MUSIC: Mutation-based SQL Injection Vulnerability Checking
- 1 August 2008
- conference paper
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
Abstract
SQL injection is one of the most prominent vulnerabilities for web-based applications. Exploitation of SQL injection vulnerabilities (SQLIV) through successful attacks might result in severe consequences such as authentication bypassing, leaking of private information etc. Therefore, testing an application for SQLIV is an important step for ensuring its quality. However, it is challenging as the sources of SQLIV vary widely, which include the lack of effective input filters in applications, insecure coding by programmers, inappropriate usage of APIs for manipulating databases etc. Moreover, existing testing approaches do not address the issue of generating adequate test data sets that can detect SQLIV. In this work, we present a mutation-based testing approach for SQLIV testing. We propose nine mutation operators that inject SQLIV in application source code. The operators result in mutants, which can be killed only with test data containing SQL injection attacks. By this approach, we force the generation of an adequate test data set containing effective test cases capable of revealing SQLIV. We implement a MUtation-based SQL Injection vulnerabilities Checking (testing) tool (MUSIC) that automatically generates mutants for the applications written in Java Server Pages (JSP) and performs mutation analysis. We validate the proposed operators with five open source web-based applications written in JSP. We show that the proposed operators are effective for testing SQLIV.Keywords
This publication has 13 references indexed in Scilit:
- SQL-IDSPublished by Association for Computing Machinery (ACM) ,2008
- The Automatic Defense Mechanism for Malicious Injection AttackPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2007
- Mutating database queriesInformation and Software Technology, 2007
- AMNESIAPublished by Association for Computing Machinery (ACM) ,2005
- Using parse tree validation to prevent SQL injection attacksPublished by Association for Computing Machinery (ACM) ,2005
- Fault-Based Testing of Database Application Programs with Conceptual Data ModelPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2005
- SQLrand: Preventing SQL Injection AttacksLecture Notes in Computer Science, 2004
- Software unit test coverage and adequacyACM Computing Surveys, 1997
- Weak Mutation Testing and Completeness of Test SetsIEEE Transactions on Software Engineering, 1982
- Hints on Test Data Selection: Help for the Practicing ProgrammerComputer, 1978