Security testing of web applications for detecting and removing second-order SQL injection vulnerabilities

Bibliographic Details
Main Author: Draib, Najla'a Ateeq Mohammed
Format: Thesis
Language:English
Published: 2022
Subjects: Web applications - Security measures; SQL (Computer program language); Computer security
Online Access:http://psasir.upm.edu.my/id/eprint/113153/1/113153.pdf
http://psasir.upm.edu.my/id/eprint/113153/
id my.upm.eprints.113153
record_format eprints
institution Universiti Putra Malaysia
building UPM Library
collection Institutional Repository
continent Asia
country Malaysia
content_provider Universiti Putra Malaysia
content_source UPM Institutional Repository
url_provider http://psasir.upm.edu.my/
language English
topic Web applications - Security measures
SQL (Computer program language)
Computer security
description Structured query language injection vulnerability (SQLIV) is one of the most prevalent and severe web application vulnerabilities. It is usually exploited by SQL injection attacks (SQLIA) to gain unauthorised access to back-end databases by altering the original SQL statements through manipulation of input data. A successful attack can compromise the integrity, privacy, and availability of information in the database. As a particular type of SQL injection (SQLI), the second-order SQLIA tends to be more severe and more difficult to detect. It has a greater impact on the back-end database than the first-order SQLIA because the injected payload is first seeded into the application's persistent storage, which is usually treated as a trusted source, before it is actually exploited. To protect a web application from a malicious user, test procedures for identifying and removing SQLIVs must be applied early in the software development life cycle (SDLC), specifically before the application is brought into production and exposed to attack. Several efforts have been devoted to detecting SQLIVs and preventing their exploitation, but the majority focus on detecting first-order SQL injection vulnerabilities. However, the mechanisms that detect first-order SQLIV, which leads to SQLIA at the application level, may not be able to catch second-order SQLIV, because in that case the attacker-supplied input is concatenated into the SQL statement only after it has been stored in and retrieved from the database. Moreover, existing techniques only report the detected vulnerabilities and leave their removal as a burden on the programmer. As far as the literature shows, none of the current automated methods can handle this; the actual fixing of any vulnerability is left to the human developer.
However, manual removal of such vulnerabilities is tedious, error-prone, and costly. Second-order injections are also difficult to prevent because the point of injection differs from the point of attack, so more care must be taken to detect and prevent them, and both points (the point of injection and the point of attack) must be validated carefully. To address these weaknesses and the identified research gaps, this study introduces a white-box testing technique for the automated detection and removal of second-order SQLIVs in web applications using static analysis of source code. The static analysis identifies candidate pairs of paths that are vulnerable to second-order SQLI: it detects when data originates from a tainted source, when it is stored in the back-end database, and when it is later retrieved at another point to build a new SQL statement without proper sanitisation. The technique also applies a removal algorithm, which uses an escaping method to remove the detected vulnerabilities. A prototype tool, Second-order SQL injection Protector (SoSQLiP), was developed to evaluate the proposed technique. The evaluation used eleven PHP web applications: ten publicly available applications that other researchers have used and one application developed by the researcher. The results were empirically compared with an existing tool to determine the effectiveness of automatic detection of second-order SQLIVs, and promising results were obtained from both evaluations. The experiments show that the proposed technique achieves a detection rate of 100% and a vulnerability removal rate of 100%, a better detection rate than the state-of-the-art tool (i.e., SQLMAP). Future studies should expand the scope of the research to include more types of vulnerabilities, such as second-order XSS vulnerabilities.
format Thesis
author Draib, Najla'a Ateeq Mohammed
title Security testing of web applications for detecting and removing second-order SQL injection vulnerabilities
publishDate 2022
Citation: Draib, Najla'a Ateeq Mohammed (2022) Security testing of web applications for detecting and removing second-order SQL injection vulnerabilities. Doctoral thesis, Universiti Putra Malaysia. Published 2022-11. Non peer reviewed.