Abstract
With the rapid development of Web applications, SQL injection (SQLi) has been a serious security threat for years. Many systems layer rules to prevent SQLi, such as blacklist filtering rules and filter functions. However, these methods cannot completely eliminate SQLi vulnerabilities. Many researchers and security experts are looking for a way to find SQLi vulnerabilities efficiently. Among the available approaches, mutation-based fuzzing plays an important role in Web security testing, especially for SQLi. Although this approach expands the test-case space and improves vulnerability coverage to some extent, problems remain, such as incomplete coverage of mutation operators and test-case space explosion. In this paper, we present a new technique, the Combinatorial Mutation Method (CMM), to generate test sets for SQLi. The test set applies t-way and variable-strength Combinatorial Testing. It makes the mutation process more aggressive and automated, and generates test cases with a better F-measure Metric and Efficiency Metric. We apply our approach to three open-source benchmarks and compare it with sqlmap, FuzzDB and ART4SQLi. The experimental results demonstrate that the approach is effective in finding SQLi vulnerabilities behind multiple filtering rules.
Acknowledgement
We would like to thank anonymous reviewers for their invaluable comments and suggestions on improving this work. This work is supported by National Natural Science Foundation of China (NSFC) (grant No. 61572150), and the Fundamental Research Funds for the Central Universities of DUT (No. DUT17RC(3)097).
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Zhao, J., Dong, T., Cheng, Y., Wang, Y. (2020). CMM: A Combination-Based Mutation Method for SQL Injection. In: Miao, H., Tian, C., Liu, S., Duan, Z. (eds) Structured Object-Oriented Formal Language and Method. SOFL+MSVL 2019. Lecture Notes in Computer Science, vol 12028. Springer, Cham. https://doi.org/10.1007/978-3-030-41418-4_23
DOI: https://doi.org/10.1007/978-3-030-41418-4_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41417-7
Online ISBN: 978-3-030-41418-4
eBook Packages: Computer Science, Computer Science (R0)