Exposing SQL Injection Vulnerability through Penetration Test based on Finite State Machine
Penetration test is one of the most used SQL Injection Vulnerability (SQLIV) testing technology. Focused on the insufficiency of test accuracy problem in SQLIV black-box penetration test process, we discuss the limitation of the traditional approaches based on test case library enumerating methods a...
Saved in:
Published in | 2016 2nd IEEE International Conference on Computer and Communications (ICCC) pp. 1171 - 1175 |
---|---|
Main Authors | , , , , , |
Format | Conference Proceeding |
Language | English |
Published |
IEEE
01.10.2016
|
Subjects | |
Online Access | Get full text |
Cover
Loading…
Summary: | Penetration test is one of the most used SQL Injection Vulnerability (SQLIV) testing technology. Focused on the insufficiency of test accuracy problem in SQLIV black-box penetration test process, we discuss the limitation of the traditional approaches based on test case library enumerating methods and propose a SQLIV Penetration Test approach based on Finite State Machine (SPT-FSM). The proposed approach establishes FSM based on the states corresponding to different SQLIV penetration test cases, map the statuses of test cases and their relevant responses, and analyzes the transition regularity of the established FSM for the testing of SQLIV with dynamic nature and states transition characteristics. We conduct experiments about the proposed approach and compare it with a popular state-of-the-art benchmarking tool. The experimental results show that the proposed approach can effectively improve the accuracy of SQLIV penetration test by reducing False Negatives (FN) and False Positives (FP). |
---|---|
DOI: | 10.1109/CompComm.2016.7924889 |