Doctoral thesis (Dissertations and theses)
Automated Security Testing of Web-Based Systems Against SQL Injection Attacks
Appelt, Dennis
2016
 

Files


Full Text
thesis.pdf
Author preprint (2.41 MB)
Download

All documents in ORBilu are protected by a user license.

Send to



Details



Keywords :
Security Testing; Penetration Testing; SQL Injection
Abstract :
[en] Injection vulnerabilities, such as SQL injection (SQLi), are ranked amongst the most dangerous types of vulnerabilities. Despite having received much attention from academia and practitioners, the prevalence of SQLi is common and the impact of their successful exploitation is severe. In this dissertation, we propose several security testing approaches that evaluate web applications and services for vulnerabilities and common IT infrastructure components such as for their resilience against attacks. Each of the presented approaches covers a different aspect of security testing, e.g. the generation of test cases or the definition of test oracles, and in combination they provide a holistic approach. The work presented in this dissertation was conducted in collaboration with SIX Payment Services (formerly CETREL S.A.). SIX Payment Services is a leading provider of financial services in the area of payment processing, e.g. issuing of credit and debit cards, settlement of card transactions, online payments, and point-of-sale payment terminals. We analyse the challenges SIX is facing in security testing and base our testing approaches on assumptions inferred from our findings. Specifically, the devised testing approaches are automated, applicable in black box testing scenarios, able to assess and bypass Web Application Firewalls (WAF), and use an accurate test oracle. The devised testing approaches are evaluated with SIX’ IT platform, which consists of various web services that process several thousand financial transactions daily. The main research contributions in this dissertation are: - An assessment of the impact of Web Application Firewalls and Database Intrusion Detection Systems on the accuracy of SQLi testing. - An input mutation technique that can generate a diverse set of test cases. We propose a set of mutation operators that are specifically designed to increase the likelihood of generating successful attacks. - A testing technique that assesses the attack detection capabilities of a Web Application Firewall (WAF) by systematically generating attacks that try to bypass it. - An approach that increases the attack detection capabilities of a WAF by inferring a filter rule from a set of bypassing attacks. The inferred filter rule can be added to the WAF’s rule set to prevent attacks from bypassing. - An automated test oracle that is designed to meet the specific requirements of testing in an industrial context and that is independent of any specific test case generation technique.
Disciplines :
Computer science
Author, co-author :
Appelt, Dennis ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Language :
English
Title :
Automated Security Testing of Web-Based Systems Against SQL Injection Attacks
Defense date :
24 June 2016
Institution :
Unilu - University of Luxembourg, Luxembourg, Luxembourg
Degree :
Docteur en Informatique
President :
Jury member :
Pretschner, Alexander
Vieira, Marco
Focus Area :
Security, Reliability and Trust
FnR Project :
FNR4800382 - Black-box Security Testing For Web Applications And Services, 2012 (01/10/2012-30/06/2016) - Dennis Appelt
Name of the research project :
Black-Box Security Testing for Web Applications and Services
Funders :
FNR - Fonds National de la Recherche [LU]
Available on ORBilu :
since 07 July 2016

Statistics


Number of views
684 (60 by Unilu)
Number of downloads
1725 (33 by Unilu)

Bibliography


Similar publications



Contact ORBilu