
Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing

  • Conference paper
  • Future Internet Testing (FITTEST 2013)
  • Part of the book series: Lecture Notes in Computer Science (LNISA, volume 8432)

Abstract

This paper examines the effects and potential benefits of using Web Application Firewalls (WAFs) and database proxies in SQL injection testing of web applications and services. We propose testing the WAF itself, so that its security rules can be refined and evaluated, and so that fixing the vulnerabilities the WAF does not block can be prioritised over those it does. We also propose using a database proxy as the test oracle for black-box security testing, rather than relying only on the output of the application under test: the proxy observes the query that actually reaches the database, whereas the application's response may hide the effect of an injected input. The paper presents a case study of both approaches on two sets of web services. The results indicate that testing through a WAF can be used to prioritise vulnerabilities, and that an oracle based on a database proxy finds more vulnerabilities with fewer tries than an oracle that relies only on the output of the application.



Acknowledgment

This work is supported by the National Research Fund, Luxembourg (FNR/P10/03 and FNR 4800382).

Author information

Corresponding author: Dennis Appelt.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Appelt, D., Alshahwan, N., Briand, L. (2014). Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing. In: Vos, T., Lakhotia, K., Bauersfeld, S. (eds) Future Internet Testing. FITTEST 2013. Lecture Notes in Computer Science, vol 8432. Springer, Cham. https://doi.org/10.1007/978-3-319-07785-7_2


  • DOI: https://doi.org/10.1007/978-3-319-07785-7_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-07784-0

  • Online ISBN: 978-3-319-07785-7
