Security testing of web applications for detecting and removing second-order SQL injection vulnerabilities

Bibliographic Details
Main Author: Draib, Najla'a Ateeq Mohammed
Format: Thesis
Language: English
Published: 2022
Subjects: Web applications - Security measures; SQL (Computer program language); Computer security
Online Access: http://psasir.upm.edu.my/id/eprint/113153/1/113153.pdf
institution Universiti Putra Malaysia
collection PSAS Institutional Repository
advisor Md Sultan, Abu Bakar
topic Web applications - Security measures
SQL (Computer program language)
Computer security
description Structured query language injection vulnerability (SQLIV) is one of the most prevalent and severe web application vulnerabilities. It is usually exploited by SQL injection attacks (SQLIA) to gain unauthorised access to back-end databases by altering the original SQL statements through input data manipulation. A successful attack can compromise the integrity, privacy, and availability of information in the database. As a particular type of SQL injection (SQLI), the second-order SQLIA tends to be more severe and more difficult to detect. It has a more significant impact on the back-end database than the first-order SQLIA because the injected payload is first seeded into the application's persistent storage, which is usually deemed a trusted source, before it is actually exploited. To protect a web application from a malicious user, test procedures for identifying and removing SQLIVs must be implemented early in the software development life cycle (SDLC), specifically before the application is brought into production and becomes exposed to attack. Several efforts have been devoted to detecting SQLIVs and preventing their exploitation, but the majority focus on detecting first-order SQL injection vulnerabilities. However, the mechanisms needed to detect first-order SQLIV, which may lead to SQLIA at the application level, may not catch second-order SQLIV, specifically because the malicious inputs supplied by the attacker can be concatenated with the SQL statement at the database level. Moreover, existing techniques only report the detected vulnerabilities and leave their removal as a burden on the programmer. As far as the literature shows, none of the current automated methods has exhibited the ability to deal with this phenomenon; hence the actual fixing of any vulnerability is left to the human developer.
However, manual removal of such vulnerabilities is tedious, error-prone, and costly. Second-order injections are also difficult to prevent because the point of injection differs from the point of attack, so more care is needed to detect and prevent them: both points (the point of injection and the point of attack) should be validated carefully. To address the weaknesses above and the identified research gaps, this study proposes a white-box testing technique for the automated detection and removal of second-order SQLIVs in web applications using static analysis of source code. The static analysis identifies candidate pairs of vulnerable paths to second-order SQLI: it statically detects when data comes from a tainted source, when it is stored in the back-end database, and when it is retrieved later at another point to build a new SQL statement without proper sanitisation. The technique also applies a removal algorithm that uses an escaping method to remove the detected vulnerabilities. A prototype tool, called Second-order SQL injection Protector (SoSQLiP), was developed to test the proposed technique. The test was conducted on eleven PHP web applications: ten applications available on the internet that other researchers have used, and one application developed by the researcher. The results were empirically evaluated against an existing tool to determine the effectiveness of the automatic detection of second-order SQLIVs. Promising results were obtained from both evaluations: the experiments show that the proposed technique has a detection rate of 100% and a vulnerability removal rate of 100%, and it achieved a better vulnerability detection rate than the state-of-the-art tool (i.e., SQLMAP). Future studies should expand the scope of the research to include more types of vulnerabilities, such as second-order XSS vulnerabilities.
qualification_level Doctorate