Abstract
Today almost all organizations have changed their traditional systems and have improved their performance using web-based applications. This process will make more profit and at the same time will increase the efficiency of their activities through customer support services and data transactions. Usually, web application take inputs from users through web form and send this input to get the response from database. Modern web-based application use web database to store all critical information such as user credentials, financial and payment information, company statistics etc. However error in validation of user input can cause database vulnerable to Structured Query Language Injection (SQLI) attack. By using SQLI attack, the attackers might insert malicious code in the user input and trying to gain access to the confidential and sensitive data from database. Security tester need to identify the appropriate test cases before starting exploiting SQL vulnerability in web-based application during testing phase. Identifying the test cases of a web application and analyzing the test results of an attack are important parts and consider as critical issues that affects the effectiveness of security testing. Thus, this research focused on the developing a framework for testing and detecting SQL injection vulnerability in web application. In this research, test cases will be generated automatically based on SQLI attack pattern and then the results will be executed automatically based on generated test cases. The primary focus in this paper is to develop a framework to automate security testing based on input injection attack pattern. To test our framework, we install a vulnerable web application and test result shows that the proposed framework can detect SQLI vulnerability successfully.
Keywords
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Vermatt, S.: Discovering Computers 2009, Complete. Cengage Learning Course Technology (2009)
Anastacio, M., Blanco, J.A., Villalba, L., Dahoud, A.: E-Government: benefits, risks and a proposal to assessment including cloud computing and critical infrastructure. In: International Conference on Information Technology (2013)
Internet World Stats, Usage and Population Statistics (2013). http://www.internetworldstats.com/stats.htm
Symantec Corp.: Web Based Attacks (2013). http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/web_based_attacks_02-2009.pdf
Software Security Testing, Software Assurance Pocket Guide Series: Development, vol. III, Version 1.0, 21 May 2012
Gu, T.-Y., Shi, Y.-S., Fang, Y.-U.: Research on software security testing. World Academy of Science, Engineering and Technology 69, 647–651 (2010)
Halfond, W.G.J., Choudhary, S.R., Orso, A.: Improving penetration testing through static and dynamic analysis. In: ICST 2009, the Second IEEE International Conference on Software Testing, Verification and Validation, vol. 21, pp. 195–214 (2011). doi:10.1002/stvr
Khan, S.A., Khan, R.A.: Software security testing process: phased approach. In: Agrawal, A., Tripathi, R.C., Do, E.Y.-L., Tiwari, M.D. (eds.) IITM 2013. CCIS, vol. 276, pp. 211–217. Springer, Heidelberg (2013)
Djuric, Z.: A black-box testing tool for detecting SQL injection vulnerabilities. In: 2013 2nd International Conference on Informatics and Applications, ICIA 2013, pp. 216–221 (2013). doi:10.1109/ICoIA.2013.6650259
Akrout, R., Alata, E., Kaaniche, M., Nicomette, V.: An automated black box approach for web vulnerability identification and attack scenario generation. J. Braz. Comput. Soc. 20, 4 (2014). doi:10.1186/1678-4804-20-4
Awang, N.F., Manaf, A.A., Zainudin, W.S.: A survey on conducting vulnerability assessment in web-based application. In: Hassanien, A.E., Tolba, M.F., Taher Azar, A. (eds.) AMLTA 2014. CCIS, vol. 488, pp. 459–471. Springer, Heidelberg (2014)
Halfond, W.G.J., Halfond, W.G.J., Viegas, J., Viegas, J., Orso, A., Orso, A.: A classification of SQL injection attacks and countermeasures (2006)
Stuttard, D., Pinto, M.: The web application hacker’s handbook: discovering and exploiting security flaws. Wiley Publishing, Inc., Indianapolis (2007)
Bisht, P., Madhusudan, P., Venkatarish-nan, V.N.: CANDID: dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Trans. Inf. Syst. Secur. 13(2), 1–39 (2010). Article 14
Ezumalai, R., Aghila, G.: Combinatorial approach for preventing SQL injection attacks. IEEE International Advance Computing Conference, IACC (2009)
Kindy, D.A., Pathan, A.S.K.: A detailed survey on various aspects of SQL injection in web applications: Vulnerabilities, innovative attacks and remedies. Int. J. Commun. Netw. Inf. Secur. 5, 80–92 (2013)
Wodarz, P.N.: Algorithms for Generating Permutations and Combinations, pp. 1–7 (2008)
He, K., Feng, Z., Li, X.: An attack scenario based approach for software security testing at design stage. In: 2008 International Symposium on Computer Science and Computational Technology, pp. 782–787. IEEE Computer Society (2008)
Wassermann, G., Yu, D., Chander, A., Dhurjati, D., Inamura, H., Su, Z.: Dynamic test input generation for web applications. In: International Symposium on Software Testing and Analysis (ISSTA), pp. 249–259 (2008)
Alata, E., Kaaniche, M., Nicomette, V., Akrout, R.: An automated approach to generate web applications attack scenarios. In: Proceedings - 6th Latin-American Symposium on Dependable Computing, LADC 2013, pp. 78–85 (2013). doi:10.1109/LADC.2013.22
Bozic, J., Wotawa, F.: XSS pattern for attack modeling in testing. In: 2013 8th International Workshop on Automation of Software Test, AST 2013 - Proceedings, pp. 71–74 (2013). doi:10.1109/IWAST.2013.6595794
Bozic, J., Wotawa, F.: Security testing based on attack patterns. In: Proceedings - IEEE 7th International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2014, pp. 4–11 (2014). doi:10.1109/ICSTW.2014.58
Chen, J.M., Wu, C.L.: An automated vulnerability scanner for injection attack based on injection point. In: ICS 2010 - International Computer Symposium, pp. 113–118 (2010). doi:10.1109/COMPSYM.2010.5685537
Duchene, F., Richier, J., Groz, R.: KameleonFuzz: Evolutionary Fuzzing for Black-Box XSS Detection. In: CODASPY (2014)
Acknowledgment
This work was supported by the Advanced Informatics School (AIS), University Technology of Malaysia and National Defence University of Malaysia
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Awang, N.F., Manaf, A.A. (2015). Automated Security Testing Framework for Detecting SQL Injection Vulnerability in Web Application. In: Jahankhani, H., Carlile, A., Akhgar, B., Taal, A., Hessami, A., Hosseinian-Far, A. (eds) Global Security, Safety and Sustainability: Tomorrow's Challenges of Cyber Security. ICGS3 2015. Communications in Computer and Information Science, vol 534. Springer, Cham. https://doi.org/10.1007/978-3-319-23276-8_14
Download citation
DOI: https://doi.org/10.1007/978-3-319-23276-8_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23275-1
Online ISBN: 978-3-319-23276-8
eBook Packages: Computer ScienceComputer Science (R0)