Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing

Appelt, Dennis; Alshahwan, Nadia; Briand, Lionel

Request a copy

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing

Appelt, Dennis; Alshahwan, Nadia; Briand, Lionel

2013 • In Springer LNCS series

Peer reviewed

Permalink
https://hdl.handle.net/10993/9617

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

dennisappelt-fittest2013.pdf

Author postprint (510.93 kB)

Request a copy

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

SQL injection; blackbox testing; web service

Abstract :

[en] This paper examines the effects and potential benefits of utilising Web Application Firewalls (WAFs) and database proxies in SQL injection testing of web applications and services. We propose testing the WAF itself to refine and evaluate its security rules and prioritise fixing vulnerabilities that are not protected by the WAF. We also propose using database proxies as oracles for black-box security testing instead of relying only on the output of the application under test. The paper also presents a case study of our proposed approaches on two sets of web services. The results indicate that testing through WAFs can be used to prioritise vulnerabilities and that an oracle that uses a database proxy finds more vulnerabilities with fewer tries than an oracle that relies only on the output of the application.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust

Disciplines :

Computer science

Author, co-author :

Appelt, Dennis ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Alshahwan, Nadia ; University College London - UCL > Department of Computer Science

Briand, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)

External co-authors :

yes

Language :

English

Title :

Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing

Publication date :

2013

Event name :

1st International Workshop on Future Internet Testing

Event place :

Istanbul, Turkey

Event date :

12-11-2013

Audience :

International

Main work title :

Springer LNCS series

Peer reviewed :

Peer reviewed

Funders :

FNR - Fonds National de la Recherche [LU]

Available on ORBilu :

since 29 October 2013

Statistics

Number of views

316 (40 by Unilu)

Number of downloads

10 (8 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

Antunes, N., Vieira, M.: Detecting SQL injection vulnerabilities in web services. In: Proceedings of the 4th Latin-American Symposium on Dependable Computing (LADC '09), pp. 17-24 (2009
Apache-scalp: Apache log analyzer for security (2008). https://code.google.com/ p/apache-scalp
Bau, J., Bursztein, E., Gupta, D., Mitchell, J.: State of the art: Automated blackbox web application vulnerability testing. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy (SP '10), pp. 332-345 (2010
Beery, T., Niv, N.: Web application attack report (2011
Christey, S., Martin, R.A.: Vulnerability type distributions in CVE (2007). http:// cwe.mitre.org
Ciampa, A., Visaggio, C.A., Di Penta, M.: A heuristic-based approach for detecting SQL-injection vulnerabilities in web applications. In: Proceedings of the ICSE Workshop on Software Engineering for Secure Systems (SESS '10), pp. 43-49 (2010
Coffey, J., White, L., Wilde, N., Simmons, S.: Locating software features in a SOA composite application. In: Proceedings of the 8th IEEE European Conference on Web Services (ECOWS '10), pp. 99-106 (2010
Damele, B., Guimaraes, A., Stampar, M.: Sqlmap (2013). http://sqlmap.org/
Doupé, A., Cova, M., Vigna, G.: Why Johnny can't pentest: An analysis of blackbox web vulnerability scanners. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 111-131. Springer, Heidelberg (2010
Elia, I.A., Fonseca, J., Vieira, M.: Comparing SQL injection detection tools using attack injection: An experimental study. In: Proceedings of the IEEE 21st International Symposium on Software Reliability Engineering (ISSRE '10), pp. 289-298 (2010
Fossi, M., Johnson, E.: Symantec global internet security threat report, vol. xiv (2009
Fu, X., Qian, K.: SAFELI: SQL injection scanner using symbolic execution. In: Proceedings of the workshop on Testing, Analysis, and Verification of Web Services and Applications (TAV-WEB '08), pp. 34-39 (2008
GreenSQL LTD: Greensql (2013). http://www.greensql.com
Halfond, W.G., Anand, S., Orso, A.: Precise interface identification to improve testing and analysis of web applications. In: Proceedings of the 18th International Symposium on Software Testing and Analysis (ISSTA '09), pp. 285-296 (2009
Hanna, S., Shin, R., Akhawe, D., Boehm, A., Saxena, P., Song, D.: The emperors new apis: On the (in) secure usage of new client-side primitives. In: Proceedings of the Web, vol. 2 (2010
Holler, C., Herzig, K., Zeller, A.: Fuzzing with code fragments. In: Proceedings of the 21st Usenix Security Symposium (2012
Huang, Y-W., Huang, S-K., Lin, T-P., Tsai, C-H.: Web application security assessment by fault injection and behavior monitoring. In: Proceedings of the 12th International Conference on World Wide Web (WWW '03), pp. 148-159 (2003
Khoury, N., Zavarsky, P., Lindskog, D., Ruhl, R.: Testing and assessing web vulnerability scanners for persistent SQL injection attacks. In: Proceedings of the 1st International Workshop on Security and Privacy Preserving in e-Societies (SeceS' 11), pp. 12-18 (2011
Kieyzun, A., Guo, P.J., Jayaraman, K., Ernst, M.D.: Automatic creation of SQL injection and cross-site scripting attacks. In: Proceedings of the 31st International Conference on Software Engineering (ICSE '09), pp. 199-209 (2009
PCI Security Standards Council: Pci data security standard (PCI DSS) (2013). https://www.pcisecuritystandards.org
Roesch, M.: Snort-lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration, pp. 229-238 (1999
Ryck, P.D., Desmet, L., Philippaerts, P., Piessens, F.: A security analysis of next generation web standards (2011
Shar, L.K., Tan, H.B.K.: Mining input sanitization patterns for predicting SQL injection and cross site scripting vulnerabilities. In: Proceedings of the 34th International Conference on Software Engineering (ICSE NIER '12), pp. 1293-1296 (2012
The Open Web Application Security Project (OWASP): Testing for SQL injection (owasp-dv-005) (2013). http://www.owasp.org
Vieira, M., Antunes, N., Madeira, H.: Using web security scanners to detect vulnerabilities in web services. In: Proceedings of the IEEE/IFIP International Conference on Dependable Systems & Networks (DSN'09), pp. 566-571 (2009
Wohlin, C., Runeson, P., Host, M., Ohlsson, M., Regnell, B., Wesslen, A.: The Experimentation in Software Engineering-An Introduction. Kluwer, Dordrecht (2000