Abstract
Completely handling SQL injection consists of two activities: properly protecting the system from malicious input, and preventing any resultant error messages caused by SQL injection from revealing sensitive information. The goal of this research is to assess the relative effectiveness of unit and system level testing of web applications to reveal both error message information leak and SQL injection vulnerabilities. To produce 100% test coverage of 176 SQL statements in four open source web applications, we augmented the original automated unit test cases with our own system level tests that use both normal input and 132 forms of malicious input. Although we discovered no SQL injection vulnerabilities, we exposed 17 error message information leak vulnerabilities associated with SQL statements using system level testing. Our results suggest that security testers who use an iterative, test-driven development process should compose system level rather than unit level tests.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks. In: 20th IEEE/ACM International Conference on Automated Software Engineering, Long Beach, CA, USA, pp. 174–183 (2005)
Kosuga, Y., Kono, K., Hanaoka, M., Hishiyama, M., Takahama, Y.: Sania: syntactic and semantic analysis for automated testing against SQL injection. In: 23rd Annual Computer Security Applications Conference, Miami Beach, FL, pp. 107–117 (2007)
Pietraszek, T., Berghe, C.V.: Defending against injection attacks through context-sensitive string evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124–145. Springer, Heidelberg (2006)
Aslam, T., Krsul, I., Spafford, E.: Use of a taxonomy of security faults. In: 19th National Information Systems Security Conference, Baltimore, MD, pp. 551–560 (1996)
Tsipenyuk, K., Chess, B., McGraw, G.: Seven pernicious kingdoms: a taxonomy of software security errors. IEEE Security & Privacy 3, 81–84 (2005)
IEEE: IEEE Standard 610.12-1990, IEEE Standard Glossary of Software Engineering Terminology (1990)
Beck, K.: Test-driven development: By example. Addison-Wesley, Boston (2003)
McGraw, G.: Software security: Building security in. Addison-Wesley, Upper Saddle River (2006)
Smith, B., Shin, Y., Williams, L.: Proposing SQL statement coverage metrics. In: The 4th International Workshop on Software Engineering for Secure Systems at the 30th International Conference on Software Engineering, Leipzig, Germany, pp. 49–56 (2008)
Jiang, Y., Cukic, B., Menzies, T.: Fault Prediction using Early Lifecycle Data. In: The 18th IEEE International Symposium on Software Reliability, 2007. ISSRE 2007, pp. 237–246 (2007)
Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: USENIX Security Symposium, Baltimore, MD, pp. 18–18 (2005)
Bauer, C., King, G.: Hibernate in Action. Manning Publications (2004)
Brown, M., Tapolcsanyi, E.: Mock object patterns. In: The 10th Conference on Pattern Languages of Programs, Monticello, USA (2003)
Thomas, S., Williams, L.: Using automated fix generation to secure SQL statements. In: Proceedings of the Third International Workshop on Software Engineering for Secure Systems, Minneapolis, MN (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Smith, B., Williams, L., Austin, A. (2010). Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_15
Download citation
DOI: https://doi.org/10.1007/978-3-642-11747-3_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11746-6
Online ISBN: 978-3-642-11747-3
eBook Packages: Computer ScienceComputer Science (R0)