Generating Effective Attacks for Efficient and Precise Penetration Testing against SQL Injection

Abstract

An SQL injection attack is one of the most serious security threats to web applications. It allows an attacker to access the underlying database and execute arbitrary commands, which may lead to sensitive information disclosure. The primary way to prevent SQL injection attacks is to sanitize the user-supplied input. However, this is usually performed manually by developers and so is a laborious and error-prone task. Although security tools assist the developers in verifying the security of their web applications, they often generate a number of false positives/negatives. In this paper, we present our technique called Sania, which performs efficient and precise penetration testing by dynamically generating effective attacks through investigating SQL queries. Since Sania is designed to be used in the development phase of web applications, it can intercept SQL queries. By analyzing the SQL queries, Sania automatically generates precise attacks and assesses the security according to the context of the potentially vulnerable slots in the SQL queries. We evaluated our technique using real-world web applications and found that our solution is efficient. Sania generated more accurate attacks and less false positives than popular web application vulnerability scanners. We also found previously unknown vulnerabilities in a commercial product that was just about to be released and in open-source web applications.