Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach

Appelt, Dennis; Nguyen, Duy Cu; Briand, Lionel; Alshahwan, Nadia

Request a copy

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach

Appelt, Dennis; Nguyen, Duy Cu; Briand, Lionel et al.

2014 • In Proc. of the International Symposium on Software Testing and Analysis 2014

Peer reviewed

Permalink
https://hdl.handle.net/10993/16407

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

main.pdf

Publisher postprint (483.37 kB)

Request a copy

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Mutation testing; SQL Injection; Test Generation

Abstract :

[en] Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of the web technologies, they suffer also an unprecedented amount of attacks and exploitations like the Web. Among the attacks, those that target SQL injection vulnerabilities have consistently been top-ranked for the last years. Testing to detect such vulnerabilities before making web services public is crucial. We present in this paper an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach is effective to detect SQL injection vulnerabilities and to produce inputs that bypass application firewalls, which is a common configuration in real world.

Disciplines :

Computer science

Author, co-author :

Appelt, Dennis ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Nguyen, Duy Cu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Briand, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)

Alshahwan, Nadia ; University College London - UCL > Department of Computer Science

External co-authors :

yes

Language :

English

Title :

Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach

Publication date :

21 July 2014

Event name :

International Symposium on Software Testing and Analysis

Event place :

San Jose, CA, United States

Event date :

July 21-25

Audience :

International

Main work title :

Proc. of the International Symposium on Software Testing and Analysis 2014

Peer reviewed :

Peer reviewed

Available on ORBilu :

since 22 April 2014

Statistics

Number of views

491 (45 by Unilu)

Number of downloads

14 (11 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

N. Antunes, N. Laranjeiro, M. Vieira, and H. Madeira. Effective detection of SQL/XPath injection vulnerabilities in web services. In Proceedings of the 6th IEEE International Conference on Services Computing (SCC '09), pages 260-267, 2009.
N. Antunes and M. Vieira. Detecting SQL injection vulnerabilities in web services. In Proceedings of the 4th Latin-American Symposium on Dependable Computing (LADC '09), pages 17-24, 2009.
D. Appelt, N. Alshahwan, and L. Briand. Assessing the impact of firewalls and database proxies on sql injection testing. In Proceedings of the 1st International Workshop on Future Internet Testing, 2013.
D. Appelt, N. Alshahwan, C. D. Nguyen, and L. Briand. Black-box sql injection testing. Technical report, University of Luxembourg and University College London, 2014.
C. Bartolini, A. Bertolino, E. Marchetti, and A. Polini. Ws-taxi: A wsdl-based testing tool for web services. In ICST, pages 326-335, 2009.
T. Beery and N. Niv. Web application attack report, 2013.
A. Ciampa, C. A. Visaggio, and M. Di-Penta. A heuristic-based approach for detecting SQL-injection vulnerabilities in web applications. In Proceedings of the ICSE Workshop on Software Engineering for Secure Systems (SESS '10), pages 43-49, 2010.
J. Coffey, L. White, N. Wilde, and S. Simmons. Locating software features in a soa composite application. In Web Services (ECOWS), 2010 IEEE 8th European Conference on, pages 99-106, 2010.
M. Cova, V. Felmetsger, and G. Vigna. Vulnerability analysis of web-based applications. In L. Baresi and E. Nitto, editors, Test and Analysis of Web Services, pages 363-394. Springer Berlin Heidelberg, 2007.
B. Efron and R. Tibshirani. An Introduction To The Bootstrap, volume 57. CRC press, 1993.
I. A. Elia, J. Fonseca, and M. Vieira. Comparing sql injection detection tools using attack injection: An experimental study. In Proceedings of the IEEE 21st International Symposium on Software Reliability Engineering (ISSRE '10), pages 289-298, 2010.
J. Fonseca, M. Vieira, and H. Madeira. Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks. In Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing (PRDC '07), pages 365-372, 2007.
M. Fossi and E. Johnson. Symantec global internet security threat report, volume xiv, 2009.
X. Fu and K. Qian. SAFELI: SQL injection scanner using symbolic execution. In Proceedings of the workshop on Testing, Analysis, and Verification of Web Services and Applications (TAV-WEB '08), pages 34-39, 2008.
W. G. Halfond, J. Viegas, and A. Orso. A classification of sql-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (ISSSE '06), pages 13-15, 2006.
W. G. J. Halfond and A. Orso. Amnesia: Analysis and monitoring for neutralizing SQL-injection attacks. In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE '05), pages 174-183, 2005.
W. G. J. Halfond and A. Orso. Preventing SQL injection attacks using AMNESIA. In Proceedings of the 28th International Conference on Software Engineering (ICSE' 06), pages 795-798, 2006.
C. Holler, K. Herzig, and A. Zeller. Fuzzing with code fragments. In Proceedings of the 21st Usenix Security Symposium, 2012.
Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai. Web application security assessment by fault injection and behavior monitoring. In Proceedings of the 12th International Conference on World Wide Web (WWW '03), pages 148-159, 2003.
Y. Jia and M. Harman. An analysis and survey of the development of mutation testing. IEEE Transactions on Software Engineering, 37(5):649-678, 2011.
A. Kieyzun, P. J. Guo, K. Jayaraman, and M. D. Ernst. Automatic creation of SQL injection and cross-site scripting attacks. In Proceedings of the 31st International Conference on Software Engineering (ICSE '09), pages 199-209, 2009.
I. Lee, S. Jeong, S. Yeo, and J. Moon. A novel method for SQL injection attack detection based on removing SQL query attribute values. Mathematical and Computer Modelling, 55(1):58-68, 2012.
R. Sekar. An effcient black-box technique for defeating web application attacks. In Proceedings of the 16th Annual Network and Distributed System Security Symposium, 2009.
H. Shahriar and M. Zulkernine. MUSIC: Mutation-based SQL injection vulnerability checking. In Proceedings of the 8th International Conference on Quality Software (QSIC'08), pages 77-86. IEEE, 2008.
L. K. Shar, H. B. K. Tan, and L. Briand. Mining sql injection and cross site scripting vulnerabilities using hybrid program analysis. In Software Engineering (ICSE), 2013 35th International Conference on, pages 642-651, 2013.
Y. Shin. Improving the identification of actual input manipulation vulnerabilities. In Proceedings of the 14th ACM SIGSOFT Symposium on Foundations of Software Engineering, 2006.
Y. Shin, L. Williams, and T. Xie. Sqlunitgen: Test case generation for sql injection detection. North Carolina State University, Raleigh Technical report, NCSU CSC TR, 21, 2006.
B. Smith, L. Williams, and A. Austin. Idea: using system level testing for revealing SQL injection-related error message information leaks. In Proceedings of the 2nd International Conference on Engineering Secure Software and Systems (ESSoS '10), pages 192-200, 2010.
SQL Injection Wiki. SQL injection cheat sheet. http://www.sqlinjectionwiki.com/2013.
The Open Web Application Security Project (OWASP). Testing for SQL injection (owasp-dv-005). http://www.owasp.org, 2013.
M. Vieira, N. Antunes, and H. Madeira. Using web security scanners to detect vulnerabilities in web services. In Proceedings of the IEEE/IFIP International Conference on Dependable Systems Networks (DSN '09), pages 566-571, 2009.
W3C. Character entity references in HTML 4. http://www.w3.org/TR/html4/sgml/entities.html, 2012.
G. Wassermann and Z. Su. Sound and precise analysis of web applications for injection vulnerabilities. In Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI '07), pages 32-41, 2007.
K. Wei, M. Muthuprasanna, and S. Kothari. Preventing SQL injection attacks in stored procedures. In Proceedings of the Australian Software Engineering Conference (ASWEC '06), pages 191-198, 2006.
Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the 15th Conference on USENIX Security Symposium - Volume 15, USENIX-SS'06, Berkeley, CA, USA, 2006. USENIX Association.