SQLUnitGen: Test Case Generation for SQL Injection Detection

More than half of all reported vulnerabilities can be classified as input manipulation, such as SQL injection, cross-site scripting, and buffer overflows. Increasingly, automated static analysis tools are being used to identify input manipulation vulnerabilities. However, these tools cannot detect the presence or the effectiveness of black- or white-list input filters and may therefore have a high false positive rate. Our research objective is to facilitate the identification of true input manipulation vulnerabilities by combining static analysis, runtime detection, and automatic testing. We propose an approach for SQL injection vulnerability detection, automated by a prototype tool, SQLUnitGen. To evaluate our approach, we performed case studies on two small web applications, comparing it against static analysis for identifying true SQL injection vulnerabilities. In our case studies, SQLUnitGen had no false positives but a small number of false negatives, while the static analysis tool reported a false positive for every vulnerability that was actually protected by a white or black list. Future work will focus on removing false negatives from SQLUnitGen and on generalizing the approach to other types of input manipulation vulnerabilities.
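As an added illustration of the idea behind the abstract (this is not SQLUnitGen's code and not from the paper), the Python sketch below shows why static analysis alone over-reports: each function is a hotspot a static analyser would flag because it concatenates input into SQL, but only running generated attack inputs through it and checking at runtime whether the query's structure changed tells a protected hotspot from a real one. The function names, filters, attack inputs and the skeleton-based runtime check are all constructed for this example.

```python
import re
from typing import Callable, Dict, List

# Constructed hotspots: a static analyser flags all four identically, since each
# concatenates user input into SQL. Only runtime testing tells them apart.
def unprotected_lookup(username: str) -> str:
    return "SELECT id FROM users WHERE name = '" + username + "'"

def whitelisted_lookup(username: str) -> str:
    # Whitelist filter: only a short alphanumeric token reaches the query.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", username):
        raise ValueError("rejected by input filter")
    return "SELECT id FROM users WHERE name = '" + username + "'"

def blacklisted_lookup(username: str) -> str:
    # Blacklist filter: strips single quotes; adequate inside a string literal.
    return "SELECT id FROM users WHERE name = '" + username.replace("'", "") + "'"

def blacklisted_order_lookup(order_id: str) -> str:
    # The same blacklist guarding a numeric column: no quote is needed to break out.
    return "SELECT * FROM orders WHERE id = " + order_id.replace("'", "")

# Tokeniser for the runtime check: string literal | number | word | other symbol.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|\S")

def sql_skeleton(query: str) -> List[str]:
    """Runtime detection: reduce a query to its structure by replacing literals."""
    return ["<str>" if t.startswith("'") else "<num>" if t.isdigit() else t.upper()
            for t in _TOKEN.findall(query)]

# Constructed attack inputs a test generator would feed to each hotspot.
ATTACK_INPUTS = ["' OR 1=1 --", "1 OR 1=1"]

def run_generated_tests(build_query: Callable[[str], str], benign: str,
                        attacks: List[str] = ATTACK_INPUTS) -> Dict[str, bool]:
    """Map each attack input to True if it changed the query's structure."""
    baseline = sql_skeleton(build_query(benign))
    outcome: Dict[str, bool] = {}
    for attack in attacks:
        try:
            outcome[attack] = sql_skeleton(build_query(attack)) != baseline
        except ValueError:
            outcome[attack] = False  # the filter rejected the input outright
    return outcome

def is_vulnerable(build_query: Callable[[str], str], benign: str) -> bool:
    """Report a hotspot only if at least one generated attack got through."""
    return any(run_generated_tests(build_query, benign).values())
```

Running `is_vulnerable` over the four hotspots reports only the unprotected lookup and the numeric lookup whose quote-stripping blacklist does not fit its context; the two effectively filtered hotspots, which a static analyser would still flag, are not reported. Whether a real bypass slips past the filter depends on the attack inputs generated, which is where false negatives come from.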
