Abstract
This paper examines the effects and potential benefits of utilising Web Application Firewalls (WAFs) and database proxies in SQL injection testing of web applications and services. We propose testing the WAF itself in order to refine and evaluate its security rules and to prioritise fixing the vulnerabilities that the WAF does not block. We also propose using database proxies as oracles for black-box security testing, instead of relying only on the output of the application under test. The paper also presents a case study of both approaches on two sets of web services. The results indicate that testing through a WAF can be used to prioritise vulnerabilities, and that an oracle based on a database proxy finds more vulnerabilities with fewer test requests than an oracle that relies only on the output of the application.
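The following is an added illustration of the second idea in the abstract, not code from the paper or its case study: a deliberately vulnerable query builder, a proxy object that records every statement on its way to the database (the vantage point a database proxy gives the tester), and two oracles. The output oracle is the usual black-box one and flags only a database error surfaced in the response; the proxy oracle reduces the executed statement to its syntactic shape and compares it with the shape produced by a known-benign value for the same parameter. The application, the table contents, the payloads and the shape-based comparison are all constructed here as assumptions; the paper's own oracle is not reproduced.

```python
import re
import sqlite3

# Constructed example: a vulnerable query builder, a logging database proxy,
# and two test oracles. None of this is code from the paper.

KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "NULL", "LIKE",
    "IN", "IS", "INSERT", "UPDATE", "DELETE", "DROP", "VALUES", "ORDER", "BY",
}

_TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?(?:\*/|$))
  | (?P<string>'(?:[^']|'')*'?)         # single-quoted literal, '' escape, may be unterminated
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>[^\s\w'])
""", re.VERBOSE | re.DOTALL)


def structure(sql):
    """Reduce a statement to its syntactic shape: keywords and punctuation are
    kept, identifiers and literals are replaced by their token class. Two
    statements that differ only in literal values have the same shape; an
    injected payload that adds clauses, operators or comments changes it."""
    shape = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "word":
            word = m.group().upper()
            shape.append(word if word in KEYWORDS else "IDENT")
        elif kind == "op":
            shape.append(m.group())
        else:
            shape.append(kind.upper())  # STRING, NUMBER or COMMENT
    return tuple(shape)


class DatabaseProxy:
    """Stands in for a database proxy: every statement the application sends
    passes through here on its way to the database, so the proxy sees the
    query text even when the application hides all errors from the client."""

    def __init__(self, conn):
        self._conn = conn
        self.log = []

    def execute(self, sql):
        self.log.append(sql)
        return self._conn.execute(sql)


class VulnerableApp:
    """Hypothetical application under test. It builds SQL by string
    concatenation (the injection flaw) and reports only 'error' on failure."""

    def __init__(self, proxy):
        self._proxy = proxy

    def lookup(self, username):
        sql = f"SELECT id, name FROM users WHERE name = '{username}'"
        try:
            return self._proxy.execute(sql).fetchall()
        except sqlite3.Error:
            return "error"


def make_app():
    # Constructed in-memory database with two sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    proxy = DatabaseProxy(conn)
    return VulnerableApp(proxy), proxy


def assess(payload, benign="alice"):
    """Run one test input through the app and report what each oracle sees.
    output_oracle: black-box, flags only a database error in the response.
    proxy_oracle: compares the shape of the executed statement with the shape
    produced by a known-benign value for the same parameter."""
    app, proxy = make_app()
    app.lookup(benign)
    baseline = structure(proxy.log[-1])
    result = app.lookup(payload)
    observed = structure(proxy.log[-1])
    return {
        "output_oracle": result == "error",
        "proxy_oracle": observed != baseline,
    }


if __name__ == "__main__":
    for payload in ["bob", "ali'ce", "alice' AND 'x'='x", "alice'--"]:
        print(repr(payload), assess(payload))
```

A payload that merely breaks the statement (`ali'ce`) is caught by both oracles because the application leaks an error. A tautology that keeps the result set identical (`alice' AND 'x'='x`) or a comment that truncates the statement (`alice'--`) produces a normal-looking response and is invisible to the output oracle, yet the proxy oracle flags it on the first request because the statement's shape changed. That is the mechanism behind the abstract's claim that a proxy-based oracle needs fewer attempts; a production proxy would apply its own detection rules rather than this tokenizer.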
Acknowledgment
This work is supported by the National Research Fund, Luxembourg (FNR/P10/03 and FNR 4800382).
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Appelt, D., Alshahwan, N., Briand, L. (2014). Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing. In: Vos, T., Lakhotia, K., Bauersfeld, S. (eds) Future Internet Testing. FITTEST 2013. Lecture Notes in Computer Science, vol 8432. Springer, Cham. https://doi.org/10.1007/978-3-319-07785-7_2
DOI: https://doi.org/10.1007/978-3-319-07785-7_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07784-0
Online ISBN: 978-3-319-07785-7
eBook Packages: Computer Science (R0)