Attack Generation and Vulnerability Discovery in Penetration Testing using Sql Injection
Keywords:
Testing, Security Testing, Penetration Testing, Sql InjectionAbstract
Now a days the use of the world wide web (www) is increasing rapidly and leading to security breaches of a system so testing the software system has been made iterative. Testing requires effort, time and skilful person. Hacking mostly occur in banking sector and business organizations because they maintain all the conï¬dential information. One of the hacking technique is commonly occur in banking sector is sql injection. Security testing can be done by two ways i.e static analysis which is otherwise known as white box testing and by dynamic analysis which is known as black box testing.In this paper we have shown the penetration testing of web application to detect the sql injection vulnerability. This paper describes the penetration testing processes and mainly focuses on vulnerability discovery, attack generation and obtain the test cases and maintaining a pentester database which store all the attack responses. We have taken an internet banking transaction case study. This paper has the main motivation is to detect the sql injection by the attack generation. In sql injection system the attacker might insert a malicious code in the user input ï¬eld and trying to gain access the confidential and sensitive information from the database and making the database insecure. Penetration testing is widely used to simulate an attack of the web application and then analysis the attack pattern and give better solution to the system. This paper has given an overview of the penetration testing process and sql injection attack and a pentester database.
References
Halfond WGJ, Orso , Improving penetration testing through static and dynamic analysis, Software Testing, Verification, And Reliability(2011).
Pulei Xiong, Liam Peyton, A Model-Driven Penetration Test Framework for Web Applications, 2010 Eighth Annual International Conference on Privacy, Security and Trust.
Lashanda Dukes,Xiaohong yuan, A case study on web application security testing with tools and manual testing, 2013.
Halfond WGJ, Orso A. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks, Proceedings of the International Conference on Automated Software Engineering, Long Beach, CA, U.S.A., November 2005;174183.
T. Pietraszek and C. V. Berghe , Defending Against Injection Attacks through Context-Sensitive String Evaluation, In Proceedings of Recent Advances in Intrusion Detection (RAID2005), 2005
Bernard Stepien, Liam Peyton, Pulei Xiong , Using TTCN-3 as a Modeling Language for Web Penetration
www.owasp.org
A. Kie zun, P. J. Guo, K. Jayaraman, and M. D. Ernst, Automatic creationof SQL injection and cross site scripting attacks, in Proc. of ICSE, 2009.
Lei Xu, Baowen, A frame work for web application testing, International Conference on Cyberworlds, 2004.
Nuno Antunes, Marco Vieira, Evaluating and Improving Penetration Testing in Web Services, IEEE,2012.
Halfond WGJ, Viegas J, Orso A, A classification of SQL-injection attacks and counter measures, Proceedings of the International Symposium on Secure Software Engineering, Washington, DC, U.S.A., March 2006.
Halfond WGJ, Orso A, Manolios P. WASP: Protecting web applications using positive tainting and syntax-aware evaluation, Transactions on Software Engineering 2008; 34(1):6581.
G . Buehrer, B. W. Weide, and P. A. Sivilotti, Using parse tree validation to prevent SQL injection attacks, in Proceedings of the 5th international workshop on Software engineering and middleware, 2005, p. 113.
Sutton M, Greene A, Amini P. Fuzzing, Brute Force Vulnerability Discovery, Addison-Wesley: Reading, MA,2007.
Arkin B, Stender S. McGraw G, Software penetration testing. IEEE Security and Privacy 2005; 3(1):8487.
Downloads
Published
How to Cite
Issue
Section
License
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors contributing to this journal agree to publish their articles under the Creative Commons Attribution 4.0 International License, allowing third parties to share their work (copy, distribute, transmit) and to adapt it, under the condition that the authors are given credit and that in the event of reuse or distribution, the terms of this license are made clear.
