Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks Ben Smith Laurie Williams Andrew Austin North Carolina.

Published byAlvin Stephens Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks Ben Smith Laurie Williams Andrew Austin North Carolina."— Presentation transcript:

1 1 Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks Ben Smith Laurie Williams Andrew Austin North Carolina State University

2 2 Motivation In the CWE/SANS Top 25 Most Dangerous Programming Errors: SQL injection vulnerabilities Error message information leak vulnerabilities These vulnerabilities are related –Ensuring that input falls within desired range –Handling the case when input is out of range

3 3 Why? How?

4 4 Objective The goal of this research is to assess the relative effectiveness of system and unit level testing of web applications to reveal both SQL injection vulnerabilities and error message information leakage vulnerabilities when used with an iterative test automation practice by a feature development team.

5 Agenda Motivation and Objective Background –What is feature development? –What’s a hotspot? Case Study on Four Java Web Apps Discussion 5

6 Feature Development 6 DatabaseApplication Logic User Interface Write Tests Edit Patient Information Database Application Logic User Interface Write Tests View Operational Profile Database Application Logic User Interface Write Tests

7 7 HOTSPOT

8 Agenda Motivation and Objective Background –What is feature development? –What’s a hotspot? Case Study on Four Java Web Apps Discussion 8

9 9 Case Study Four open source Java web applications (SourceForge.net): 1.How many malicious tests are included in the unit tests distributed with the applications? 2.What percentage of hotspots are executed by the unit tests distributed with the applications? 3.How does this number compare to the unit tests set’s statement coverage?

10 Subject Web Apps ProjectiTrustHispactaLogicServicesTuduLists Version4.00.0.31.82.2 Lines of Code7707199150116178 Production Classes 14342155132 Database Classes20415 10

11 Results ProjectiTrustHispactaLogicServicesTuduLists Hotspots92234813 Covered by Intrinsic Tests 8920473 Coverage97%87%98%23% Statement Coverage 84%49%53%40% Intrinsic Tests with Malicious Input 0000 11

12 Case Study, cont’d 4.Write system level test cases that execute every hotspot with input that is typical (safe) and then that is malicious. Do these tests expose: –SQL Injection Vulnerabilities? –Error Message Information Leakage Vulnerabilities? 12

13 Results, cont’d ProjectiTrustHispactaLogicServicesTuduLists System Level Tests EMIL Vulnerabilities 2294 SQLI Vulnerabilities 0000 13

14 Case Study, cont’d 5.Augment the unit tests in the same fashion that execute every hotspot with input that is typical (safe) and then that is malicious. Do these tests expose Error Message Information Leakage Vulnerabilities? 14

15 Results, cont’d ProjectiTrustHispactaLogicServicesTuduLists System Level Tests EMIL Vulnerabilities 2294 SQLI Vulnerabilities 0000 Unit Level Tests EMIL Vulnerabilities 0000 15

16 Agenda Motivation and Objective Background –What is feature development? –What’s a hotspot? Case Study on Four Java Web Apps Discussion 16

17 17 Summary Unit and system testing every hotspot did not expose any SQL injection vulnerabilities System level testing revealed 17 error message information leak vulnerabilities Attempted to expose the error message vulnerabilities at the unit level and we could not

18 18

19 19 Easy Solution

20 20 Conclusions Prepared statements (when used correctly) effectively protect against SQL injection attacks System level testing must be used to expose error message information leakage vulnerabilities when used with an iterative test automation practice by a feature development team.

21 21 Questions?

22 22 $username = $_POST[‘username’]; $password = $_POST[‘password’]; $result = mysql_query( “select * from users where username = ‘’ OR 1=1 ---’ AND password = ‘$password’”); $firstresult = mysql_fetch_array($result); $role = $firstresult[‘role’]; $_COOKIE[‘userrole’] = $role SQL Injection Attacks ‘ OR 1=1 --

Download ppt "1 Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks Ben Smith Laurie Williams Andrew Austin North Carolina."

Similar presentations

SQL Injection Stephen Frein Comcast.

SQL Injection Stephen Frein Comcast.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection Yuji Kosuga, Kenji Kono, Miyuki Hanaoka Keio University Miho Hishiyama,

Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection Yuji Kosuga, Kenji Kono, Miyuki Hanaoka Keio University Miho Hishiyama,
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.

James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
SQL-Injection attacks Damir Lizdek & Dan Rundlöf Language-based security.

SQL-Injection attacks Damir Lizdek & Dan Rundlöf Language-based security.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
Approaches to Application Security – DSM

Approaches to Application Security – DSM
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation
1.NET Web Forms Security Issues © 2002 by Jerry Post.

1.NET Web Forms Security Issues © 2002 by Jerry Post.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Web Application Security Testing Automation.. Copyright © 2008 Deloitte Touche Tohmatsu. All rights reserved.1 What types of automated testing are there?

Web Application Security Testing Automation.. Copyright © 2008 Deloitte Touche Tohmatsu. All rights reserved.1 What types of automated testing are there?

Similar presentations

Ads by Google