
Research On Model Driven Penetration Test For SQL Injection Vulnerability In Web Applications

Posted on: 2013-07-24 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: W Tian | Full Text: PDF
GTID: 1228330395987573 | Subject: Computer application technology
Abstract/Summary:
Web applications are increasingly important in internet transactions of all kinds. Security vulnerabilities in web applications, however, pose a serious threat to current web security, and many web applications contain vulnerabilities that undermine their safety. It is therefore imperative to determine, through security testing, whether a web application is vulnerable.

Penetration testing is a security testing approach that uses mock attacks to detect software vulnerabilities. It has many advantages for detecting vulnerabilities in web applications, so research on it is drawing more and more academic attention. However, current research on SQL injection penetration testing has not provided an appropriate theory to guide the generation of adequate SQL injection penetration test cases (the attack pattern library). As a result, current SQL injection penetration tests cannot adequately exercise the defense mechanisms of a web application and so fail to find SQL injection vulnerabilities hidden behind inadequate defense mechanisms, which causes false negatives and impairs test accuracy.

This dissertation aims to improve the accuracy of SQL injection penetration testing by improving the SQL injection penetration test cases. We propose a model-driven SQL injection penetration test method. The core idea of the method is to guide the generation of SQL injection penetration test cases through an SQL injection attack model and a test case model. Test case generation is therefore achieved in two steps: i) building a model of the penetration test case; and ii) instantiating the penetration test case model.

The research work and innovations of this dissertation mainly include:

1) Establishing an SQL injection attack model based on the security goal model, and an attack-model-driven SQL injection penetration test framework. We build a new SQL injection attack model using the security goal model method. Compared with the existing models proposed in related work, the new model describes more fully the regularity of SQL injection attack input, the features of SQL injection vulnerabilities, and the attack vectors. Accordingly, we propose an attack-model-driven SQL injection penetration test framework in which the new SQL injection attack model guides SQL injection test case generation. The innovation of this research lies in SQL injection attack modeling and in improving SQL injection test cases under the guidance of the SQL injection attack model.

2) Establishing a formal modeling approach for the SQL injection penetration test case. Under the guidance of the proposed new SQL injection attack model, we build the SQL injection penetration test case model, which covers two aspects: describing the regularity of SQL injection attack input through formal symbolic notation, and describing the features of SQL injection vulnerabilities through a formal language. We then establish the modeling method for describing the SQL injection attack input and the criteria for judging whether an SQL injection vulnerability exists. The penetration test case input can be correctly specified under the guidance of the model; the test case model is the "reminder" of what test cases should be used. In addition, the test case model achieves a finite description of the infinite test case input. The innovation of this research lies in establishing a formal description of the SQL injection penetration test case.

3) Proposing an instantiation method for the SQL injection penetration test case model. We propose a series of new coverage criteria for SQL injection penetration test cases. These criteria guide the instantiation of the test case model and serve as the adequacy metric for penetration test cases. Using the proposed instantiation method and coverage criteria, the SQL injection penetration test case model can be transformed into executable test cases. These improved test cases can improve the accuracy of SQL injection penetration testing, and the proposed coverage criteria indicate how many test cases should be used. The innovation of this research lies in establishing the instantiation method for the SQL injection penetration test case model and the adequacy metric for penetration test cases.

4) Proposing an evaluation method for SQL injection penetration test cases based on web applications with multi-level defense mechanisms. We place two levels of defense against SQL injection attacks in the channels through which the subject web applications access their back-end databases, thereby seeding the subject web applications with SQL injection vulnerabilities of differing detection difficulty. On such an evaluation platform, only an adequate and organized set of SQL injection penetration test cases can find all seeded SQL injection vulnerabilities within feasible time. On these evaluation platforms, we use different test case sets to detect the seeded SQL injection vulnerabilities. The test results show that the test case set we propose finds the seeded SQL injection vulnerabilities more thoroughly than a random enumeration test case set and than test case sets based on other SQL injection attack models, thus reducing the false negatives of penetration testing, which demonstrates the superiority and feasibility of our approach.
Keywords/Search Tags: Penetration Test, SQL Injection, Attack Model, Test Case, Web Application