UPM Institutional Repository

Security testing of web applications for detecting and removing second-order SQL injection vulnerabilities


Citation

Draib, Najla'a Ateeq Mohammed (2022) Security testing of web applications for detecting and removing second-order SQL injection vulnerabilities. Doctoral thesis, Universiti Putra Malaysia.

Abstract

Structured query language injection vulnerability (SQLIV) is one of the most prevalent and severe web application vulnerabilities. It is usually exploited by SQL injection attacks (SQLIA) to gain unauthorised access to the back-end database by altering the original SQL statements through manipulated input data. A successful attack can compromise the integrity, privacy, and availability of information in the database. As a particular type of SQL injection (SQLI), second-order SQLIA tends to be more severe and harder to detect. It has a greater impact on the back-end database than first-order SQLIA because the injected payload is first seeded into the application's persistent storage, which is usually treated as a trusted source, before it is actually exploited. To protect a web application from a malicious user, test procedures for identifying and removing SQLIVs must be applied early in the software development life cycle (SDLC), specifically before the application is brought into production and becomes exposed to attack. Several efforts have been devoted to detecting SQLIVs and preventing their exploitation, but the majority focus on detecting first-order SQL injection vulnerabilities. However, the mechanisms that detect first-order SQLIV, where the attack occurs at the application level, may not be able to catch second-order SQLIV, because the malicious input supplied by the attacker reaches the SQL statement only after it has been stored in and read back from the database. Moreover, the existing techniques only report the detected vulnerabilities and leave their removal as a burden on the programmer. As far as the literature shows, none of the current automated methods can handle this, so the actual fixing of any vulnerability is left to the human developer.
However, manual removal of such vulnerabilities is tedious, error-prone, and costly. Second-order injections are also difficult to prevent because the point of injection differs from the point of attack, so more care is needed to detect and prevent them: both points (the point of injection and the point of attack) should be validated carefully. To address these weaknesses and the identified research gaps, this study presents a white-box testing technique for automated detection and removal of second-order SQLIVs in web applications using static analysis of the source code. The static analysis identifies candidate pairs of paths vulnerable to second-order SQLI: it detects where data comes from tainted sources, where it is stored in the back-end database, and where it is later retrieved at another point to build a new SQL statement without proper sanitisation. The technique then applies a removal algorithm that uses an escaping method to remove the detected vulnerabilities. A prototype tool, Second-order SQL injection Protector (SoSQLiP), was developed to test the proposed technique. The test was conducted on eleven PHP web applications: ten publicly available applications that other researchers have used and one application developed by the researcher. The results were evaluated empirically against an existing tool to determine the effectiveness of automatic detection of second-order SQLIVs, and promising results were obtained from both evaluations. The experiments show that the proposed technique has a detection rate of 100% and a vulnerability removal rate of 100%, and a better vulnerability detection rate than the state-of-the-art tool (i.e., SQLMAP). Future studies should expand the scope of the research to include more types of vulnerabilities, such as second-order XSS vulnerabilities.
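The injection-point/attack-point split the abstract describes is easiest to see in code. The following is an added illustration written for this record, not code from the thesis or from the SoSQLiP tool. It uses an in-memory SQLite database and a constructed two-table schema (users and notes) standing in for a web application's back end: registration stores the username with a parameterised query (so a first-order check passes), and a later request reads that stored value back and concatenates it into a new statement. The vulnerable handler is shown beside two fixes: an escaping-based removal in the spirit of the thesis (quote doubling, an illustrative simplification) and a parameterised query. All function names and sample values are constructed for the example.

```python
import sqlite3


def setup_db():
    """Constructed schema: an accounts table (point of injection) and a notes
    table that a later request filters by owner (point of attack)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "note for alice"), ("bob", "note for bob")],
    )
    conn.commit()
    return conn


def register(conn, username):
    """Point of injection: the value is stored with a bound parameter, so this
    handler is safe on its own and a first-order scanner reports nothing."""
    cur = conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    conn.commit()
    return cur.lastrowid


def load_username(conn, user_id):
    """Read the stored value back; the application now treats it as trusted."""
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]


def list_notes_vulnerable(conn, user_id):
    """Point of attack: the stored name is concatenated into a new statement
    without sanitisation, which is the second-order SQLIV pattern."""
    username = load_username(conn, user_id)
    query = "SELECT body FROM notes WHERE owner = '" + username + "'"
    return [r[0] for r in conn.execute(query)]


def escape_sql_literal(value):
    """Escaping-based removal (illustrative): doubling the quote character keeps
    the value inside a single-quoted SQL string literal. Real escaping must be
    dialect-aware; this helper only handles the quote delimiter."""
    return value.replace("'", "''")


def list_notes_escaped(conn, user_id):
    """Same concatenation, but the retrieved value is escaped at the attack point."""
    username = escape_sql_literal(load_username(conn, user_id))
    query = "SELECT body FROM notes WHERE owner = '" + username + "'"
    return [r[0] for r in conn.execute(query)]


def list_notes_parameterised(conn, user_id):
    """Preferred fix: binding the value means it can never alter the statement's
    structure, regardless of what was stored earlier."""
    username = load_username(conn, user_id)
    return [r[0] for r in conn.execute("SELECT body FROM notes WHERE owner = ?", (username,))]


def demo():
    """Run all three handlers against a constructed username that carries a
    quote and a tautology, and return what each one exposes."""
    conn = setup_db()
    uid = register(conn, "mallory' OR '1'='1")
    return {
        "vulnerable": sorted(list_notes_vulnerable(conn, uid)),
        "escaped": list_notes_escaped(conn, uid),
        "parameterised": list_notes_parameterised(conn, uid),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant:14s} -> {rows}")
```

Running the block shows the vulnerable handler returning every user's notes, while both fixed handlers return nothing for the constructed account, which is the correct answer because no note has that owner. A detector of the kind the abstract describes would flag `register` and `list_notes_vulnerable` as a candidate pair: a tainted source written to the database at one point and read back into a concatenated statement at another.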


Download File

113153.pdf (Text, 1MB)

Additional Metadata

Item Type: Thesis (Doctoral)
Subject: Web applications - Security measures
Subject: SQL (Computer program language)
Subject: Computer security
Call Number: FSKTM 2022 27
Chairman Supervisor: Professor Abu Bakar Md Sultan, PhD
Divisions: Faculty of Computer Science and Information Technology
Depositing User: Ms. Rohana Alias
Date Deposited: 28 Oct 2024 03:09
Last Modified: 28 Oct 2024 03:09
URI: http://psasir.upm.edu.my/id/eprint/113153