References of "Alshahwan, Nadia 40080183"
Peer Reviewed
Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach
Appelt, Dennis UL; Nguyen, Duy Cu UL; Briand, Lionel UL et al

in Proc. of the International Symposium on Software Testing and Analysis 2014 (2014, July 21)

Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of web technologies, they also suffer an unprecedented number of attacks and exploitations, like the Web. Among the attacks, those that target SQL injection vulnerabilities have consistently been top-ranked in recent years. Testing to detect such vulnerabilities before making web services public is crucial. We present in this paper an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach is effective at detecting SQL injection vulnerabilities and at producing inputs that bypass application firewalls, which is a common configuration in the real world.

Black-box SQL Injection Testing
Appelt, Dennis UL; Alshahwan, Nadia UL; Nguyen, Duy Cu UL et al

Report (2014)

Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of web technologies, they also suffer an unprecedented number of attacks and exploitations, like the Web. Among the attacks, those that target SQL injection vulnerabilities have consistently been top-ranked in recent years. Testing to detect such vulnerabilities before making web services public is crucial. We present in this report an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach outperforms contemporary known attacks in terms of vulnerability detection and the ability to get through an application firewall, which is a popular configuration in the real world.

Peer Reviewed
Model Based Test Validation and Oracles for Data Acquisition Systems
Di Nardo, Daniel UL; Alshahwan, Nadia UL; Briand, Lionel UL et al

in IEEE/ACM International Conference on Automated Software Engineering (2013, November)

Peer Reviewed
Coverage-Based Test Case Prioritisation: An Industrial Case Study
Di Nardo, Daniel UL; Alshahwan, Nadia UL; Briand, Lionel UL et al

in IEEE International Conference on Software Testing, Verification and Validation (ICST) (2013, March)

Peer Reviewed
Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing
Appelt, Dennis UL; Alshahwan, Nadia UL; Briand, Lionel UL

in Springer LNCS series (2013)

This paper examines the effects and potential benefits of utilising Web Application Firewalls (WAFs) and database proxies in SQL injection testing of web applications and services. We propose testing the WAF itself to refine and evaluate its security rules and prioritise fixing vulnerabilities that are not protected by the WAF. We also propose using database proxies as oracles for black-box security testing instead of relying only on the output of the application under test. The paper also presents a case study of our proposed approaches on two sets of web services. The results indicate that testing through WAFs can be used to prioritise vulnerabilities and that an oracle that uses a database proxy finds more vulnerabilities with fewer tries than an oracle that relies only on the output of the application.
