Exposing SQL Injection Vulnerability through Penetration Test based on Finite State Machine
| Published in | 2016 2nd IEEE International Conference on Computer and Communications (ICCC), pp. 1171-1175 |
| --- | --- |
| Main Authors | Lei Liu, Jing Xu, Chenkai Guo, Jiehui Kang, Sihan Xu, Biao Zhang |
| Format | Conference Proceeding |
| Language | English |
| Published | IEEE, 01.10.2016 |
| Subjects | finite state machine; FSM; software testing; SQL injection; switching circuits; testing; uniform resource locators; web application security |
| Online Access | https://ieeexplore.ieee.org/document/7924889 |
| Abstract | Penetration testing is one of the most widely used SQL Injection Vulnerability (SQLIV) testing technologies. Focusing on the problem of insufficient test accuracy in the SQLIV black-box penetration test process, we discuss the limitations of the traditional approaches based on test-case-library enumeration methods and propose a SQLIV Penetration Test approach based on a Finite State Machine (SPT-FSM). The proposed approach establishes an FSM based on the states corresponding to different SQLIV penetration test cases, maps the statuses of test cases and their relevant responses, and analyzes the transition regularity of the established FSM for the testing of SQLIV with its dynamic nature and state-transition characteristics. We conduct experiments on the proposed approach and compare it with a popular state-of-the-art benchmarking tool. The experimental results show that the proposed approach can effectively improve the accuracy of SQLIV penetration testing by reducing False Negatives (FN) and False Positives (FP). |
| --- | --- |
| Authors | Lei Liu (leiliu1983@foxmail.com), Jing Xu, Chenkai Guo, Jiehui Kang, Sihan Xu, Biao Zhang; all with Coll. of Comput. & Control Eng., Nankai Univ., Tianjin, China |
| --- | --- |
| Title | Exposing SQL Injection Vulnerability through Penetration Test based on Finite State Machine |
| Publication | 2016 2nd IEEE International Conference on Computer and Communications (ICCC), IEEE, October 2016 (2016-10-01) |
| Pages | 1171-1175 (5 pages) |
| DOI | 10.1109/CompComm.2016.7924889 |
| EISBN | 9781467390262; 1467390267; 9781467390255; 1467390259 |
| IEEE document ID | 7924889 |
| Subject terms | finite state machine; FSM; software testing; SQL injection; switching circuits; testing; uniform resource locators; web application security |
| Source | IEEE Electronic Library (IEL) Conference Proceedings; https://ieeexplore.ieee.org/document/7924889 |