Applying User Sessions to Detect SQL Injection Vulnerabilities in Web Applications


Abstract:

Vulnerabilities in web applications are a serious concern for companies and consumers. The large number of technologies involved in a web application, such as Flash, HTML, JavaScript, PHP and Ajax, together with the underlying software, such as web servers and browsers, means that a vulnerability can lie in any language, technology or component. One of the most common exploits that plague web applications is the Code Injection attack, such as SQL Injection and Cross Site Scripting. In 2011, SQL injection was ranked first, and Cross Site Scripting fourth, on the MITRE Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Software Errors list [1]. Providing developers and testers with a mechanism by which they can identify the parameters that are vulnerable to Code Injection attacks, specifically SQL Injection, will help them develop secure web applications.

In particular, we propose to capitalize on user-session-based test cases to create test cases that are able to expose SQL Injection vulnerabilities. User sessions capture all user interactions with a web system and thus are representative of actual field usage of the web application [2]. They are particularly useful for SQL Injection attacks, because the attacks are themselves caused by malicious end-users of the web application.

In our approach, we first identify malicious values, typically supplied as parameter values in web applications, that cause code injection attacks. The malicious values we identify are ones commonly used in different types of SQL Injection attacks, such as Boolean exploitation, Union exploitation, stacked queries, time-based, and error-based exploitation. Then, we select a subset of user sessions by applying reduction algorithms and mutate the selected user sessions by replacing normal parameter values with the previously identified malicious values. In this poster, we present our approach and report results from an experimental evaluation designed to study the effectiveness of the newly developed test cases at detecting SQL Injection vulnerabilities. In the future, we plan to implement the proposed approach in a tool that will be made available to practitioners and researchers.
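The following script is an added illustration of the session-mutation pipeline the abstract describes; it is not the poster authors' tool. It records a few constructed user sessions, reduces them with an assumed greedy coverage heuristic (the abstract does not name its reduction algorithm), replaces one parameter value at a time with a small set of assumed test values from the Boolean and error-based classes, and runs the mutated requests against two toy SQLite-backed handlers: one that concatenates parameter values into SQL (the defect the test cases are meant to expose) and one that uses bound parameters. The oracle flags a (path, parameter) pair when a mutated request returns more rows than the benign request or raises a database error.

```python
"""Added example (not the poster's code): mutate recorded user sessions into
SQL injection test cases and check a toy handler for injectable parameters."""
import sqlite3
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of recorded user sessions: each session is the list of
# URLs the user requested, in order.
SESSIONS = {
    "s1": ["/login?user=alice&pwd=secret", "/search?q=books"],
    "s2": ["/login?user=bob&pwd=hunter2", "/search?q=pens&sort=price"],
    "s3": ["/search?q=ink"],
}

# Assumed test values: a lone quote (error-based probe) and two tautologies
# (Boolean exploitation). The poster's actual value set is not on the page.
MALICIOUS_VALUES = ["'", "' OR '1'='1", "' OR 1=1 --"]


def parse_session(urls):
    """Turn each recorded URL into (path, {param: value})."""
    return [(urlsplit(u).path, dict(parse_qsl(urlsplit(u).query))) for u in urls]


def reduce_sessions(sessions):
    """Assumed greedy reduction: keep a session only if it exercises some
    (path, parameter) pair that no earlier kept session already covers."""
    covered, kept = set(), []
    for sid, urls in sessions.items():
        pairs = {(p, k) for p, params in parse_session(urls) for k in params}
        if pairs - covered:
            covered |= pairs
            kept.append(sid)
    return kept


def mutate(path, params):
    """Yield (mutated_params, mutated_name): one parameter replaced per case."""
    for name in params:
        for value in MALICIOUS_VALUES:
            m = dict(params)
            m[name] = value
            yield m, name


def make_db():
    """In-memory SQLite database with constructed rows for the toy handlers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(name TEXT, pwd TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "secret"), ("bob", "hunter2")])
    db.execute("CREATE TABLE items(title TEXT)")
    db.executemany("INSERT INTO items VALUES (?)", [("books",), ("pens",), ("ink",)])
    return db


def handle_vulnerable(db, path, params):
    """Toy handler that builds SQL by string concatenation (the defect under test).
    The 'sort' parameter is accepted but never reaches the query."""
    if path == "/login":
        sql = (f"SELECT * FROM users WHERE name='{params.get('user', '')}' "
               f"AND pwd='{params.get('pwd', '')}'")
    else:
        sql = f"SELECT * FROM items WHERE title='{params.get('q', '')}'"
    return db.execute(sql).fetchall()


def handle_parameterized(db, path, params):
    """Same behaviour with bound parameters: values can never alter the query."""
    if path == "/login":
        return db.execute("SELECT * FROM users WHERE name=? AND pwd=?",
                          (params.get("user", ""), params.get("pwd", ""))).fetchall()
    return db.execute("SELECT * FROM items WHERE title=?",
                      (params.get("q", ""),)).fetchall()


def find_vulnerable_params(handler, sessions):
    """Run every mutated request from the reduced sessions and flag a
    (path, parameter) pair when the response shows an injection signal:
    more rows than the benign baseline, or a database error."""
    db = make_db()
    flagged = set()
    for sid in reduce_sessions(sessions):
        for path, params in parse_session(sessions[sid]):
            baseline = len(handler(db, path, params))
            for mutated, name in mutate(path, params):
                try:
                    if len(handler(db, path, mutated)) > baseline:
                        flagged.add((path, name))
                except sqlite3.Error:  # error-based signal
                    flagged.add((path, name))
    return sorted(flagged)


if __name__ == "__main__":
    print("concatenating handler:", find_vulnerable_params(handle_vulnerable, SESSIONS))
    print("parameterized handler:", find_vulnerable_params(handle_parameterized, SESSIONS))
```

Against the concatenating handler the oracle reports `user`, `pwd` and `q`; `sort` is exercised because session `s2` survives reduction, but it is never flagged because the handler never places it in a query. Against the parameterized handler nothing is flagged, which is the behaviour a fix should restore. A real oracle would compare HTTP responses, status codes and timing (for the time-based class) rather than row counts, and would need the benign baseline for each request to be stable across runs.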

References:

  1. Martin, B., Brown, M., Paller, A. and Kirby, D. 2011 CWE/SANS Top 25 Most Dangerous Software Errors (2011). Retrieved from The MITRE Corporation: http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.html.
  2. Bryce, R. C., Sampath, S. and Memon, A. M. Developing a Single Model and Test Prioritization Strategies for Event-Driven Software. IEEE Transactions on Software Engineering, 37(1), 48-64 (2011). DOI=10.1109/tse.2010.12.


Bio:

Sreedevi Sampath is an Associate Professor in the Department of Information Systems at the University of Maryland, Baltimore County. She earned her Ph.D. and M.S. in Computer and Information Sciences from the University of Delaware in 2006 and 2002, respectively, and her B.E. degree from Osmania University in Computer Science and Engineering in 2000. Her research interests are in the areas of software testing and quality assurance, web applications, software maintenance and software security. She has served on the program committees of international conferences, such as the International Conference on Software Testing Verification and Validation (ICST), International Symposium on Software Reliability Engineering (ISSRE), and the International Conference on Empirical Software Engineering and Measurement (ESEM). She is a member of the IEEE Computer Society.

License: CC-BY-NC-3.0