This work presents an extended and enhanced gray-box combinatorial security testing methodology for SQL injection vulnerabilities in web applications. We propose multiple new attack grammars modelling SQLi attacks against MySQL-compatible databases, each one targeting a different injection context. Additionally, these grammars are dynamically refined at the beginning of each attack against an endpoint of a web application, further optimizing the attack model by taking into account the specifics of the query generated by that endpoint. Our goal is to enhance existing combinatorial approaches for detecting SQL injection vulnerabilities. The newly developed methodology is implemented in a prototype security testing tool called SQLInjector+, which is an extension of an earlier prototype developed by us in prior work. This improved tool can attack (i.e. test) any web application that uses a MySQL-compatible database management system. We evaluate our revised approach and improved prototype tool in a case study comprising different kinds of web applications to which SQLi is a potential security threat. The case study contains the well-known verification framework WAVSEP, along with five real-world web applications and one web application firewall. Our generated attack vectors, constructed via combinatorial methods applied to our improved and dynamically optimized attack grammars, are capable of injecting every known vulnerable endpoint in WAVSEP and also of finding new vulnerable parameters in some of the real-world applications investigated in this paper. Our approach performs equally well or better when compared with existing state-of-the-art SQL injection security testing tools (sqlmap, w3af, wapiti and fuzzdb) across all tested web applications in the case study.
KEYWORDS
combinatorial testing, security testing, gray-box testing, SQL injection, web applications

1 | INTRODUCTION

SQL injection (SQLi) is a well-known type of command injection attack, where an attacker attempts to insert additional content into SQL queries produced by an application that uses databases (DBs) to store and retrieve information. SQLis are some of the most common and most critical vulnerabilities found in web applications according to the most recent OWASP Top 10 report [1] published in 2017 and prior releases [2,3]. This is despite the fact that there exists a large body of work dedicated to this topic, both in terms of detecting and defending against such flaws.

The most popular method of identifying SQLis, particularly as part of penetration testing, entails the use of dynamic application security testing tools. Numerous commercial and open-source solutions are available to support this type of security testing effort.