Attack Model Based Penetration Test for SQL Injection Vulnerability

Penetration testing is a crucial way to enhance the security of web applications, and improving its accuracy is the core issue in penetration test research. The test case is an important factor affecting penetration test accuracy. In this paper, we discuss how to generate more effective penetration test case inputs to detect SQL injection vulnerabilities hidden behind inadequate blacklist filter defense mechanisms in web applications. We propose a model-based penetration test method for the SQL injection vulnerability, in which penetration test case generation is divided into two steps: i) building a model of the penetration test case, and ii) instantiating the model of the penetration test case. Our method can generate test cases covering more types and patterns of SQL injection attack input, so as to thoroughly test the blacklist filter mechanism of web applications. Experiments show that the penetration test cases generated by our method can effectively find SQL injection vulnerabilities hidden behind inadequate blacklist filter defense mechanisms, thus reducing false negatives and improving test accuracy.
