Skip to main content
SpringerLink
Log in

Automated Security Testing Framework for Detecting SQL Injection Vulnerability in Web Application

  • Conference paper
  • First Online:
Global Security, Safety and Sustainability: Tomorrow's Challenges of Cyber Security (ICGS3 2015)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 534))

Included in the following conference series:

  • International Conference on Global Security, Safety, and Sustainability

Abstract

Today almost all organizations have changed their traditional systems and have improved their performance using web-based applications. This process will make more profit and at the same time will increase the efficiency of their activities through customer support services and data transactions. Usually, web application take inputs from users through web form and send this input to get the response from database. Modern web-based application use web database to store all critical information such as user credentials, financial and payment information, company statistics etc. However error in validation of user input can cause database vulnerable to Structured Query Language Injection (SQLI) attack. By using SQLI attack, the attackers might insert malicious code in the user input and trying to gain access to the confidential and sensitive data from database. Security tester need to identify the appropriate test cases before starting exploiting SQL vulnerability in web-based application during testing phase. Identifying the test cases of a web application and analyzing the test results of an attack are important parts and consider as critical issues that affects the effectiveness of security testing. Thus, this research focused on the developing a framework for testing and detecting SQL injection vulnerability in web application. In this research, test cases will be generated automatically based on SQLI attack pattern and then the results will be executed automatically based on generated test cases. The primary focus in this paper is to develop a framework to automate security testing based on input injection attack pattern. To test our framework, we install a vulnerable web application and test result shows that the proposed framework can detect SQLI vulnerability successfully.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Vermatt, S.: Discovering Computers 2009, Complete. Cengage Learning Course Technology (2009)

    Google Scholar 

  2. Anastacio, M., Blanco, J.A., Villalba, L., Dahoud, A.: E-Government: benefits, risks and a proposal to assessment including cloud computing and critical infrastructure. In: International Conference on Information Technology (2013)

    Google Scholar 

  3. Internet World Stats, Usage and Population Statistics (2013). http://www.internetworldstats.com/stats.htm

  4. Symantec Corp.: Web Based Attacks (2013). http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/web_based_attacks_02-2009.pdf

  5. Software Security Testing, Software Assurance Pocket Guide Series: Development, vol. III, Version 1.0, 21 May 2012

    Google Scholar 

  6. Gu, T.-Y., Shi, Y.-S., Fang, Y.-U.: Research on software security testing. World Academy of Science, Engineering and Technology 69, 647–651 (2010)

    Google Scholar 

  7. Halfond, W.G.J., Choudhary, S.R., Orso, A.: Improving penetration testing through static and dynamic analysis. In: ICST 2009, the Second IEEE International Conference on Software Testing, Verification and Validation, vol. 21, pp. 195–214 (2011). doi:10.1002/stvr

  8. Khan, S.A., Khan, R.A.: Software security testing process: phased approach. In: Agrawal, A., Tripathi, R.C., Do, E.Y.-L., Tiwari, M.D. (eds.) IITM 2013. CCIS, vol. 276, pp. 211–217. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  9. Djuric, Z.: A black-box testing tool for detecting SQL injection vulnerabilities. In: 2013 2nd International Conference on Informatics and Applications, ICIA 2013, pp. 216–221 (2013). doi:10.1109/ICoIA.2013.6650259

  10. Akrout, R., Alata, E., Kaaniche, M., Nicomette, V.: An automated black box approach for web vulnerability identification and attack scenario generation. J. Braz. Comput. Soc. 20, 4 (2014). doi:10.1186/1678-4804-20-4

    Article  MathSciNet  Google Scholar 

  11. Awang, N.F., Manaf, A.A., Zainudin, W.S.: A survey on conducting vulnerability assessment in web-based application. In: Hassanien, A.E., Tolba, M.F., Taher Azar, A. (eds.) AMLTA 2014. CCIS, vol. 488, pp. 459–471. Springer, Heidelberg (2014)

    Google Scholar 

  12. Halfond, W.G.J., Halfond, W.G.J., Viegas, J., Viegas, J., Orso, A., Orso, A.: A classification of SQL injection attacks and countermeasures (2006)

    Google Scholar 

  13. Stuttard, D., Pinto, M.: The web application hacker’s handbook: discovering and exploiting security flaws. Wiley Publishing, Inc., Indianapolis (2007)

    Google Scholar 

  14. Bisht, P., Madhusudan, P., Venkatarish-nan, V.N.: CANDID: dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Trans. Inf. Syst. Secur. 13(2), 1–39 (2010). Article 14

    Article  Google Scholar 

  15. Ezumalai, R., Aghila, G.: Combinatorial approach for preventing SQL injection attacks. IEEE International Advance Computing Conference, IACC (2009)

    Google Scholar 

  16. Kindy, D.A., Pathan, A.S.K.: A detailed survey on various aspects of SQL injection in web applications: Vulnerabilities, innovative attacks and remedies. Int. J. Commun. Netw. Inf. Secur. 5, 80–92 (2013)

    Google Scholar 

  17. Wodarz, P.N.: Algorithms for Generating Permutations and Combinations, pp. 1–7 (2008)

    Google Scholar 

  18. He, K., Feng, Z., Li, X.: An attack scenario based approach for software security testing at design stage. In: 2008 International Symposium on Computer Science and Computational Technology, pp. 782–787. IEEE Computer Society (2008)

    Google Scholar 

  19. Wassermann, G., Yu, D., Chander, A., Dhurjati, D., Inamura, H., Su, Z.: Dynamic test input generation for web applications. In: International Symposium on Software Testing and Analysis (ISSTA), pp. 249–259 (2008)

    Google Scholar 

  20. Alata, E., Kaaniche, M., Nicomette, V., Akrout, R.: An automated approach to generate web applications attack scenarios. In: Proceedings - 6th Latin-American Symposium on Dependable Computing, LADC 2013, pp. 78–85 (2013). doi:10.1109/LADC.2013.22

  21. Bozic, J., Wotawa, F.: XSS pattern for attack modeling in testing. In: 2013 8th International Workshop on Automation of Software Test, AST 2013 - Proceedings, pp. 71–74 (2013). doi:10.1109/IWAST.2013.6595794

  22. Bozic, J., Wotawa, F.: Security testing based on attack patterns. In: Proceedings - IEEE 7th International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2014, pp. 4–11 (2014). doi:10.1109/ICSTW.2014.58

  23. Chen, J.M., Wu, C.L.: An automated vulnerability scanner for injection attack based on injection point. In: ICS 2010 - International Computer Symposium, pp. 113–118 (2010). doi:10.1109/COMPSYM.2010.5685537

  24. Duchene, F., Richier, J., Groz, R.: KameleonFuzz: Evolutionary Fuzzing for Black-Box XSS Detection. In: CODASPY (2014)

    Google Scholar 

Download references

Acknowledgment

This work was supported by the Advanced Informatics School (AIS), University Technology of Malaysia and National Defence University of Malaysia

Author information

Authors and Affiliations

  1. Faculty of Defence Science and Technology, National Defence University of Malaysia, Kuala Lumpur, Malaysia

    Nor Fatimah Awang

  2. Advanced Informatics School (UTM AIS), UTM International Campus, Kuala Lumpur, Malaysia

    Azizah Abd Manaf

Authors
  1. Nor Fatimah Awang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Azizah Abd Manaf
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nor Fatimah Awang .

Editor information

Editors and Affiliations

  1. GSM London, London, United Kingdom

    Hamid Jahankhani

  2. SC Strategy Limited, London, United Kingdom

    Alex Carlile

  3. Sheffield Hallam University, Sheffield, United Kingdom

    Babak Akhgar

  4. Deutsche Bank, New York, USA

    Amie Taal

  5. City University, London, United Kingdom

    Ali G. Hessami

  6. Leeds Beckett University, Leeds, United Kingdom

    Amin Hosseinian-Far

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Awang, N.F., Manaf, A.A. (2015). Automated Security Testing Framework for Detecting SQL Injection Vulnerability in Web Application. In: Jahankhani, H., Carlile, A., Akhgar, B., Taal, A., Hessami, A., Hosseinian-Far, A. (eds) Global Security, Safety and Sustainability: Tomorrow's Challenges of Cyber Security. ICGS3 2015. Communications in Computer and Information Science, vol 534. Springer, Cham. https://doi.org/10.1007/978-3-319-23276-8_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-23276-8_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23275-1

  • Online ISBN: 978-3-319-23276-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation