| Reference : Automated Security Testing of Web-Based Systems Against SQL Injection Attacks |
| Dissertations and theses : Doctoral thesis | |||
| Engineering, computing & technology : Computer science | |||
| Security, Reliability and Trust | |||
| http://hdl.handle.net/10993/27947 | |||
| Automated Security Testing of Web-Based Systems Against SQL Injection Attacks | |
| English | |
Appelt, Dennis  [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >] | |
| 24-Jun-2016 | |
| University of Luxembourg, Luxembourg, Luxembourg | |
| Docteur en Informatique | |
| Briand, Lionel | |
| Nguyen, Duy Cu | |
| Klein, Jacques | |
| Pretschner, Alexander | |
| Vieira, Marco | |
| [en] Security Testing ; Penetration Testing ; SQL Injection | |
| [en] Injection vulnerabilities, such as SQL injection (SQLi), are ranked amongst the most dangerous types of vulnerabilities. Despite having received much attention from academia and practitioners, the prevalence of SQLi is common and the impact of their successful exploitation is severe. In this dissertation, we propose several security testing approaches that evaluate web applications and services for vulnerabilities and common IT infrastructure components such as for their resilience against attacks. Each of the presented approaches covers a different aspect of security testing, e.g. the generation of test cases or the definition of test oracles, and in combination they provide a holistic approach.
The work presented in this dissertation was conducted in collaboration with SIX Payment Services (formerly CETREL S.A.). SIX Payment Services is a leading provider of financial services in the area of payment processing, e.g. issuing of credit and debit cards, settlement of card transactions, online payments, and point-of-sale payment terminals. We analyse the challenges SIX is facing in security testing and base our testing approaches on assumptions inferred from our findings. Specifically, the devised testing approaches are automated, applicable in black box testing scenarios, able to assess and bypass Web Application Firewalls (WAF), and use an accurate test oracle. The devised testing approaches are evaluated with SIX’ IT platform, which consists of various web services that process several thousand financial transactions daily. The main research contributions in this dissertation are: - An assessment of the impact of Web Application Firewalls and Database Intrusion Detection Systems on the accuracy of SQLi testing. - An input mutation technique that can generate a diverse set of test cases. We propose a set of mutation operators that are specifically designed to increase the likelihood of generating successful attacks. - A testing technique that assesses the attack detection capabilities of a Web Application Firewall (WAF) by systematically generating attacks that try to bypass it. - An approach that increases the attack detection capabilities of a WAF by inferring a filter rule from a set of bypassing attacks. The inferred filter rule can be added to the WAF’s rule set to prevent attacks from bypassing. - An automated test oracle that is designed to meet the specific requirements of testing in an industrial context and that is independent of any specific test case generation technique. | |
| Fonds National de la Recherche - FnR | |
| Black-Box Security Testing for Web Applications and Services | |
| Researchers ; Professionals ; Students | |
| http://hdl.handle.net/10993/27947 | |
| FnR ; FNR4800382 > Dennis Appelt > > Black-Box Security Testing for Web Applications and Services > 01/10/2012 > 30/06/2016 > 2012 |
| File(s) associated to this reference | ||||||||||||||
|
Fulltext file(s):
| ||||||||||||||
All documents in ORBilu are protected by a user license.
