research-article

Security testing of web applications: a search-based approach for detecting SQL injection vulnerabilities

Authors:

Muyang Liu,

Ke Li,

Tao ChenAuthors Info & Claims

GECCO '19: Proceedings of the Genetic and Evolutionary Computation Conference Companion

Pages 417 - 418

https://doi.org/10.1145/3319619.3322026

Published: 13 July 2019 Publication History

Get Access

Abstract

Web applications have become increasingly essential in many domains that operate on confidential data related to business. SQL injection attack is one of the most significant web application security risks. Detecting SQL injection vulnerabilities is essential for protecting the underlying web application. However, manually enumerating test cases is extremely challenging, if not impossible, given the potentially infinite number of user inputs and the likely nonexistence of one-to-one mapping between user inputs and malicious SQL statements. This paper proposes an automatic security test case generation approach to detect SQL injection vulnerabilities for web applications, following a search-based software engineering (SBSE) paradigm. Particularly, we propose a novel fitness function that evaluates the similarity between the SQL statements produced by feeding user inputs in the system under test and a known malicious SQL statement. For the search algorithm, we exploit differential evolution, which is robust in continuous optimization but it is under-investigated in SBSE. Based on three real-world web applications, we conduct experiments on 19 configurations that are of diverse forms of SQL statements and types of attacks. Results demonstrate that our approach is more effective, with statistical significance and high effect sizes, than the state-of-the-art.

References

[1]

Fred Damerau. 1964. A technique for computer detection and correction of spelling errors. Commun. ACM 7, 3 (1964), 171--176.

Digital Library

Google Scholar

[2]

Saswat Anand et al. 2013. An orchestrated survey of methodologies for automated software test case generation. Journal of Systems and Software 86, 8 (2013), 1978--2001.

Digital Library

Google Scholar

[3]

Halfond, William, Orso, Alex, Manolios, and Pete. 2008. WASP: Protecting web applications using positive tainting and syntax-aware evaluation. IEEE Trans. Software Engineering 34, 1 (2008), 65--81.

Digital Library

Google Scholar

[4]

Mark Harman, S Afshin Mansouri, and Yuanyuan Zhang. 2012. Search-based software engineering: Trends, techniques and applications. Comput. Surveys 45, 1 (2012), 11.

Digital Library

Google Scholar

[5]

Michael Howard and David LeBlanc. 2003. Writing secure code. Pearson Education.

Google Scholar

[6]

Sadeeq Jan, Annibale Panichella, Andrea Arcuri, and Lionel Briand. 2017. Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications. IEEE Trans. Software Engineering (2017).

Google Scholar

Cited By

View all

Maina Y(2024)A CRITICAL EVALUATION OF SECURITY APPROACHES FOR DETECTION AND PREVENTION OF SQL INJECTION ATTACKS IN WEB-BASED APPLICATIONSFUDMA JOURNAL OF SCIENCES10.33003/fjs-2024-0802-23088:2(241-246)Online publication date: 30-Apr-2024
https://doi.org/10.33003/fjs-2024-0802-2308
Ahsan FAnwer F(2024)A systematic literature review on software security testing using metaheuristicsAutomated Software Engineering10.1007/s10515-024-00433-031:2Online publication date: 23-May-2024
https://doi.org/10.1007/s10515-024-00433-0
Krichen M(2023)Formal Methods and Validation Techniques for Ensuring Automotive Systems SecurityInformation10.3390/info1412066614:12(666)Online publication date: 18-Dec-2023
https://doi.org/10.3390/info14120666
Show More Cited By

Index Terms

Security testing of web applications: a search-based approach for detecting SQL injection vulnerabilities
1. Software and its engineering
  1. Software creation and management
    1. Search-based software engineering
  2. Software organization and properties
    1. Extra-functional properties
      1. Software reliability

Recommendations

DeepSQLi: deep semantic learning for testing SQL injection
ISSTA 2020: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis

Security is unarguably the most serious concern for Web applications, to which SQL injection (SQLi) attack is one of the most devastating attacks. Automatically testing SQLi vulnerabilities is of ultimate importance, yet is unfortunately far from ...
Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks

Web applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Securing web applications from injection and logic vulnerabilities

Context: Web applications are trusted by billions of users for performing day-to-day activities. Accessibility, availability and omnipresence of web applications have made them a prime target for attackers. A simple implementation flaw in the ...

Comments

Information & Contributors

Information

Published In

GECCO '19: Proceedings of the Genetic and Evolutionary Computation Conference Companion

July 2019

2161 pages

ISBN:9781450367486

DOI:10.1145/3319619

Editor:
Manuel López-Ibáñez
University of Manchester, UK
,
General Chairs:
Anne Auger
Inria and Ecole Polytechnique, France
,
Thomas Stützle
IRIDIA, Université libre de Bruxelles Belgium

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 July 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Royal Society
UK Research and Innovation

Conference

GECCO '19

Sponsor:

SIGEVO

GECCO '19: Genetic and Evolutionary Computation Conference

July 13 - 17, 2019

Prague, Czech Republic

Acceptance Rates

Overall Acceptance Rate 1,669 of 4,410 submissions, 38%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
469
Total Downloads

Downloads (Last 12 months)58
Downloads (Last 6 weeks)7

Reflects downloads up to 09 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Maina Y(2024)A CRITICAL EVALUATION OF SECURITY APPROACHES FOR DETECTION AND PREVENTION OF SQL INJECTION ATTACKS IN WEB-BASED APPLICATIONSFUDMA JOURNAL OF SCIENCES10.33003/fjs-2024-0802-23088:2(241-246)Online publication date: 30-Apr-2024
https://doi.org/10.33003/fjs-2024-0802-2308
Ahsan FAnwer F(2024)A systematic literature review on software security testing using metaheuristicsAutomated Software Engineering10.1007/s10515-024-00433-031:2Online publication date: 23-May-2024
https://doi.org/10.1007/s10515-024-00433-0
Krichen M(2023)Formal Methods and Validation Techniques for Ensuring Automotive Systems SecurityInformation10.3390/info1412066614:12(666)Online publication date: 18-Dec-2023
https://doi.org/10.3390/info14120666
Poleto TNepomuceno Tde Carvalho VFriaes Lde Oliveira RFigueiredo C(2023)Information Security Applications in Smart Cities: A Bibliometric Analysis of Emerging ResearchFuture Internet10.3390/fi1512039315:12(393)Online publication date: 1-Dec-2023
https://doi.org/10.3390/fi15120393
Iannone EGuadagni RFerrucci FDe Lucia APalomba F(2023)The Secret Life of Software Vulnerabilities: A Large-Scale Empirical StudyIEEE Transactions on Software Engineering10.1109/TSE.2022.314086849:1(44-63)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TSE.2022.3140868
Gautier AWhitehead CDzielski DDevine THernandez J(2023)A Systematic Mapping Study of the Advancement in Software Vulnerability ForecastingSoutheastCon 202310.1109/SoutheastCon51012.2023.10115111(545-552)Online publication date: 1-Apr-2023
https://doi.org/10.1109/SoutheastCon51012.2023.10115111
Wang LWang W(2023)Sensitive Path oriented Malicious data Generation for Web applications2023 6th International Conference on Data Science and Information Technology (DSIT)10.1109/DSIT60026.2023.00009(1-6)Online publication date: 28-Jul-2023
https://doi.org/10.1109/DSIT60026.2023.00009
Ahsan FAnwer F(2023)A Critical Review on Search-Based Security Testing of ProgramsComputational Intelligence10.1007/978-981-19-7346-8_19(207-225)Online publication date: 16-Feb-2023
https://doi.org/10.1007/978-981-19-7346-8_19
Hussain MAbbdal Refish SKhalefa MHussain SHussien ZAbduljabbar ZAl Sibahee M(2021)Web application database protection from SQLIA using permutation encodingProceedings of the 4th International Conference on Information Science and Systems10.1145/3459955.3460594(13-21)Online publication date: 17-Mar-2021
https://dl.acm.org/doi/10.1145/3459955.3460594
Kaur PSharma IKaur A(2021)Web Application Vulnerabilities & Countermeasures2021 5th International Conference on Information Systems and Computer Networks (ISCON)10.1109/ISCON52037.2021.9702496(1-6)Online publication date: 22-Oct-2021
https://doi.org/10.1109/ISCON52037.2021.9702496
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

DeepSQLi: deep semantic learning for testing SQL injection

Security vulnerabilities and mitigation techniques of web applications

Securing web applications from injection and logic vulnerabilities