This paper examines the effects and potential benefits of utilising Web Application Firewalls (WAFs) and database proxies in SQL injection testing of web applications and services. We propose testing the WAF itself to refine and evaluate its security rules and prioritise fixing vulnerabilities that are not protected by the WAF. We also propose using database proxies as oracles for black-box security testing instead of relying only on the output of the application under test. The paper also presents a case study of our proposed approaches on two sets of web services. The results indicate that testing through WAFs can be used to prioritise vulnerabilities and that an oracle that uses a database proxy finds more vulnerabilities with fewer tries than an oracle that relies only on the output of the application.
Research centre:
Interdisciplinary Centre for Security, Reliability and Trust
Disciplines:
Computer science
Author, co-author:
APPELT, Dennis ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
ALSHAHWAN, Nadia ; University College London - UCL > Department of Computer Science
BRIAND, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
External co-authors:
yes
Document language:
English
Title:
Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing
Publication date:
2013
Event name:
1st International Workshop on Future Internet Testing