Wei Tian,Jing Xu,Jufeng Yang,Ying Zhang,Lei Liu

DOI: https://doi.org/10.3772/j.issn.1002-0470.2012.11.009

2012-01-01

Abstract:To resolve the problem of how to generate adequate test cases to reduce the false negative in penetration testing for the SQL (structured query language) injection vulnerability, this paper proposes a novel model-driven penetration test case generation method. This method divides the penetration test case generation for the SQL injection vulnerability into two steps: 1) Building the model of penetration test case, which reveals the regularity of current SQL injection attacks to expound what test case should be used and describes them in a formal way; and 2) Instantiating the penetration test case model according to a series of coverage criteria proposed in the study to generate the test case covering more attack patterns. The experiment shows that compared with randomly enumerated test cases used in the current related work, the test cases generated by the proposed method can more effectively find the SQL injection vulnerability hidden behind the inadequate defense mechanism, which reduces the false negative and improves the test accuracy.

Lei Liu,Jing Xu,Hongji Yang,Chenkai Guo,Jiehui Kang,Sihan Xu,Biao Zhang,Guannan Si

DOI: https://doi.org/10.1109/compsac.2016.55

2016-01-01

Abstract:Among all the Web application security issues, SQL Injection Vulnerability (SQLIV) is one of the most serious problems. How to test SQLIV effectively is of great importance. To address this issue, this paper describes a novel approach that is the utilization of Feature Matrix (FM) model for SQLIV black-box penetration test. Firstly, FM is introduced, which integrates the general SQLIV penetration test features for SQLIV. Each row of the matrix is defined as a test pattern, named Global Test Pattern (GTP). Then, GTP Selection (GTPS) process is used to select legal GTPs for general SQLIV penetration test. Secondly, to find out the optimum FM during SQLIV penetration test procedure automatically, Dynamic Matrix Selection (DMS) algorithm is described, which is based on dynamic tree pruning. Finally, a prototype tool SQLEXP is developed, the experiments of which are carried out under the context of two target Web applications and about 30000 real Internet URLs. The results show that the proposed approach can effectively improve the testing effect for SQLIV penetration test compared with two benchmarking testing tools.

Liu Lei,Xu Jing,Li Minglei,Yang Jufeng

DOI: https://doi.org/10.1109/compsac.2013.42

2013-01-01

Abstract:SQL Injection Vulnerability (SQLIV) is one of the topmost serious threats to web applications. Penetration test is one of the most important approaches to detect SQLIV. The test case generation issue critically affects the effectiveness of penetration test. Thus, research on the approaches to improve coverage and efficiency of test case generation process in SQLIV penetration test is of great importance. This paper proposes a formalized SQLIV test case generation model. i) We propose Global Test Rule (GTR), which is used to generate test cases in the process of SQLIV detection. ii) We present SQL injection vulnerability Test Matrix (SQLTM) model, which is a three dimensional matrix, to generate the set of GTR. iii) Based on the GTR generated by the above steps, we propose a Multiple Phases Detection Approach (MPDA) to implement the dynamic generation of test cases and detection procedure control, and then we give its algorithms in detail. Experiment results show that our approach can improve the coverage, precision and efficiency of SQLIV detection by a comparison with two real products for enterprise projects.

Alex Zhu,Wei Qi Yan

DOI: https://doi.org/10.4018/ijdcf.2017100106

2017-01-01

International Journal of Digital Crime and Forensics

Abstract:SQLIA is adopted to attack websites with and without confidential information. Hackers utilized the compromised website as intermediate proxy to attack others for avoiding being committed of cyber-criminal and also enlarging the scale of Distributed Denial of Service Attack DDoS. The DDoS is that hackers maliciously turn down a website and make network resources unavailable to web users. It is extremely difficult to effectively detect and prevent SQLIA because hackers adopt various evading SQLIA Intrusion Detection System techniques. Victims may not be even aware of that their confidential data has been compromised for a long time. In this paper, our contribution is that we evaluate several most popular open source SQLIA tools and SQLIA prevention tools with both qualitative and quantitative assessments.

Lei Liu,Jing Xu,Chenkai Guo,Jiehui Kang,Sihan Xu,Biao Zhang

DOI: https://doi.org/10.1109/compcomm.2016.7924889

2016-01-01

Abstract:Penetration test is one of the most used SQL Injection Vulnerability (SQLIV) testing technology. Focused on the insufficiency of test accuracy problem in SQLIV black-box penetration test process, we discuss the limitation of the traditional approaches based on test case library enumerating methods and propose a SQLIV Penetration Test approach based on Finite State Machine (SPT-FSM). The proposed approach establishes FSM based on the states corresponding to different SQLIV penetration test cases, map the statuses of test cases and their relevant responses, and analyzes the transition regularity of the established FSM for the testing of SQLIV with dynamic nature and states transition characteristics. We conduct experiments about the proposed approach and compare it with a popular state-of-the-art benchmarking tool. The experimental results show that the proposed approach can effectively improve the accuracy of SQLIV penetration test by reducing False Negatives (FN) and False Positives (FP).

朱辉,沈明星,李善平

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.10.059

2010-01-01

Abstract:This paper studies the code injection vulnerabilities of Web application,modifies and expands the definition of this kind of vulnerabilities with summarizing and analyzing the features of them,and transforms the causes of vulnerabilities into two kinds of coding errors to present a new test method based on testing the two kinds of coding errors.Experimental result shows that the test method can test all the code injection vulnerabilities of Web application effectively with less test workload.

Tian, Wei,Xu, Jing,Lian, Kun-Mei,Zhang, Ying

DOI: https://doi.org/10.1109/icise.2010.5689924

2010-01-01

Abstract:The testing methods for hunting vulnerabilities in web applications can be mainly classified into two categories: white box testing and black box testing. This paper focuses on the research on black box testing for the SQL injection vulnerability. Through the combination of fuzzy test and mock attack testing, a new testing method for hunting SQL injection is proposed, in which the injection parameters can be divided into several sets of equivalence classes according to the defined multi-defense levels of testee web systems. By injecting the most representative parameters selected from each equivalence classes, the mock attack testing for hunting SQL injection can be very effective and low cost. Experimental result shows that this method can achieve desirable result for SQLI mock attack testing in real web applications.

Yonghee Shin,L. Williams,Tao Xie

2006-01-01

Abstract:More than half of all of the vulnerabilities reported can be classified as input manipulation, such as SQL injection, cross site scripting, and buffer overflows. Increasingly, automated static analysis tools are being used to identify input manipulation vulnerabilities. However, these tools cannot detect the presence or the effectiveness of black or white list input filters and, therefore, may have a high false positive rate. Our research objective is to facilitate the identification of true input manipulation vulnerabilities via the combination of static analysis, runtime detection, and automatic testing. We propose an approach for SQL injection vulnerability detection, automated by a prototype tool SQLUnitGen. We performed case studies on two small web applications for the evaluation of our approach compared to static analysis for identifying true SQL injection vulnerabilities. In our case study, SQLUnitGen had no false positives, but had a small number of false negatives while the static analysis tool had a false positive for every vulnerability that was actually protected by a white or black list. Future work will focus on removing false negatives from SQLUnitGen and at generalizing the approach for other types of input manipulation vulnerabilities.

Jing Zhao,Tianran Dong,Yang Cheng,Yanbin Wang

DOI: https://doi.org/10.1007/978-3-030-41418-4_23

2020-01-01

Abstract:With the rapid development of Web applications, SQL injection (SQLi) has been a serious security threat for years. Many systems use superimposed rules to prevent SQLi like backlists filtering rules and filter functions. However, these methods can not completely eliminate SQLi vulnerabilities. Many researchers and security experts hope to find a way to find SQLi vulnerabilities efficiently. Among them, mutation-based fuzzing plays an important role in Web security testing, especially for SQLi. Although this approach expands the space for test cases and improves vulnerability coverage to some extent, there are still some problems such as mutation operators cannot be fully covered, test cases space explosions, etc. In this paper, we present a new technique Combinatorial Mutation Method (CMM) to generate test set for SQLi. The test set applies t-way and variable strength Combinatorial Testing. It makes the mutation progress more aggressive and automated and generates test cases with better F-measure Metric and Efficiency Metric. We apply our approach to three open source benchmarks and compare it with sqlmap, FuzzDB and ART4SQLi. The experiment results demonstrate that the approach is effective in finding SQLi vulnerabilities with multiple filtering rules.

Lei Liu,Guoxin Su,Jing Xu,Biao Zhang,Jiehui Kang,Sihan Xu,Peng Li,Guannan Si

DOI: https://doi.org/10.1109/compsac.2017.276

2017-01-01

Abstract:SQL Injection Vulnerability (SQLIV) has been the top-ranked threat to the Web security consistently for many years. Penetration tests, which are a most widely adopted technique to detect SQLIV, are usually affected by testing inaccuracy. This problem is even worse in inference-based, blind penetration tests for online Web sites, where Web page variations (such as those caused by inbuilt dynamic modules or user interactions) may lead to a large number of False Positives (FP). We present a novel approach called Inferential Metamorphic Testing (IMT) to reduce FP in SQLIV penetration tests. First, we define the notion of Inferential Metamorphic Relations (IMR), which is inherited from Mutational Metamorphic Testing (MMT). Second, we present a set of logic operators and mutation operators for generating IMR and deducting the background testing context. Finally, we present an iterative IMT process, which is based on the heuristic IMR generation and the background testing context deduction. Our empirical study demonstrates the effectiveness of our approach by a comparison to three famous SQLIV penetration test tools.

Long Zhang,Donghong Zhang,Chenghong Wang,Jing Zhao,Zhenyu Zhang

DOI: https://doi.org/10.1109/TR.2019.2910285

IF: 5.883

2019-01-01

IEEE Transactions on Reliability

Abstract:SQL injection (SQLi) is one of the chief threats to the security of database-driven Web applications. It can cause serious security issues such as authentication bypassing, privacy leakage, and arbitrary code execution. Dynamic testing techniques are used in SQLi vulnerability discovery, which de-facto approach is to maintain a collection of elaborately designed user inputs (aka. attack payloads) and based on it to compose malicious SQL queries to Web applications. Such techniques are effective to reveal SQLi threats before an application is released, thus reducing the cost of manual analysis, monitoring or postdeployment of other defensive mechanisms. However, because of the diversity of SQLi attacks and the difficulty of SQLi discovery, the process to execute payloads can be costly, time-consuming, and even risky. In this paper, we approach from a test case prioritization perspective to give a more effective SQLi discovery proposal, which is based on adaptive random testing with the aim to successfully trigger an SQLi within limited attempts. To evaluate our method, we conduct an experiment using three extensively adopted open source vulnerable benchmarks. The experiment results indicate that our method ART4SQLi can effectively improve the conventional random testing approach on three common benchmarks by more than 26% in reducing the number of SQLi attempts before accomplishing a successful injection.

Muhammad Saidu Aliero,Imran Ghani,Kashif Naseer Qureshi,Mohd Fo’ad Rohani

DOI: https://doi.org/10.1007/s12652-019-01235-z

IF: 3.662

2019-02-07

Journal of Ambient Intelligence and Humanized Computing

Abstract:SQL Injection Attack (SQLIA) is one of the most severe attack that can be used against web database-driven applications. Attackers use SQLIA to obtain unauthorized access and perform unauthorized data modifications due to initial improper input validation by the web application developer. Various studies have shown that, on average, 64% of web applications worldwide are vulnerable to SQLIA due to improper input. To mitigate the devastating problem of SQLIA, this research proposes an automatic black box testing for SQL Injection Vulnerability (SQLIV). This acts to automate an SQLIV assessment in SQLIA. In addition, recent studies have shown that there is a need for improving the effectiveness of existing SQLIVS in order to reduce the cost of manual inspection of vulnerabilities and the risk of being attacked due to inaccurate false negative and false positive results. This research focuses on improving the effectiveness of SQLIVS by proposing an object-oriented approach in its development in order to help and minimize the incidence of false positive and false negative results, as well as to provide room for improving a proposed scanner by potential researchers. To test and validate the accuracy of research work, three vulnerable web applications were developed. Each possesses a different type of vulnerabilities and an experimental evaluation was used to validate the proposed scanner. In addition, an analytical evaluation is used to compare the proposed scanner with the existing academic scanners. The result of the experimental analysis shows significant improvement by achieving high accuracy compared to existing studies. Similarly, the analytical evaluations showed that the proposed scanner is capable of analyzing attacked page response using four different techniques.

computer science, information systems,telecommunications, artificial intelligence

MA Kai,CAI Wan-dong,YAO Ye

DOI: https://doi.org/10.3969/j.issn.1673-629X.2013.03.031

2013-01-01

Abstract:To solve the SQL injection vulnerability detection in website under Web2.0 environment,proposed an injection point extraction approach.According to the characteristics of Web2.0 websites,by analyzing HTML markup,parsing and executing web client script,this approach got comprehensive data entry points of the website.Depending on the type of data entry points and arguments,built test case and established the rule to determine injection points,thereby enhancing the SQL injection vulnerability detection.Experimental results showed that,after adding script analysis and data entry point extraction,the approach of SQL injection vulnerability detection under Web2.0 environment increased test coverage and reduced the rate of missing.This approach that used to detect SQL injection vulnerability in website which used traditional and Web2.0 technologies,had some applicability,could gain a more comprehensive test results.

Wei Pan,Weihua Li

DOI: https://doi.org/10.1109/ICMeCG.2009.111

2009-01-01

Abstract:E-Commerce systems are suffering more and more security issues. Vulnerabilities of authentication systems are revealed when various attacks and malicious abuses are developed and deployed to violate security of system and information. To improve the ability to defend authentication system against invasion and abuse, a novel penetration testing method for E-Commerce authentication system is proposed to scrutinize the vulnerabilities of e-Commerce authentication system and evaluate severity level of potential vulnerabilities. The penetration testing method is an active vulnerability analysis and verification method that can mimic active attacks and perform exploitations by constructing effective and concise penetration testing cases. Through analyzing dynamic taint propagation, the presented method can determine feasibility of the attacks and evaluate security of authentication system. The experiment demonstrates the proposed method can serve as a viable and effective candidate for security detection of authentication system.

Chiem Trieu Phong,Wei Qi Yan

DOI: https://doi.org/10.4018/ijdcf.2014100104

2014-01-01

International Journal of Digital Crime and Forensics

Abstract:Penetration testing is an effort to attack a system using similar techniques and tools adopted by real hackers. The ultimate goal of penetration testing is to call to light as many existing vulnerabilities as possible, then come up with practical solutions to remediate the problems; thus, enhance the system security as a whole. The paper introduces concepts and definitions related to penetration testing, together with different models and methodologies to conduct a penetration test. A wide range of penetration testing state-of-the-art, as well as related tools (both commercial and free open source available on the market) are also presented in relatively rich details.

Haiyan Wu,Guozhu Gao,Chunyu Miao

DOI: https://doi.org/10.1109/ICCSNT.2011.6182115

2012-01-01

Abstract:SQL injection, known as a popular attack against web applications, has become a serious security risk. However, traditional penetration test methods are insufficient to test SQL injection vulnerabilities (SQLIVs) in web applications. This paper presents a new test method called SMART, which automatically tests SQLIVs in web applications. SMART analyzes the SQL queries generated by web applications and uses a structure matching validation mechanism to determine whether SQLIVs exist. Comprehensive experiments show that SMART is effective in finding SQLIVs. Testing the web applications with SMART, the security against SQL injection can be greatly improved.

Bernhard Garn,Jovan Zivanovic,Manuel Leithner,Dimitris E. Simos

DOI: https://doi.org/10.1002/stvr.1826

2022-07-04

Software Testing Verification and Reliability

Abstract:This work presents a gray‐box combinatorial security testing methodology for detecting SQL injection vulnerabilities in web applications. New attack grammars modelling SQL injections are proposed. This combinatorial security testing approach performs equally well or better when compared to existing state‐of‐the‐art SQL injection security testing tools. Summary This work presents an extended and enhanced gray‐box combinatorial security testing methodology for SQL injection vulnerabilities in web applications. We propose multiple new attack grammars modelling SQLi attacks against MySQL‐compatible databases, each one targeting a different injection context. Additionally, these grammars are also dynamically refined at the beginning of each attack against an endpoint of a web application, as a further optimization of the used attack model by taking into account the specifics of the generated query of that endpoint. Our goal is to enhance existing combinatorial approaches for detecting SQL injection vulnerabilities. The newly developed methodology is implemented in a prototype security testing tool called SQLInjector+, which is an extension of an earlier prototype developed by us in prior work. This improved tool can attack (i.e. test) any web application that uses a MySQL‐compatible database management system. We evaluate our revised approach and improved prototype tool in a case study comprising of different kinds of web applications to which SQLi is a potential security threat. The case study contains the well‐known verification framework WAVSEP among other five real‐world web applications and one web application firewall. Our generated attack vectors, constructed via combinatorial methods applied to our improved and dynamically optimized attack grammars, are capable of injecting every known vulnerable endpoint in WAVSEP and also of finding new vulnerable parameters in some of the real‐world applications investigated in this paper. Our approach performs equally well or better when compared with existing state‐of‐art of SQL injection security testing tools (sqlmap, w3af, wapiti and fuzzdb) across all tested web applications in the case study.

computer science, software engineering

LIAN Kunmei,XU Jing,TIAN Wei,ZHANG Ying

DOI: https://doi.org/10.3778/j.issn.1673-9418.2011.05.010

2011-01-01

Abstract:On the basis of an in-depth analysis of characteristics of SQL(structured query language) injection attacks and defense mechanisms related to SQL injection vulnerability,this paper grades the SQL injection vulnerability according to the level of defense degree,and takes the vulnerability grading as the basis for the equivalence partitioning of SQL injection fuzz testing case.After the optimized choice of SQL injection parameters,it detects the SQL injection vulnerabilities of target Web system initiatively and effectively by imitating hacker attacks,which makes the detection more target-oriented.The equivalence partition of SQL injection parameters ensures the completeness and no redundancy of fuzz testing.

Ying ZHOU,Yong FANG,Cheng HUANG,Liang LIU

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017071692

2018-01-01

Journal of Computer Applications

Abstract:The SQL (Structured Query Language) injection attack is a threat to Web applications.Aiming at SQL injection behaviors in PHP (Hypertext Preprocessor) applications,a model of detecting SQL injection behaviors based on tainting technology was proposed.Firstly,an SQL statement was obtained when an SQL function was executed,and the identity information of the attacker was recorded through PHP extension technology.Based on the above information,the request log was generated and used as the analysis source.Secondly,the SQL parsing process with taint marking was achieved based on SQL grammar analysis and abstract syntax tree.By using tainting technology,multiple features which reflected SQL injection behaviors were extracted.Finally,the random forest algorithm was used to identify malicious SQL requests.The experimental results indicate that the proposed model gets a high accuracy of 96.9％,which is 7.2 percentage points higher than that of regular matching detection technology.The information acquisition module of the proposed model can be loaded in an extended form in any PHP application;therefore,it is transplantable and applicable in security audit and attack traceability.

Tinghui Yang,Zhiyuan Jiang,Yongjun Wang

DOI: https://doi.org/10.1109/icbase63199.2024.10762654

2024-01-01

Abstract:Black box detection tools of SQL injection vulnerabilities simulate real-world web attack scenarios, making it essential for evaluating SQLi risks in actual web applications. However, current black-box approaches depend on predefined rules for SQLi vulnerability detection, which limits both their efficiency and accuracy. In this paper, we propose a black-box SQLi detection tool based on large language multi-agent, LLMSQLi, which uses the context understanding and reasoning capabilities of large language models and the cooperative division of labor mode of multi-agent to generate payloads customized for test targets and efficiently detect SQL injection vulnerabilities in Web programs. Drawing inspiration from real-world teams of security experts, LLMSQLi simulates the step-by-step process of human experts in testing tasks through the LLM Muti-Agent collaboration model. We ran experiments on SQLiMicroBenchmark to compare the performance of LLMSQLi and two of the most advanced black-box SQLi testing tools. Experiments show that LLMSQLi successfully detected all 15 targets and outperformed other tools.