
Structured Query Language Injection Penetration Test Case Generation Based on Formal Description

Abstract: Aiming to improve the accuracy of Structured Query Language (SQL) injection penetration testing through formalism-guided test case generation, an attack-purpose-based attack tree model of SQL injection is proposed. Under the guidance of this model, formal descriptions of the SQL injection vulnerability features and of SQL injection attack inputs are established. Moreover, according to new coverage criteria, these models are instantiated and executable test cases are generated. Experiments show that, compared with the randomly enumerated test cases used in other works, the test cases generated by our method detect SQL injection vulnerabilities more effectively. Therefore, false negatives are reduced and test accuracy is improved.
Authors: 韩明, 苗长云
Source: Journal of Donghua University (English Edition) (东华大学学报(英文版)), EI, CAS, 2015, Issue 3, pp. 446-452 (7 pages)
Funding: National Natural Science Foundation of China (No. 51274150); Tianjin Major Project of Application Foundation and Advanced Technology, China (No. 12JCZDJC27800)
Keywords: software security; penetration test; web application; Structured Query Language (SQL) injection; test case