Yonghee Shin,L. Williams,Tao Xie

2006-01-01

Abstract:More than half of all of the vulnerabilities reported can be classified as input manipulation, such as SQL injection, cross site scripting, and buffer overflows. Increasingly, automated static analysis tools are being used to identify input manipulation vulnerabilities. However, these tools cannot detect the presence or the effectiveness of black or white list input filters and, therefore, may have a high false positive rate. Our research objective is to facilitate the identification of true input manipulation vulnerabilities via the combination of static analysis, runtime detection, and automatic testing. We propose an approach for SQL injection vulnerability detection, automated by a prototype tool SQLUnitGen. We performed case studies on two small web applications for the evaluation of our approach compared to static analysis for identifying true SQL injection vulnerabilities. In our case study, SQLUnitGen had no false positives, but had a small number of false negatives while the static analysis tool had a false positive for every vulnerability that was actually protected by a white or black list. Future work will focus on removing false negatives from SQLUnitGen and at generalizing the approach for other types of input manipulation vulnerabilities.

Zijian Liu,Lei Xu

DOI: https://doi.org/10.1109/wisa.2013.45

2013-01-01

Abstract:SQL injection exploits the weakness of server, causing damage to database and threating the benefit of both corporations and individuals. SQL injection attack is still one of the most serious security threats. This paper proposes a method with static analysis and dynamic monitor to detect SQL injection attacks. Comparing to the current tools, this tool can compute danger degree of user input and classify user behavior with lower time and space complexity.

Zhi-yuan WAN,Bo ZHOU

DOI: https://doi.org/10.3785/j.issn.1008-973x.2015.04.011

2015-01-01

Abstract:An approach based on static information flow tracking was proposed to detect input validation vulnerabilities in order to reduce the false positive rate of vulnerability detection techniques based on static analysis.The approach was implemented on top of the static code analysis tool FindBugs.The performance and precision of our approach were evaluated.Experimental results show that our approach can effectively detect input validation vulnerabilities.The false positive rate of FindBugs was reduced by 55.7% without significantly slowing the performance.

朱辉,沈明星,李善平

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.10.059

2010-01-01

Abstract:This paper studies the code injection vulnerabilities of Web application,modifies and expands the definition of this kind of vulnerabilities with summarizing and analyzing the features of them,and transforms the causes of vulnerabilities into two kinds of coding errors to present a new test method based on testing the two kinds of coding errors.Experimental result shows that the test method can test all the code injection vulnerabilities of Web application effectively with less test workload.

Young-Su JANG

DOI: https://doi.org/10.1587/transinf.2019edl8143

2020-05-01

IEICE Transactions on Information and Systems

Abstract:Embedded SQL inserts SQL statements into the host programming language and executes them at program run time. SQL injection is a known attack technique; however, detection techniques are not introduced in embedded SQL. This paper introduces a technique based on candidate code generation that can detect SQL injection vulnerability in the C/C++ host programming language.

Long Zhang,Donghong Zhang,Chenghong Wang,Jing Zhao,Zhenyu Zhang

DOI: https://doi.org/10.1109/TR.2019.2910285

IF: 5.883

2019-01-01

IEEE Transactions on Reliability

Abstract:SQL injection (SQLi) is one of the chief threats to the security of database-driven Web applications. It can cause serious security issues such as authentication bypassing, privacy leakage, and arbitrary code execution. Dynamic testing techniques are used in SQLi vulnerability discovery, which de-facto approach is to maintain a collection of elaborately designed user inputs (aka. attack payloads) and based on it to compose malicious SQL queries to Web applications. Such techniques are effective to reveal SQLi threats before an application is released, thus reducing the cost of manual analysis, monitoring or postdeployment of other defensive mechanisms. However, because of the diversity of SQLi attacks and the difficulty of SQLi discovery, the process to execute payloads can be costly, time-consuming, and even risky. In this paper, we approach from a test case prioritization perspective to give a more effective SQLi discovery proposal, which is based on adaptive random testing with the aim to successfully trigger an SQLi within limited attempts. To evaluate our method, we conduct an experiment using three extensively adopted open source vulnerable benchmarks. The experiment results indicate that our method ART4SQLi can effectively improve the conventional random testing approach on three common benchmarks by more than 26% in reducing the number of SQLi attempts before accomplishing a successful injection.

Alex Zhu,Wei Qi Yan

DOI: https://doi.org/10.4018/ijdcf.2017100106

2017-01-01

International Journal of Digital Crime and Forensics

Abstract:SQLIA is adopted to attack websites with and without confidential information. Hackers utilized the compromised website as intermediate proxy to attack others for avoiding being committed of cyber-criminal and also enlarging the scale of Distributed Denial of Service Attack DDoS. The DDoS is that hackers maliciously turn down a website and make network resources unavailable to web users. It is extremely difficult to effectively detect and prevent SQLIA because hackers adopt various evading SQLIA Intrusion Detection System techniques. Victims may not be even aware of that their confidential data has been compromised for a long time. In this paper, our contribution is that we evaluate several most popular open source SQLIA tools and SQLIA prevention tools with both qualitative and quantitative assessments.

Bernhard Garn,Jovan Zivanovic,Manuel Leithner,Dimitris E. Simos

DOI: https://doi.org/10.1002/stvr.1826

2022-07-04

Software Testing Verification and Reliability

Abstract:This work presents a gray‐box combinatorial security testing methodology for detecting SQL injection vulnerabilities in web applications. New attack grammars modelling SQL injections are proposed. This combinatorial security testing approach performs equally well or better when compared to existing state‐of‐the‐art SQL injection security testing tools. Summary This work presents an extended and enhanced gray‐box combinatorial security testing methodology for SQL injection vulnerabilities in web applications. We propose multiple new attack grammars modelling SQLi attacks against MySQL‐compatible databases, each one targeting a different injection context. Additionally, these grammars are also dynamically refined at the beginning of each attack against an endpoint of a web application, as a further optimization of the used attack model by taking into account the specifics of the generated query of that endpoint. Our goal is to enhance existing combinatorial approaches for detecting SQL injection vulnerabilities. The newly developed methodology is implemented in a prototype security testing tool called SQLInjector+, which is an extension of an earlier prototype developed by us in prior work. This improved tool can attack (i.e. test) any web application that uses a MySQL‐compatible database management system. We evaluate our revised approach and improved prototype tool in a case study comprising of different kinds of web applications to which SQLi is a potential security threat. The case study contains the well‐known verification framework WAVSEP among other five real‐world web applications and one web application firewall. Our generated attack vectors, constructed via combinatorial methods applied to our improved and dynamically optimized attack grammars, are capable of injecting every known vulnerable endpoint in WAVSEP and also of finding new vulnerable parameters in some of the real‐world applications investigated in this paper. Our approach performs equally well or better when compared with existing state‐of‐art of SQL injection security testing tools (sqlmap, w3af, wapiti and fuzzdb) across all tested web applications in the case study.

computer science, software engineering

Liu Lei,Xu Jing,Li Minglei,Yang Jufeng

DOI: https://doi.org/10.1109/compsac.2013.42

2013-01-01

Abstract:SQL Injection Vulnerability (SQLIV) is one of the topmost serious threats to web applications. Penetration test is one of the most important approaches to detect SQLIV. The test case generation issue critically affects the effectiveness of penetration test. Thus, research on the approaches to improve coverage and efficiency of test case generation process in SQLIV penetration test is of great importance. This paper proposes a formalized SQLIV test case generation model. i) We propose Global Test Rule (GTR), which is used to generate test cases in the process of SQLIV detection. ii) We present SQL injection vulnerability Test Matrix (SQLTM) model, which is a three dimensional matrix, to generate the set of GTR. iii) Based on the GTR generated by the above steps, we propose a Multiple Phases Detection Approach (MPDA) to implement the dynamic generation of test cases and detection procedure control, and then we give its algorithms in detail. Experiment results show that our approach can improve the coverage, precision and efficiency of SQLIV detection by a comparison with two real products for enterprise projects.

Jianjun Yang

2012-01-01

Abstract:Programmers fail to judge the legitimacy of the user input data when they write code.In that case,the user can submit a database query code,according to the results of the program returns to get some data he would like to know.This paper introduces the principle and SQL injection vulnerability checking methods,attempts at source level on the SQL injection principle and scanning method for deep analysis,puts forward two kinds of SQL injection prevention solution.

Wei Tian,Jing Xu,Jufeng Yang,Ying Zhang,Lei Liu

DOI: https://doi.org/10.3772/j.issn.1002-0470.2012.11.009

2012-01-01

Abstract:To resolve the problem of how to generate adequate test cases to reduce the false negative in penetration testing for the SQL (structured query language) injection vulnerability, this paper proposes a novel model-driven penetration test case generation method. This method divides the penetration test case generation for the SQL injection vulnerability into two steps: 1) Building the model of penetration test case, which reveals the regularity of current SQL injection attacks to expound what test case should be used and describes them in a formal way; and 2) Instantiating the penetration test case model according to a series of coverage criteria proposed in the study to generate the test case covering more attack patterns. The experiment shows that compared with randomly enumerated test cases used in the current related work, the test cases generated by the proposed method can more effectively find the SQL injection vulnerability hidden behind the inadequate defense mechanism, which reduces the false negative and improves the test accuracy.

Yi Wang,Zhoujun Li

DOI: https://doi.org/10.1007/978-3-642-34883-9_21

2012-01-01

Abstract:Database systems are indispensable in modern web applications in order to process and store business information. Due to the contained valuable information, these systems are highly interesting to hackers and their diverse and enormous amount of attacks severely undermine the effectiveness of classical signature-based detection. In this work we propose a novel hybrid approach for learning SQL statements with program tracing techniques in order to detect malicious behavior between the database and application. The approach incorporates the program trace hashing technique and tree structure of SQL queries as well as query name similarity as characteristic to distinguish malicious from benign queries. An prototype learning system integrated in PHP is demonstrated to show the usefulness of our approach on real-world application.

Muyang Liu,Ke Li,Tao Chen

DOI: https://doi.org/10.1145/3395363.3397375

2020-07-13

Abstract:Security is unarguably the most serious concern for Web applications, to which SQL injection (SQLi) attack is one of the most devastating attacks. Automatically testing SQLi vulnerabilities is of ultimate importance, yet is unfortunately far from trivial to implement. This is because the existence of a huge, or potentially infinite, number of variants and semantic possibilities of SQL leading to SQLi attacks on various Web applications. In this paper, we propose a deep natural language processing based tool, dubbed DeepSQLi, to generate test cases for detecting SQLi vulnerabilities. Through adopting deep learning based neural language model and sequence of words prediction, DeepSQLi is equipped with the ability to learn the semantic knowledge embedded in SQLi attacks, allowing it to translate user inputs (or a test case) into a new test case, which is se- mantically related and potentially more sophisticated. Experiments are conducted to compare DeepSQLi with SQLmap, a state-of-the-art SQLi testing automation tool, on six real-world Web applications that are of different scales, characteristics and domains. Empirical results demonstrate the effectiveness and the remarkable superiority of DeepSQLi over SQLmap, such that more SQLi vulnerabilities can be identified by using a less number of test cases, whilst running much faster.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Haiyan Wu,Guozhu Gao,Chunyu Miao

DOI: https://doi.org/10.1109/ICCSNT.2011.6182115

2012-01-01

Abstract:SQL injection, known as a popular attack against web applications, has become a serious security risk. However, traditional penetration test methods are insufficient to test SQL injection vulnerabilities (SQLIVs) in web applications. This paper presents a new test method called SMART, which automatically tests SQLIVs in web applications. SMART analyzes the SQL queries generated by web applications and uses a structure matching validation mechanism to determine whether SQLIVs exist. Comprehensive experiments show that SMART is effective in finding SQLIVs. Testing the web applications with SMART, the security against SQL injection can be greatly improved.

MA Kai,CAI Wan-dong,YAO Ye

DOI: https://doi.org/10.3969/j.issn.1673-629X.2013.03.031

2013-01-01

Abstract:To solve the SQL injection vulnerability detection in website under Web2.0 environment,proposed an injection point extraction approach.According to the characteristics of Web2.0 websites,by analyzing HTML markup,parsing and executing web client script,this approach got comprehensive data entry points of the website.Depending on the type of data entry points and arguments,built test case and established the rule to determine injection points,thereby enhancing the SQL injection vulnerability detection.Experimental results showed that,after adding script analysis and data entry point extraction,the approach of SQL injection vulnerability detection under Web2.0 environment increased test coverage and reduced the rate of missing.This approach that used to detect SQL injection vulnerability in website which used traditional and Web2.0 technologies,had some applicability,could gain a more comprehensive test results.

LIAN Kunmei,XU Jing,TIAN Wei,ZHANG Ying

DOI: https://doi.org/10.3778/j.issn.1673-9418.2011.05.010

2011-01-01

Abstract:On the basis of an in-depth analysis of characteristics of SQL(structured query language) injection attacks and defense mechanisms related to SQL injection vulnerability,this paper grades the SQL injection vulnerability according to the level of defense degree,and takes the vulnerability grading as the basis for the equivalence partitioning of SQL injection fuzz testing case.After the optimized choice of SQL injection parameters,it detects the SQL injection vulnerabilities of target Web system initiatively and effectively by imitating hacker attacks,which makes the detection more target-oriented.The equivalence partition of SQL injection parameters ensures the completeness and no redundancy of fuzz testing.

ZHOU Jing-Li,WANG Xiao-Feng,YU Sheng-Sheng,XIA Hong-Tao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2006.11.019

2006-01-01

Computer Science

Abstract:SQL injection, which is a popular and easy to carry out method of remote attacks, poses a major thread to application level security. In this paper, we introduce Pre-analysis of SQL syntax, a fire-new policy to detect and prevent SQL injection attacks. First, all SQL injection attacks are categorized into some classes and for each class a specified syntagma is abstracted and recorded. Then, the user input is picked up and embedded into prepared SQL sentences. Finally, these embedded SQL sentences are syntactically checked. Any find of underlying syntagma recorded as SQL injection tells a SQL injection attack. The implementation of new policy needs neither modification to Web program codes nor any patch to software of server platform. Experiments prove that new policy provides close to perfect detection rate and avoids the conflict between low false positive rate and low false negative rate.

Stephen Thomas,Laurie Williams,Tao Xie

DOI: https://doi.org/10.1016/j.infsof.2008.08.002

IF: 3.9

2009-01-01

Information and Software Technology

Abstract:Since 2002, over 10% of total cyber vulnerabilities were SQL injection vulnerabilities (SQLIVs). This paper presents an algorithm of prepared statement replacement for removing SQLIVs by replacing SQL statements with prepared statements. Prepared statements have a static structure, which prevents SQL injection attacks from changing the logical structure of a prepared statement. We created a prepared statement replacement algorithm and a corresponding tool for automated fix generation. We conducted four case studies of open source projects to evaluate the capability of the algorithm and its automation. The empirical results show that prepared statement code correctly replaced 94% of the SQLIVs in these projects.

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.