An algorithm for detecting SQL injection vulnerability using black-box testing

  • Muhammad Saidu Aliero
  • Imran Ghani
  • Kashif Naseer Qureshi
  • Mohd Fo’ad Rohani
Original Research

Abstract

SQL Injection Attack (SQLIA) is one of the most severe attacks that can be used against database-driven web applications. Attackers use SQLIA to obtain unauthorized access and perform unauthorized data modifications, which is possible because of improper input validation by the web application developer. Various studies have shown that, on average, 64% of web applications worldwide are vulnerable to SQLIA due to improper input. To mitigate the devastating problem of SQLIA, this research proposes automatic black box testing for SQL Injection Vulnerability (SQLIV), which automates SQLIV assessment for SQLIA. In addition, recent studies have shown that there is a need to improve the effectiveness of existing SQLIVS in order to reduce the cost of manual inspection of vulnerabilities and the risk of being attacked due to inaccurate results (false negatives and false positives). This research focuses on improving the effectiveness of SQLIVS by proposing an object-oriented approach to its development, in order to help minimize the incidence of false positive and false negative results and to give potential researchers room to improve the proposed scanner. To test and validate the accuracy of the research work, three vulnerable web applications were developed, each possessing a different type of vulnerability, and an experimental evaluation was used to validate the proposed scanner. In addition, an analytical evaluation is used to compare the proposed scanner with existing academic scanners. The result of the experimental analysis shows significant improvement, achieving high accuracy compared to existing studies. Similarly, the analytical evaluation showed that the proposed scanner is capable of analyzing the attacked page response using four different techniques.

Keywords

Black box testing; SQL injection; SQL injection vulnerability; SQL injection attack; SQLI vulnerability scanner

Notes

Compliance with ethical standards

Conflict of interest

The authors whose names are in the paper certify that they have NO affiliations with or involvement in any organization or entity with any financial interest (such as participation in speakers’ bureaus; membership, employment, consultancies, stock ownership, or other equity interest; and expert testimony or patent-licensing arrangements), or non-financial interest (such as personal or professional relationships, affiliations, knowledge or beliefs) in the subject matter or materials discussed in this manuscript.

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  1. School of Information Technology, Monash University, Subang Jaya, Malaysia
  2. Indiana University of Pennsylvania, Indiana, USA
  3. Department of Computer Science, Bahria University, Islamabad, Pakistan
  4. Faculty of Computing, Universiti Teknologi, Johor Bahru, Malaysia