Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach
1 like1,050 views
The document describes an approach called μ4SQLi for automated testing of SQL injection vulnerabilities. It uses an input mutation technique where valid test cases are manipulated to become SQL injection attacks through the application of 12 mutation operators. These operators are grouped into behavior-changing, syntax-repairing, and obfuscation categories. The approach monitors traffic between the system under test and database to detect if tests trigger vulnerabilities. The evaluation compares μ4SQLi against standard attacks on two web applications, with and without a web application firewall, to determine which technique performs better. The results show μ4SQLi generates more exploitable vulnerabilities, especially in the presence of a firewall.
Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach
- 1. Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach Dennis Appelt, Cu D. Nguyen, Nadia Alshahwan, Lionel Briand Software Verification and Validation Laboratory Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg 25, July, 2014
- 2. Web Apps are at risk OWASP Top 10 2013 2 A1 – Injec;on A2 – Broken Authen;ca;on and Session Management A3 – Cross-‐Site Scrip;ng A4 – Insecure Object References …
- 4. 4
- 5. Background
- 6. Defini;on 6 SQL Injec;on aNacks target database-‐driven systems by injec;ng SQL code fragments into vulnerable input parameters that are not properly checked and sani;sed.
- 7. Example Example code vulnerable to SQL injec;on: 1 . $sql = "Select * From hotelList where country =’";! 2 . $sql = $sql . $country;! 3 . $sql = $sql . ’"’;! 3 . $result = mysql_query($sql) or die(mysql_error());! Parameter assignment: $country ß Luxembourg Resul;ng statement: 1. SELECT * FROM hotelList WHERE country=’Luxembourg’! 7
- 8. Example Example code vulnerable to SQL injec;on: 1 . $sql = "Select * From hotelList where country =’";! 2 . $sql = $sql . $country;! 3 . $sql = $sql . ’"’;! 3 . $result = mysql_query($sql) or die(mysql_error());! Parameter assignment: $country ß ‘ or 1=1 -- Resul;ng statement: 1. SELECT * FROM hotelList WHERE country=’’ OR 1=1 --’! 8
- 9. Automated Tes;ng for SQL Injec;on Vulnerabili;es An Input Muta;on Approach 9
- 10. 10 Black-‐Box
- 11. 11 Focus on Exploitable Vulnerabili;es
- 12. 12 Automated Test Execu;on
- 14. Approach
- 15. Approach -‐ Overview 15 WAF SUT Monitor Data base Test generator XAVIER DB WSDL Proxy Input samples test reports
- 16. Approach – Test Genera;on 16 WAF SUT Monitor Data base Test generator XAVIER DB WSDL Proxy Input samples test reports We want to generated test cases that • result in executable SQL statements • bypass the web applica;on firewall
- 17. Approach – Test Genera;on • μ4SQLi – Muta;on approach: manipulate legal test cases to become SQLi aNacks 17
- 18. Approach – Test Genera;on • μ4SQLi – Muta;on approach: manipulate legal test cases to become SQLi aNacks – 12 muta;on operators grouped in 3 categories • Behavior-‐changing • Syntax-‐repairing • Obfusca;on 18
- 19. Approach – Test Genera;on • μ4SQLi – Muta;on approach: manipulate legal test cases to become SQLi aNacks – 12 muta;on operators grouped in 3 categories • Behavior-‐changing • Syntax-‐repairing • Obfusca;on – A large number of test cases can be generated 19
- 20. Behavior-‐changing MO Example of a behavior-‐changing muta;on operator Valid Input John Doe Apply MO_or Malicious Input John Doe’ OR ‘a’=‘a SELECT * FROM users WHERE name=‘John Doe’ OR ‘a’=‘a’ Execute SUT Behavior-‐changing 20
- 21. Syntax-‐repairing MO Example of a syntax-‐repairing muta;on operator Malicious Input John Doe’ OR ‘a’=‘a SELECT * FROM users WHERE func(‘$userinput’) SELECT * FROM users WHERE func(‘John Doe’ OR ‘a’=‘a’) Execute SUT Behavior-‐changing è Incorrect SQL syntax, will not execute Statement without user input: 21
- 22. Syntax-‐repairing MO Example of a syntax-‐repairing muta;on operator SELECT * FROM users WHERE func(‘$userinput’) Statement without user input: Malicious Input John Doe’) OR ‘a’=‘a’ # SELECT * FROM users WHERE func(‘John Doe’) OR ‘a’=‘a’ #’) Execute SUT Syntax-‐repairing 22
- 23. Obfusca;on MO Example of an obfusca;on muta;on operator Malicious Input John Doe’/*/OR+‘a’=x’61 SELECT * FROM users WHERE name=‘John Doe’/*/OR+‘a’=x’61’ Execute SUT Obfusca;on 23
- 24. Approach – Test Oracle 24 WAF SUT Monitor Data base Test generator XAVIER DB WSDL Proxy Input samples test reports Monitor: -‐ Observes the traffic between SUT and database -‐ Detects if a test case triggered an SQLi vulnerability
- 25. Approach – Test Oracle • Inspects if a SQL statement which has been injected into is executable. 25 $country ß ‘) OR 1=1 -- SELECT * FROM hotelList WHERE country=’’) OR 1=1 --’!
- 26. Approach – Test Oracle • Inspects if a SQL statement which has been injected into is executable. $country ß ‘) OR 1=1 -- èANack is not executed 26 SELECT * FROM hotelList WHERE country=’’) OR 1=1 --’! Syntax Error: Missing Opening Parenthesis
- 27. Evalua;on
- 28. Subjects 28 Applica,on # Opera,ons # Parameters KLoC Hotel Reserva;on Service 7 21 1.5 SugarCRM 26 87 352 Total 33 108 353.5 Each subject is tested with and without firewall à 4 dis;nct experiment setups
- 29. Baseline – Standard ANacks • Consists of standard aNacks – List of 137 SQLi aNacks – Diverse set of known paNerns • State-‐of-‐the-‐art tools use such aNacks – E.g. BurpSuite, SoapUI 29
- 30. Research Ques;ons RQ1: Are standard a*acks and mutated a*acks (generated by μ4SQLi) likely to reveal exploitable SQLi vulnerabili?es? RQ2: With and without the presence of the WAF, which input genera?on technique performs be*er? 30
- 31. Variables 31 T – total number of test cases that generate SQL statements that get flagged by the monitor Te – as T but in addi;on flagged SQL statements must be executable
- 32. Variables 32 T – total number of test cases that generate SQL statements that get flagged by the monitor Te – as T but in addi;on flagged SQL statements must be executable SUT DB ti s1 s2 … sn
- 33. Variables 33 T – total number of test cases that generate SQL statements that get flagged by the monitor Te – as T but in addi;on flagged SQL statements must be executable SUT DB ti s1 s2 … sn If at least one statement is flagged, ti reveals a vulnerabilityà increment T If the flagged statement is executable à increment Te
- 34. 34 Results Standard ANacks μ4SQLi
- 35. Research Ques;on 1 Are standard a*acks and mutated a*acks (generated by μ4SQLi) likely to reveal exploitable SQLi vulnerabili?es? 35
- 36. Research Ques;on 1 Are standard a*acks and mutated a*acks (generated by μ4SQLi) likely to reveal exploitable SQLi vulnerabili?es? 36 Answer Both techniques can reveal SQLi vulnerabili?es when no firewall was used. Most vulnerabili?es are highly likely to be detected with at most a few dozen test cases or less.
- 37. Research Ques;on 2 37 With and without the presence of the WAF, which input genera?on technique performs be*er?
- 38. Research Ques;on 2 38 With and without the presence of the WAF, which input genera?on technique performs be*er? Answer μ4SQLi generates a higher percentage of tests that can reveal SQLi vulnerabili?es. Further, in the presence of a WAF, μ4SQLi is also capable of doing so.
- 39. Summary
- 42. WAF SUT Monitor Data base Test generator XAVIER DB WSDL Proxy Input samples test reports
- 43. WAF SUT Monitor Data base Test generator XAVIER DB WSDL Proxy Input samples test reports
- 44. Backup Slides
- 45. Operator Name Descrip,on Behavior-‐Changing Operators MO_or Adds an OR-‐clause to the input MO_and Adds an AND-‐clause to the input MO_semi Adds semicolon followed by an addi;onal SQL statement Syntax-‐Repairing Operators MO_par Appends a parenthesis to a valid input MO_cmt Adds a comment command (-‐-‐ or #) to an input MO_qot Adds a single or double quote to an input Obfusca,on Operators MO_wsp Changes the encoding of whitespaces MO_chr Changes the encoding of a character literal MO_html Changes the encoding of an input to HTML en;ty encoding MO_per Changes the encoding of an input to percentage encoding MO_bool Rewrites a boolean expression while preserving it’s truth value MO_keyw Changes capitaliza;on and inserts comments into SQL keywords 45
- 46. Approach – Test Genera;on Valid Test Case req_hotelServer_getRoomsByRate.xml 1 <soapenv:Envelope> 2 <soapenv:Header/> 3 <soapenv:Body> 4 <urn:getRoomsByRate> 5 <minPrice xsi:type="xsd:float">100</minPrice> 6 <maxPrice xsi:type="xsd:float">400</maxPrice> 7 <country xsi:type="xsd:string">France</country> 8 <start xsi:type="xsd:integer">1</start> 9 </urn:getRoomsByRate> 10 </soapenv:Body> 11 </soapenv:Envelope> 12 <soapenv:Envelope> <soapenv:Header/> <soapenv:Body> <urn:getRoomsByRate> <minPrice xsi:type="xsd:float">100</minPrice> <maxPrice xsi:type="xsd:float">400</maxPrice> <country xsi:type="xsd:string">"||not 0--</country> <start xsi:type="xsd:integer">1</start> </urn:getRoomsByRate> </soapenv:Body> </soapenv:Envelope> μ4SQLi SQLi Test Case 46
- 47. 47 Results Standard ANacks μ4SQLi
- 48. 48 Results Standard ANacks μ4SQLi
- 49. 49 Results Standard ANacks μ4SQLi
- 50. Results without WAF Subject Parameter Standard AMacks μ4SQLi %T %Te %T %Te HotelRS country 12.41 5.84 40.62 21.80 arrDate 35.04 9.49 42.05 12.50 depDate 35.04 9.49 42.96 12.03 name 35.04 9.49 43.36 12.91 address 35.04 9.49 39.81 11.00 email 35.04 9.49 41.73 11.23 SugarCRM value 37.23 0 41.48 22.51 ass_user_id 32.85 8.03 42.49 13.91 query1 32.85 3.65 9.82 0.30 query2 54.74 5.84 81.72 33.45 order_by 59.85 10.95 85.98 33.55 rel_mod_qry 47.45 2.92 49.79 0
- 51. Results with WAF Subject Parameter Standard AMacks μ4SQLi %T %Te %T %Te HotelRS country 0.73 0 36.84 20.69 arrDate 2.19 0 42.05 12.50 depDate 5.84 0 42.96 12.03 name 6.57 0 43.36 12.91 address 7.30 0 39.81 11.00 email 6.57 0 41.73 11.23 SugarCRM value 2.19 0 37.42 20.48 ass_user_id 5.11 0 29.35 6.89 query1 0.73 0 8.97 0.20 query2 3.65 0 76.56 31.43 order_by 7.30 0 80.08 31.96 rel_mod_qry 6.57 0 44.82 0