Automated testing for SQL injection vulnerabilities: An input mutation approach

Dennis Appelt, Cu Duy Nguyen, Lionel C. Briand, Nadia Alshahwan

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of the web technologies, they suffer also an unprecedented amount of attacks and exploitations like the Web. Among the attacks, those that target SQL injection vulnerabilities have consistently been top-ranked for the last years. Testing to detect such vulnerabilities before making web services public is crucial. We present in this paper an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach is effective to detect SQL injection vulnerabilities and to produce inputs that bypass application firewalls, which is a common configuration in real world.

Original languageEnglish
Title of host publication2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings
PublisherAssociation for Computing Machinery, Inc
Pages259-269
Number of pages11
ISBN (Electronic)9781450326452
DOIs
Publication statusPublished - 21 Jul 2014
Externally publishedYes
Event23rd International Symposium on Software Testing and Analysis, ISSTA 2014 - San Jose, United States
Duration: 21 Jul 201425 Jul 2014

Publication series

Name2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings

Conference

Conference23rd International Symposium on Software Testing and Analysis, ISSTA 2014
Country/TerritoryUnited States
CitySan Jose
Period21/07/1425/07/14

Keywords

  • Mutation testing
  • SQL injection
  • Test generation

Fingerprint

Dive into the research topics of 'Automated testing for SQL injection vulnerabilities: An input mutation approach'. Together they form a unique fingerprint.

Cite this