Web services are increasingly adopted in various domains, from finance and e-government to social media. Because they are built on top of web technologies, they also suffer an unprecedented number of attacks and exploits, just like the Web itself. Among these attacks, those that target SQL injection vulnerabilities have consistently been top-ranked in recent years. Testing to detect such vulnerabilities before making web services public is therefore crucial. In this paper we present an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key, as otherwise no injection vulnerability can be exploited. Our evaluation demonstrates that the approach is effective at detecting SQL injection vulnerabilities and at producing inputs that bypass application firewalls, which are a common configuration in the real world.
Disciplines:
Computer science
Author, co-author:
APPELT, Dennis ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
NGUYEN, Duy Cu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
BRIAND, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
ALSHAHWAN, Nadia ; University College London - UCL > Department of Computer Science
External co-authors:
yes
Document language:
English
Title:
Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach
Publication date:
21 July 2014
Event name:
International Symposium on Software Testing and Analysis
Event location:
San Jose, CA, United States
Event date:
July 21-25
Event scope:
International
Title of the main work:
Proc. of the International Symposium on Software Testing and Analysis 2014