coauthentication, a single-factor technique in which multiple registered devices work together to authenticate a user. Coauthentication provides security benefits similar to those of multi-factor techniques, such as mitigating theft of any one authentication secret, without some of the inconveniences of multi-factor techniques, such as having to enter passwords or biometrics. Coauthentication provides additional security benefits, including: preventing phishing, replay, and man-in-the-middle attacks; basing authentications on high-entropy secrets that can be generated and updated automatically; and availability protections against, for example, device misplacement and denial-of-service attacks. Coauthentication is amenable to many applications, including m-out-of-n, continuous, group, shared-device, and anonymous authentications. The principal security properties of coauthentication have been formally verified in ProVerif, and implementations have performed efficiently compared to password-based authentication. The second high-level contribution defines a class of SQL-injection attacks that are based on injecting identifiers, such as table and column names, into SQL statements. An automated analysis of GitHub shows that 15.7% of 120,412 posted Java source files contain code vulnerable to SQL-Identifier Injection Attacks (SQL-IDIAs). We have manually verified that some of the 18,939 Java files identified during the automated analysis are indeed vulnerable to SQL-IDIAs, including deployed Electronic Medical Record software for which SQL-IDIAs enable discovery of confidential patient information. Although prepared statements are the standard defense against SQL injection attacks, existing prepared-statement APIs do not protect against SQL-IDIAs. This dissertation therefore proposes and evaluates an extended prepared-statement API to protect against SQL-IDIAs.

Authentication methods

Formal verification

GitHub analysis

Prepared statements

SQL-Injection attacks

Computer Engineering

Computer Sciences

Password Management : A Study about Current Challenges with Password Management

Jalali, Ali, Assadi, Laila, Osman, Asma

January 2023

Effective password management is crucial for safeguarding online accounts and sensitive information. This research examines the current challenges and provides alternative solutions for better password management. This study encompasses a comprehensive survey and interviews conducted with individuals across various professional backgrounds. A total of 137 online users participated in the survey, which spanned over a duration of 15 days. Additionally, four individuals were interviewed to gather more indepth data. The study aimed to understand password selection behaviors and the factors influencing them. The goal is to develop practical strategies to enhance password security and mitigate unauthorized access to sensitive information. The purpose of the study is to provide valuable insights into the complexities of password management and contribute to the development of informed approaches for stronger password security. The study emphasizes the significance of password management and highlights the importance of educating users about the risks associated with weak passwords. The findings have implications not only for the research community but also for individuals and organizations seeking to understand user behavior and attitudes towards password systems. By gaining a deeper understanding of these aspects, it becomes possible to design more effective strategies to protect online accounts and sensitive data.

Password managers

password management

password security

user behavior

authentication methods

Computer Sciences

Datavetenskap (datalogi)