The document describes an approach called μ4SQLi for automated testing of SQL injection vulnerabilities. It uses an input mutation technique where valid test cases are manipulated to become SQL injection attacks through the application of 12 mutation operators. These operators are grouped into behavior-changing, syntax-repairing, and obfuscation categories. The approach monitors traffic between the system under test and database to detect if tests trigger vulnerabilities. The evaluation compares μ4SQLi against standard attacks on two web applications, with and without a web application firewall, to determine which technique performs better. The results show μ4SQLi generates more exploitable vulnerabilities, especially in the presence of a firewall.

1. Automated Testing for SQL Injection
Vulnerabilities: An Input Mutation
Approach
Dennis Appelt, Cu D. Nguyen, Nadia Alshahwan, Lionel Briand
Software Verification and Validation Laboratory
Interdisciplinary Centre for Security, Reliability and Trust
University of Luxembourg
25, July, 2014

2. Web
Apps
are
at
risk
OWASP
Top
10
2013
2
A1
–
Injec;on
A2
–
Broken
Authen;ca;on
and
Session
Management
A3
–
Cross-­‐Site
Scrip;ng
A4
–
Insecure
Object
References
…

3. SQL
Injec;on
Incidents
3

4. 4

5. Background

6. Defini;on
6
SQL
Injec;on
aNacks
target
database-­‐driven
systems
by
injec;ng
SQL
code
fragments
into
vulnerable
input
parameters
that
are
not
properly
checked
and
sani;sed.

7. Example
Example
code
vulnerable
to
SQL
injec;on:
1 . $sql = "Select * From hotelList where country =’";!
2 . $sql = $sql . $country;!
3 . $sql = $sql . ’"’;!
3 . $result = mysql_query($sql) or die(mysql_error());!
Parameter
assignment:
$country ß Luxembourg
Resul;ng
statement:
1. SELECT * FROM hotelList WHERE country=’Luxembourg’!
7

8. Example
Example
code
vulnerable
to
SQL
injec;on:
1 . $sql = "Select * From hotelList where country =’";!
2 . $sql = $sql . $country;!
3 . $sql = $sql . ’"’;!
3 . $result = mysql_query($sql) or die(mysql_error());!
Parameter
assignment:
$country ß ‘ or 1=1 --
Resul;ng
statement:
1. SELECT * FROM hotelList WHERE country=’’ OR 1=1 --’!
8

9. Automated
Tes;ng
for
SQL
Injec;on
Vulnerabili;es
An
Input
Muta;on
Approach
9

10. 10
Black-­‐Box

11. 11
Focus
on
Exploitable
Vulnerabili;es

12. 12
Automated
Test
Execu;on

13. 13
Input-­‐Muta;on

14. Approach

15. Approach
-­‐
Overview
15
WAF SUT
Monitor
Data
base
Test
generator
XAVIER
DB
WSDL Proxy
Input
samples
test reports

16. Approach
–
Test
Genera;on
16
WAF SUT
Monitor
Data
base
Test
generator
XAVIER
DB
WSDL Proxy
Input
samples
test reports
We
want
to
generated
test
cases
that
• result
in
executable
SQL
statements
• bypass
the
web
applica;on
firewall

17. Approach
–
Test
Genera;on
• μ4SQLi
– Muta;on
approach:
manipulate
legal
test
cases
to
become
SQLi
aNacks
17

18. Approach
–
Test
Genera;on
• μ4SQLi
– Muta;on
approach:
manipulate
legal
test
cases
to
become
SQLi
aNacks
– 12
muta;on
operators
grouped
in
3
categories
• Behavior-­‐changing
• Syntax-­‐repairing
• Obfusca;on
18

19. Approach
–
Test
Genera;on
• μ4SQLi
– Muta;on
approach:
manipulate
legal
test
cases
to
become
SQLi
aNacks
– 12
muta;on
operators
grouped
in
3
categories
• Behavior-­‐changing
• Syntax-­‐repairing
• Obfusca;on
– A
large
number
of
test
cases
can
be
generated
19

20. Behavior-­‐changing
MO
Example
of
a
behavior-­‐changing
muta;on
operator
Valid
Input
John
Doe
Apply
MO_or
Malicious
Input
John
Doe’
OR
‘a’=‘a
SELECT
*
FROM
users
WHERE
name=‘John
Doe’
OR
‘a’=‘a’
Execute
SUT
Behavior-­‐changing
20

21. Syntax-­‐repairing
MO
Example
of
a
syntax-­‐repairing
muta;on
operator
Malicious
Input
John
Doe’
OR
‘a’=‘a
SELECT
*
FROM
users
WHERE
func(‘$userinput’)
SELECT
*
FROM
users
WHERE
func(‘John
Doe’
OR
‘a’=‘a’)
Execute
SUT
Behavior-­‐changing
è Incorrect SQL syntax,
will not execute
Statement without user input:
21

22. Syntax-­‐repairing
MO
Example
of
a
syntax-­‐repairing
muta;on
operator
SELECT
*
FROM
users
WHERE
func(‘$userinput’)
Statement without user input:
Malicious
Input
John
Doe’)
OR
‘a’=‘a’
#
SELECT
*
FROM
users
WHERE
func(‘John
Doe’)
OR
‘a’=‘a’
#’)
Execute
SUT
Syntax-­‐repairing
22

23. Obfusca;on
MO
Example
of
an
obfusca;on
muta;on
operator
Malicious
Input
John
Doe’/*/OR+‘a’=x’61
SELECT
*
FROM
users
WHERE
name=‘John
Doe’/*/OR+‘a’=x’61’
Execute
SUT
Obfusca;on
23

24. Approach
–
Test
Oracle
24
WAF SUT
Monitor
Data
base
Test
generator
XAVIER
DB
WSDL Proxy
Input
samples
test reports
Monitor:
-­‐ Observes
the
traffic
between
SUT
and
database
-­‐ Detects
if
a
test
case
triggered
an
SQLi
vulnerability

25. Approach
–
Test
Oracle
• Inspects
if
a
SQL
statement
which
has
been
injected
into
is
executable.
25
$country ß ‘) OR 1=1 --
SELECT * FROM hotelList WHERE country=’’) OR 1=1 --’!

26. Approach
–
Test
Oracle
• Inspects
if
a
SQL
statement
which
has
been
injected
into
is
executable.
$country ß ‘) OR 1=1 --
èANack
is
not
executed
26
SELECT * FROM hotelList WHERE country=’’) OR 1=1 --’!
Syntax
Error:
Missing
Opening
Parenthesis

27. Evalua;on

28. Subjects
28
Applica,on
#
Opera,ons
#
Parameters
KLoC
Hotel
Reserva;on
Service
7
21
1.5
SugarCRM
26
87
352
Total
33
108
353.5
Each
subject
is
tested
with
and
without
firewall
à
4
dis;nct
experiment
setups

29. Baseline
–
Standard
ANacks
• Consists
of
standard
aNacks
– List
of
137
SQLi
aNacks
– Diverse
set
of
known
paNerns
• State-­‐of-­‐the-­‐art
tools
use
such
aNacks
– E.g.
BurpSuite,
SoapUI
29

30. Research
Ques;ons
RQ1:
Are
standard
a*acks
and
mutated
a*acks
(generated
by
μ4SQLi)
likely
to
reveal
exploitable
SQLi
vulnerabili?es?
RQ2:
With
and
without
the
presence
of
the
WAF,
which
input
genera?on
technique
performs
be*er?
30

31. Variables
31
T
–
total
number
of
test
cases
that
generate
SQL
statements
that
get
flagged
by
the
monitor
Te
–
as
T
but
in
addi;on
flagged
SQL
statements
must
be
executable

32. Variables
32
T
–
total
number
of
test
cases
that
generate
SQL
statements
that
get
flagged
by
the
monitor
Te
–
as
T
but
in
addi;on
flagged
SQL
statements
must
be
executable
SUT
DB
ti
s1
s2
…
sn

33. Variables
33
T
–
total
number
of
test
cases
that
generate
SQL
statements
that
get
flagged
by
the
monitor
Te
–
as
T
but
in
addi;on
flagged
SQL
statements
must
be
executable
SUT
DB
ti
s1
s2
…
sn
If
at
least
one
statement
is
flagged,
ti
reveals
a
vulnerabilityà
increment
T
If
the
flagged
statement
is
executable
à
increment
Te

34. 34
Results
Standard
ANacks
μ4SQLi

35. Research
Ques;on
1
Are
standard
a*acks
and
mutated
a*acks
(generated
by
μ4SQLi)
likely
to
reveal
exploitable
SQLi
vulnerabili?es?
35

36. Research
Ques;on
1
Are
standard
a*acks
and
mutated
a*acks
(generated
by
μ4SQLi)
likely
to
reveal
exploitable
SQLi
vulnerabili?es?
36
Answer
Both
techniques
can
reveal
SQLi
vulnerabili?es
when
no
firewall
was
used.
Most
vulnerabili?es
are
highly
likely
to
be
detected
with
at
most
a
few
dozen
test
cases
or
less.

37. Research
Ques;on
2
37
With
and
without
the
presence
of
the
WAF,
which
input
genera?on
technique
performs
be*er?

38. Research
Ques;on
2
38
With
and
without
the
presence
of
the
WAF,
which
input
genera?on
technique
performs
be*er?
Answer
μ4SQLi
generates
a
higher
percentage
of
tests
that
can
reveal
SQLi
vulnerabili?es.
Further,
in
the
presence
of
a
WAF,
μ4SQLi
is
also
capable
of
doing
so.

39. Summary

42. WAF SUT
Monitor
Data
base
Test
generator
XAVIER
DB
WSDL Proxy
Input
samples
test reports

43. WAF SUT
Monitor
Data
base
Test
generator
XAVIER
DB
WSDL Proxy
Input
samples
test reports

44. Backup
Slides

45. Operator
Name
Descrip,on
Behavior-­‐Changing
Operators
MO_or
Adds
an
OR-­‐clause
to
the
input
MO_and
Adds
an
AND-­‐clause
to
the
input
MO_semi
Adds
semicolon
followed
by
an
addi;onal
SQL
statement
Syntax-­‐Repairing
Operators
MO_par
Appends
a
parenthesis
to
a
valid
input
MO_cmt
Adds
a
comment
command
(-­‐-­‐
or
#)
to
an
input
MO_qot
Adds
a
single
or
double
quote
to
an
input
Obfusca,on
Operators
MO_wsp
Changes
the
encoding
of
whitespaces
MO_chr
Changes
the
encoding
of
a
character
literal
MO_html
Changes
the
encoding
of
an
input
to
HTML
en;ty
encoding
MO_per
Changes
the
encoding
of
an
input
to
percentage
encoding
MO_bool
Rewrites
a
boolean
expression
while
preserving
it’s
truth
value
MO_keyw
Changes
capitaliza;on
and
inserts
comments
into
SQL
keywords
45

46. Approach
–
Test
Genera;on
Valid
Test
Case
req_hotelServer_getRoomsByRate.xml
1 <soapenv:Envelope>
2 <soapenv:Header/>
3 <soapenv:Body>
4 <urn:getRoomsByRate>
5 <minPrice xsi:type="xsd:float">100</minPrice>
6 <maxPrice xsi:type="xsd:float">400</maxPrice>
7 <country xsi:type="xsd:string">France</country>
8 <start xsi:type="xsd:integer">1</start>
9 </urn:getRoomsByRate>
10 </soapenv:Body>
11 </soapenv:Envelope>
12
<soapenv:Envelope>
<soapenv:Header/>
<soapenv:Body>
<urn:getRoomsByRate>
<minPrice xsi:type="xsd:float">100</minPrice>
<maxPrice xsi:type="xsd:float">400</maxPrice>
<country xsi:type="xsd:string">"||not 0--</country>
<start xsi:type="xsd:integer">1</start>
</urn:getRoomsByRate>
</soapenv:Body>
</soapenv:Envelope>
μ4SQLi
SQLi
Test
Case
46

47. 47
Results
Standard
ANacks
μ4SQLi

48. 48
Results
Standard
ANacks
μ4SQLi

49. 49
Results
Standard
ANacks
μ4SQLi

50. Results
without
WAF
Subject
Parameter
Standard
AMacks
μ4SQLi
%T
%Te
%T
%Te
HotelRS
country
12.41
5.84
40.62
21.80
arrDate
35.04
9.49
42.05
12.50
depDate
35.04
9.49
42.96
12.03
name
35.04
9.49
43.36
12.91
address
35.04
9.49
39.81
11.00
email
35.04
9.49
41.73
11.23
SugarCRM
value
37.23
0
41.48
22.51
ass_user_id
32.85
8.03
42.49
13.91
query1
32.85
3.65
9.82
0.30
query2
54.74
5.84
81.72
33.45
order_by
59.85
10.95
85.98
33.55
rel_mod_qry
47.45
2.92
49.79
0

51. Results
with
WAF
Subject
Parameter
Standard
AMacks
μ4SQLi
%T
%Te
%T
%Te
HotelRS
country
0.73
0
36.84
20.69
arrDate
2.19
0
42.05
12.50
depDate
5.84
0
42.96
12.03
name
6.57
0
43.36
12.91
address
7.30
0
39.81
11.00
email
6.57
0
41.73
11.23
SugarCRM
value
2.19
0
37.42
20.48
ass_user_id
5.11
0
29.35
6.89
query1
0.73
0
8.97
0.20
query2
3.65
0
76.56
31.43
order_by
7.30
0
80.08
31.96
rel_mod_qry
6.57
0
44.82
0