A heuristic-based approach for detecting SQL-injection vulnerabilities in web applications

SQL injection is one amongst the most dangerous vulnerabilities for Web applications, and it is becoming a frequent cause of attacks as many systems are migrating towards the Web. This paper proposes an approach and a tool-named V1p3R ("viper") for Web application penetration testing. The approach is based on pattern matching of error messages and on outputs produced by the application under test, and relies upon an extensible knowledge base consisting in a large set of templates. Results of an empirical study carried out on 12 real Web applications and aimed at comparing V1p3R with SQLMap showed the higher performances of the proposed approach with respect to the existing state-of-the-practice.

[1]  Jacob Cohen Statistical Power Analysis for the Behavioral Sciences , 1969, The SAGE Encyclopedia of Research Design.

[2]  Alessandro Orso,et al.  WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation , 2008, IEEE Transactions on Software Engineering.

[3]  G. Aghila,et al.  Combinatorial Approach for Preventing SQL Injection Attacks , 2009, 2009 IEEE International Advance Computing Conference.

[4]  Anh Nguyen-Tuong,et al.  Automatically Hardening Web Applications Using Precise Tainting , 2005, SEC.

[5]  Elisa Bertino,et al.  Profiling Database Application to Detect SQL Injection Attacks , 2007, 2007 IEEE International Performance, Computing, and Communications Conference.

[6]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[7]  Kenji Kono,et al.  Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[8]  Alessandro Orso,et al.  AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks , 2005, ASE.

[9]  Shih-Kun Huang,et al.  Web application security assessment by fault injection and behavior monitoring , 2003, WWW '03.

[10]  David LeBlanc,et al.  Writing Secure Code , 2001 .

[11]  Zhendong Su,et al.  The essence of command injection attacks in web applications , 2006, POPL '06.

[12]  Chris Anley,et al.  Advanced SQL Injection In SQL Server Applications , 2002 .

[13]  SQL Injection Signatures Evasion , 2004 .

[14]  Christopher Krügel,et al.  Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).