Comparison of Security Testing Approaches for Detection of SQL Injection Vulnerabilities

  • Authors

    • Najla’a Ateeq Mohammed Draib
    • Abu Bakar Md Sultan
    • Abdul Azim B Abd Ghani
    • Hazura Zulzalil
    2018-09-12
    https://doi.org/10.14419/ijet.v7i4.1.19483
  • SQL injection, vulnerabilities, Detection approaches, Software security test, Web applications.

  • Structured query language injection vulnerability (SQLIV) is one of the most prevalent and serious web application vulnerabilities that can be exploited by SQL injection attack (SQLIA) to gain unauthorized access to restricted data, bypass authentication mechanism, and execute unauthorized data manipulation language. Hence, testing web applications for detecting such vulnerabilities is very imperative. Recently, several security testing approaches have been proposed to detect SQL injection vulnerabilities. However, there is no up-to-date comparative study of these approaches that could be used to help security practitioners and researchers in selecting an appropriate approach for their needs.

    In this paper, six criteria's are identified to compare and analyze security testing approaches; vulnerability covered, testing approach, tool automation, false positive mitigation, vulnerability fixing, and test case/data generation. Using these criteria, a comparison was carried out to contrast the most prominent security testing approaches available in the literature. These criteria will aid both practitioners and researchers to select appropriate approaches according to their needs. Additionally, it will provide researchers with guidance that could help them make a preliminary decision prior to their proposal of new security testing approaches.

     

     

  • References

    1. [1] G. Deepa and P. S. Thilagam, “Securing web applications from injection and logic vulnerabilities: Approaches and challenges,†Inf. Softw. Technol., vol. 74, pp. 160–180, (2016).

      [2] Y.-F. Li, P. K. Das, and D. L. Dowe, “Two decades of Web application testing—A survey of recent advances,†Inf. Syst., vol. 43, pp. 20–54, (2014).

      [3] OWASP, “OWASP Top 10 - The Ten Most Critical Web Application Security Risks,†Owasp, p. 22, (2017).

      [4] B. Calbraith, “SANS Institute,†SANS Institute, (2012). [Online]. Available: https://www.sans.org/top25-software-errors/. [Accessed: 25-Feb-2017].

      [5] Trustwave, “Trustwave Global Security Report,†(2018).

      [6] W. G. J. Halfond, A. Orso, D. A. Kindy, and A. S. K. Pathan, “AMNESIA: Analysis and Monitoring for NEutralizing SQL-injection Attacks,†in Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, (2005), pp. 174–183.

      [7] Y. Xie and A. Aiken, “Scalable error detection using boolean satisfiability,†Symp. Princ. Program. Lang., pp. 351–363, (2005).

      [8] H. Shahriar and M. Zulkernine, “Automatic Testing of Program Security Vulnerabilities,†2009 33rd Annu. IEEE Int. Comput. Softw. Appl. Conf., no. July, pp. 550–555, (2009).

      [9] F. T. Alssir and M. Ahmed, “Web security testing approaches: Comparison framework,†in Advances in Intelligent and Soft Computing, (2012), vol. 144 AISC, no. VOL. 1, pp. 163–169.

      [10] S. M. Srinivasan and R. S. Sangwan, “Web App Security: A Comparison and Categorization of Testing Frameworks,†IEEE Softw., vol. 34, no. 1, pp. 99–102, (2017).

      [11] W. G. J. Halfond, J. Viegas, and A. Orso, “A Classification of SQL Injection Attacks and Countermeasures,†(2008).

      [12] C. Sharma and S. C. Jain, “Analysis and classification of SQL injection vulnerabilities and attacks on web applications,†in 2014 International Conference on Advances in Engineering and Technology Research, ICAETR 2014, (2014).

      [13] A. Mohammed, A. B. Sultan, A. Azim, B. A. Ghani, and H. Zulzalil, “Detecting and Exploiting Second-order SQL Injection Vulnerabilities of Web Applications,†in Sixth International Conference on Computer Science and Computational Mathematics, (2017), no. Iccscm, pp. 88–92.

      [14] C. Anley, “Advanced SQL injection in SQL server applications,†White Pap. Next Gener. Secur. Softw., (2002).

      [15] U. D. E. Lisboa, “Detection of Vulnerabilities and Automatic Protection for Web Applications,†(2016).

      [16] A. Kieyzun, P. J. Guo, K. Jayaraman, and M. D. Ernst, “Automatic creation of SQL Injection and cross-site scripting attacks,†2009 IEEE 31st Int. Conf. Softw. Eng., pp. 199–209, (2009).

      [17] N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: a static analysis tool for detecting Web application vulnerabilities,†(2006) IEEE Symp. Secur. Priv., pp. 260–263, (2006).

      [18] I. Medeiros, N. Neves, and M. Correia, “Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining,†IEEE Trans. Reliab., vol. 65, no. 1, pp. 54–69, (2016).

      [19] M. Martin and M. S. Lam, “Automatic Generation of XSS and SQL Injection Attacks with Goal-Directed Model Checking,†USENIX Secur. Symp., pp. 31–43, (2008).

      [20] K. Qian, “SAFELI – SQL Injection Scanner Using Symbolic Execution,†pp. 34–39, (2008).

      [21] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo, “Securing web application code by static analysis and runtime protection,†Proc. 13th Int. Conf. World Wide Web, pp. 40–52, (2004).

      [22] G. Wassermann and Z. Su, “Sound and precise analysis of web applications for injection vulnerabilities,†ACM SIGPLAN Not., vol. 42, no. 6, p. 32, (2007).

      [23] J. Dahse and T. Holz, “Static Detection of Second-Order Vulnerabilities in Web Applications,†23rd USENIX Secur. Symp. (USENIX Secur. 14), pp. 989–1003, (2014).

      [24] F. Yu, M. Alkhalaf, and T. Bultan, “Stranger: An Automata-Based String Analysis Tool for PHP,†Internation Conference on Tools and Algorithms for the Construction and Analysis of Systems, pp. 154-157, (2010).

      [25] H. Shahriar and M. Zulkernine, “MUSIC: Mutation-based SQL injection vulnerability checking,†in Proceedings - International Conference on Quality Software, (2008), pp. 77–86.

      [26] M. Backes, K. Rieck, M. Skoruppa, B. Stock, and F. Yamaguchi, “Efficient and Flexible Discovery of PHP Application Vulnerabilities,†Proc. - 2nd IEEE Eur. Symp. Secur. Privacy, EuroS P 2017, pp. 334–349, (2017).

      [27] J. Thomé, L. K. Shar, and L. Briand, “Security slicing for auditing XML, XPath, and SQL injection vulnerabilities,†2015 IEEE 26th Int. Symp. Softw. Reliab. Eng. ISSRE 2015, pp. 553–564, (2016).

      [28] Z. Djuric, “A black-box testing tool for detecting SQL injection vulnerabilities,†in 2013 Second International Conference on Informatics & Applications (ICIA), (2013), pp. 216–221.

  • Downloads

  • How to Cite

    Ateeq Mohammed Draib, N., Bakar Md Sultan, A., Azim B Abd Ghani, A., & Zulzalil, H. (2018). Comparison of Security Testing Approaches for Detection of SQL Injection Vulnerabilities. International Journal of Engineering & Technology, 7(4.1), 14-17. https://doi.org/10.14419/ijet.v7i4.1.19483