Security testing of web applications for detecting and removing second-order SQL injection vulnerabilities
Format: Thesis
Language: English
Published: 2022
Online Access: http://psasir.upm.edu.my/id/eprint/113153/1/113153.pdf
Summary:

Structured query language injection vulnerability (SQLIV) is one of the most prevalent and severe web application vulnerabilities. It is usually exploited by SQL injection attacks (SQLIA) to gain unauthorised access to the back-end database by altering the original SQL statements through manipulated input data. A successful attack can compromise the integrity, confidentiality, and availability of the information in the database. As a particular type of SQL injection (SQLI), the second-order SQLIA tends to be more severe and harder to detect. It has a greater impact on the back-end database than the first-order SQLIA because the injected payload is first seeded into the application's persistent storage, which is usually treated as a trusted source, before it is actually exploited. To protect a web application from a malicious user, test procedures for identifying and removing SQLIVs must be applied early in the software development life cycle (SDLC), specifically before the application is brought into production and exposed to attack.

Many efforts have been devoted to detecting SQLIVs and preventing their exploitation, but the majority address the detection of first-order SQL injection vulnerabilities. The mechanisms that detect first-order SQLIVs, where the attack happens at the application level, may not catch second-order SQLIVs, because the attacker's malicious input is concatenated into an SQL statement only after it has been read back from the database. Moreover, the existing techniques only report the detected vulnerabilities and leave their removal as a burden on the programmer. As far as the literature shows, none of the current automated methods can handle this phenomenon, so the actual fixing of any vulnerability is left to the human developer, and manual removal is tedious, error-prone, and costly. Second-order injections are also difficult to prevent because the point of injection differs from the point of attack, so more care is needed to detect and prevent them: both points (the point of injection and the point of attack) must be validated carefully.

To address these weaknesses and the identified research gaps, this study proposes a white-box testing technique for the automated detection and removal of second-order SQLIVs in web applications using static analysis of the source code. The static analysis identifies candidate pairs of paths that are vulnerable to second-order SQLI: it statically detects when data comes from a tainted source, when it is stored in the back-end database, and when it is later retrieved at another point to build a new SQL statement without proper sanitisation. The technique then applies a removal algorithm that uses escaping to remove the detected vulnerabilities. A prototype tool, called Second-order SQL injection Protector (SoSQLiP), was developed to evaluate the proposed technique. The evaluation used eleven PHP web applications: ten applications available on the internet that other researchers have used, and one application developed by the researcher. The results were empirically compared with an existing tool to determine the effectiveness of the automatic detection of second-order SQLIVs, and promising results were obtained from both evaluations. The experiments show that the proposed technique achieves a detection rate of 100% and a vulnerability removal rate of 100%, and a better vulnerability detection rate than the state-of-the-art tool (i.e., SQLMAP). Future studies should expand the scope of the research to include more types of vulnerabilities, such as second-order XSS vulnerabilities.
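The seeded-then-retrieved data flow described in the summary, as an added example that is not part of the thesis or of the SoSQLiP tool: a constructed Python/SQLite user store in which registration is fully parameterised (the point of injection, where a first-order check sees nothing wrong), while the password-change path reads the stored username back from the database and concatenates it into a new UPDATE (the point of attack). The schema, the payload, and all function names are assumptions made for the demonstration; the `sql_escape` helper is standard single-quote doubling shown as an illustration of an escaping-based fix, not the thesis's own removal algorithm, and is placed beside the parameterised fix for comparison.

```python
import sqlite3

# Constructed payload: the closing quote and comment marker are stored verbatim
# at registration and only become SQL syntax at the later, second-order sink.
PAYLOAD_USERNAME = "admin'--"


def make_db() -> sqlite3.Connection:
    """Constructed schema and seed data for the demonstration (not from the thesis)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)", ("admin", "s3cret")
    )
    conn.commit()
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Point of injection. The query is parameterised, so the payload is stored
    as plain data and nothing fails here: this is why first-order detection
    that inspects only this statement reports no vulnerability."""
    cur = conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)", (username, password)
    )
    conn.commit()
    return cur.lastrowid


def change_password_vulnerable(conn: sqlite3.Connection, user_id: int, new_password: str) -> None:
    """Point of attack. The username is read back from the database, treated as
    trusted, and concatenated into a new statement without sanitisation."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    sql = f"UPDATE users SET password = '{new_password}' WHERE username = '{username}'"
    # With the stored username admin'-- the statement becomes
    #   UPDATE users SET password = '...' WHERE username = 'admin'--'
    # so the trailing quote is commented out and the admin row is updated.
    conn.execute(sql)
    conn.commit()


def sql_escape(value: str) -> str:
    """Illustrative escaping fix (standard SQL quote doubling). This is an
    assumption for the example, not the removal algorithm used by SoSQLiP."""
    return value.replace("'", "''")


def change_password_escaped(conn: sqlite3.Connection, user_id: int, new_password: str) -> None:
    """Same code path with every stored or user-supplied value escaped before
    it is concatenated into the statement."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    sql = (
        f"UPDATE users SET password = '{sql_escape(new_password)}' "
        f"WHERE username = '{sql_escape(username)}'"
    )
    conn.execute(sql)
    conn.commit()


def change_password_parameterised(conn: sqlite3.Connection, user_id: int, new_password: str) -> None:
    """Same code path using bound parameters at the sink, the preferred fix."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    conn.execute(
        "UPDATE users SET password = ? WHERE username = ?", (new_password, username)
    )
    conn.commit()


def password_of(conn: sqlite3.Connection, username: str) -> str:
    """Read a password back with a parameterised query (safe for any username)."""
    return conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


def run_scenario(change_password) -> dict:
    """Register the attacker, trigger the second-order sink, and report which
    account actually had its password changed."""
    conn = make_db()
    attacker_id = register(conn, PAYLOAD_USERNAME, "pw")
    change_password(conn, attacker_id, "owned")
    return {
        "admin": password_of(conn, "admin"),
        "attacker": password_of(conn, PAYLOAD_USERNAME),
    }


if __name__ == "__main__":
    for fn in (change_password_vulnerable, change_password_escaped, change_password_parameterised):
        print(fn.__name__, run_scenario(fn))
```

Only the vulnerable variant changes the admin password; both fixes update the attacker's own row instead. The comment-marker detail is engine-specific: SQLite accepts `--` directly after a quote, whereas MySQL requires whitespace after `--` (or the `#` marker), so the payload needed to reach a given sink varies, which is one reason static source-to-sink pairing is more reliable than probing with a fixed payload set.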