Automated Security Testing of Web-Based Systems Against SQL Injection Attacks

Injection vulnerabilities, such as SQL injection (SQLi), are ranked amongst the most dangerous types of vulnerabilities. Despite having received much attention from academia and practitioners, the prevalence of SQLi is common and the impact of their successful exploitation is severe. In this dissertation, we propose several security testing approaches that evaluate web applications and services for vulnerabilities and common IT infrastructure components such as for their resilience against attacks. Each of the presented approaches covers a different aspect of security testing, e.g. the generation of test cases or the definition of test oracles, and in combination they provide a holistic approach.

The work presented in this dissertation was conducted in collaboration with SIX Payment Services (formerly CETREL S.A.). SIX Payment Services is a leading provider of financial services in the area of payment processing, e.g. issuing of credit and debit cards, settlement of card transactions, online payments, and point-of-sale payment terminals. We analyse the challenges SIX is facing in security testing and base our testing approaches on assumptions inferred from our findings. Specifically, the devised testing approaches are automated, applicable in black box testing scenarios, able to assess and bypass Web Application Firewalls (WAF), and use an accurate test oracle. The devised testing approaches are evaluated with SIX’ IT platform, which consists of various web services that process several thousand financial transactions daily.

The main research contributions in this dissertation are:

- An assessment of the impact of Web Application Firewalls and
Database Intrusion Detection Systems on the accuracy of
SQLi testing.

- An input mutation technique that can generate a diverse set of
test cases. We propose a set of mutation operators that are
specifically designed to increase the likelihood of generating
successful attacks.

- A testing technique that assesses the attack detection capabilities
of a Web Application Firewall (WAF) by systematically generating attacks that try to bypass it.

- An approach that increases the attack detection capabilities of a WAF by
inferring a filter rule from a set of bypassing attacks. The
inferred filter rule can be added to the WAF’s rule set to prevent
attacks from bypassing.

- An automated test oracle that is designed to meet the specific
requirements of testing in an industrial context and that is
independent of any specific test case generation technique.