Comparing Web Vulnerability Scanners with a New Method for SQL Injection Vulnerabilities Detection and Removal EPSQLiFix

  • Authors

    • Kabir Umar
    • Abu Bakar Sultan
    • Hazura Zulzalil
    • Novia Admodisastro
    • Mohd Taufik Abdullah
    2018-12-09
    https://doi.org/10.14419/ijet.v7i4.31.23338
  • SQL Injection, Reachability Analysis, Vulnerability Detection and Removal.
  • Web vulnerabilities have become a major threat to the security of information and services accessible via the internet. Dynamic analysis based Web Vulnerability Scanners (WVS) have been employed to facilitate detection of vulnerabilities, though, such scanners could not remove the detected vulnerabilities. Empirical evidences show that some existing static analysis techniques targeted both detection and removal of vulnerabilities. However, these techniques are not adequately effective – they report considerably large number of false positives and do not achieve fully automatic vulnerabilities removal.  Although, clear understanding of the workflow of WVSs is very essential in designing more improved scanners, current literature does not provide a comprehensive presentation on workflow of WVSs. Thus, this paper presents thorough description of generic WVS through synthesis and aggregation of knowledge. In addition, the paper presents overview of an Evolutionary Programming (EP) based static analysis method for automatic detection and removal of vulnerabilities called EPSQLiFix. Lastly, the paper compares the workflow of WVSs to that of EPSQLiFix method.

     

  • References

    1. [1] Arcuri A (2011), Evolutionary repair of faulty software, Journal of Applied Soft Computing, 11, 4, 3494–3514. DOI: 10.1016/j.asoc.2011.01.023.

      [2] Arcuri A (2008), On the automation of fixing software bugs, In Proceedings of the 30th International Conference on Software Engineering. Leipzig, Germany: ACM, pp. 1003-1006, DOI: 10.1145/1370175.1370223

      [3] Halfond W & Orso A (2005), AMNESIA: Analysis and monitoring for neutralizing sql-injection attacks, In Proceedings of the 20th International Conference on ASE. Long Beach, CA: IEEE/ACM. pp.174-183

      [4] Medeiros I, Neves NF & Correia M (2014), Automatic detection and correction of web application vulnerabilities using data mining to predict false positives, Proceedings of the 23rd International Conference on World Wide Web. New York: IEEE, 63-74, DOI: 10.1145/2566486.2568024.

      [5] Kaur D & Parminder K (2017), SQLI Attacks: Current State and Mitigation in SDLC, Proceedings of the 5th International Conference on Frontiers in Intelligent Computing: Theory and Applications. Springer, Singapore.

      [6] Sun F, Xu L & Su Z (2011), Static Detection of Access Control Vulnerabilities in Web Applications, USENIX Security Symposium.

      [7] Minamide Y (2005), Static approximation of dynamically generated web pages, Proceedings of the 14th international conference on World Wide Web. ACM.

      [8] Thomé J, Gorla A & Zeller A (2014), Search-based security testing of web applications, Proceedings of the 7th International Workshop on Search-Based Software Testing. ACM.

      [9] Doupé A, Cova M & Vigna G (2010), Why Johnny can’t pentest: An analysis of black-box web vulnerability scanners, International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, Berlin, Heidelberg.

      [10] Bau J, Bursztein E, Gupta D & Mitchell J (2012), Vulnerability factors in new web applications: Audit tools, developer selection & languages, Stanford, Tech. Rep.

      [11] Huang YW, Huang SK, Lin TP & Tsai CH (2002), Web application security assessment by fault injection and behavior monitoring, Proceedings of the 12th international conference on World Wide Web. ACM, pp. 148-159.

      [12] Thomas S, Williams & Xie T (2009), On automated prepared statement generation to remove SQL injection vulnerabilities, Information and Software Technology 51.3, 589-598.

      [13] Kals S, Kirda E, Kruegel C & Jovanovic N (2006), Secubat: a web vulnerability scanner, Proceedings of the 15th international conference on World Wide Web. ACM.

      [14] Vieira M, Antunes N & Madeira H (2009), Using web security scanners to detect vulnerabilities in web services, International Conference on Dependable Systems & Networks,DSN'09. IEEE/IFIP. IEEE.

      [15] Jose S, Priyadarshini K & Abirami K (2016), An Analysis of Black-Box Web Application Vulnerability Scanners in SQLi Detection, Proceedings of the International Conference on Soft Computing Systems. Springer, New Delhi, pp. 177-185.

      [16] Bau J, Bursztein E, Gupta D & Mitchell J (2010), State of the art: Automated black-box web application vulnerability testing, IEEE Symposium on Security and Privacy (SP).

      [17] Fonseca J, Vieira M & Madeira H (2007), Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks, 13th Pacific Rim International Symposium on Dependable Computing,PRDC2007, IEEE.

      [18] Pałka D, Zachara M & Wójcik K (2016), Evolutionary scanner of web application vulnerabilities, International Conference on Computer Networks. Springer, Cham.

      [19] Saleh AZM, Rozali NA, Buja AG, Jalil KA, Ali FHM & Rahman TFA (2015), A method for web application vulnerabilities detection by using boyer-moore string matching algorithm, Procedia Computer Science 72, 112-121.

      [20] Chen JM & Wu CL (2010), An automated vulnerability scanner for injection attack based on injection point, International Computer Symposium (ICS), IEEE.

      [21] Patil S, Marathe N & Padiya P (2016), Design of efficient web vulnerability scanner, Proceedings of International Conference on Inventive Computation Technologies (ICICT), 2. IEEE.

      [22] Trivedi SH (2012), Software testing techniques, International Journal of Advanced Research in Computer Science and Software Engineering 2.10.

      [23] Al-Khashab E, Al-Anzi FS & Salman AA (2011), PSIAQOP: preventing SQL injection attacks based on query optimization process, Proceedings of the Second Kuwait Conference on e-Services and e-Systems. ACM.

      [24] Thomas S & Williams L (2007), Using automated fix generation to secure SQL statements, Proceedings of the Third International Workshop on Software Engineering for Secure Systems. IEEE Computer Society.

      [25] Salas MIP & Eliane M (2015), A black-box approach to detect vulnerabilities in web services using penetration testing. IEEE Latin America Transactions 13, 3, 707-712.

      [26] Deepa G & Thilagam PS (2016), Securing web applications from injection and logic vulnerabilities: Approaches and challenges. Information and Software Technology 74, 160-180.

      [27] Irena J (2006), Software testing methods and techniques. Journal of the IPSI BgD Transactions on Internet Research 30.

      [28] Akrout R, Alata E, Kaaniche M & Nicomette V (2014), An automated black box approach for web vulnerability identification and attack scenario generation. Journal of the Brazilian Computer Society 20.1: 4.

  • Downloads

  • How to Cite

    Umar, K., Bakar Sultan, A., Zulzalil, H., Admodisastro, N., & Taufik Abdullah, M. (2018). Comparing Web Vulnerability Scanners with a New Method for SQL Injection Vulnerabilities Detection and Removal EPSQLiFix. International Journal of Engineering & Technology, 7(4.31), 40-45. https://doi.org/10.14419/ijet.v7i4.31.23338