Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/28908
Title: Black-box SQL injection detection with seeded evolutionary fuzzing
Authors: Vassallo, Clyde
Keywords: SQL (Computer program language)
Web applications
Database management
Issue Date: 2017
Abstract: The increasingly valuable information being made available through web applications has made them an attractive and lucrative target for attackers. Flaws in the design or implementation of web applications, known as vulnerabilities, present an opportunity for attackers to compromise their security. One of the most critical vulnerabilities is SQL Injection which, when successfully exploited, can allow attackers to bypass authentication and gain unauthorized access to sensitive information. By exploiting this vulnerability, attackers are also able to compromise the integrity of data. Several defensive programming techniques, such as parameterized queries, are available to mitigate the risk associated with SQL Injection. However, due to limitations of these techniques, bad coding practices and the dynamic nature of the underlying implementation technologies, this vulnerability is still prevalent today, with over 70 reports submitted to the NIST database during the first quarter of 2017. This study proposes a black-box approach to automating the detection of SQL Injection vulnerabilities in web applications. Using inference techniques, the proposed approach infers the flow of control and data in the web application. This information is then leveraged during attack generation by an evolutionary fuzzing component which, using an attack grammar, attempts to generate inputs exploiting the parameters identified as being potentially vulnerable to SQL Injection. The experiments conducted on two open-source systems as part of this study indicate that the proposed approach is effective both in identifying relevant parameters and in detecting SQL Injection vulnerabilities. During the conducted experiments, the proposed approach was able to correctly identify 92% of the HTTP request parameters propagated into SQL statements and to detect 92% of the vulnerabilities. When compared to two state-of-the-art white-box and black-box solutions, the proposed approach was able to detect 13 additional SQL Injection vulnerabilities over and above the 19 vulnerabilities detected by these solutions. Based on an initial evaluation, seeding the attack generation component with an attack dictionary encourages earlier convergence of inputs towards exposing vulnerabilities. While not conclusive, to the best of my knowledge, this is the first study which investigates the effect of seeding an attack dictionary during evolutionary fuzzing in the context of vulnerability detection.
Description: M.SC.COMPUTER SCIENCE
URI: https://www.um.edu.mt/library/oar//handle/123456789/28908
Appears in Collections: Dissertations - FacICT - 2017

Files in This Item:
File: 17MCSPT004.pdf
Size: 1.47 MB
Format: Adobe PDF
Access: Restricted Access


Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.