改进大规模SQL注入渗透测试管理的增强自动化脚本方法

Razman Hakim Abdul Raman
{"title":"改进大规模SQL注入渗透测试管理的增强自动化脚本方法","authors":"Razman Hakim Abdul Raman","doi":"10.1109/ISCAIE.2019.8743936","DOIUrl":null,"url":null,"abstract":"Typically, in an assessment project for a web application or database with a large scale and scope, tasks required to be performed by a security analyst are such as SQL injection and penetration testing. To carry out these large-scale tasks, the analyst will have to perform 100 or more SQLi penetration tests on one or more target. This makes the process much more complex and much harder to implement. This paper attempts to compare large-scale SQL injections performed with Manual Methods, which is the benchmark, and the proposed SQLiAutoScript Method. The SQLiAutoScript method uses sqlmap as a tool, in combination with sqlmap scripting and logging features, to facilitate a more effective and manageable approach within a large scale of hundreds or thousands of SQL injection penetration tests. Comparison of the test results for both Manual and SQLiAutoScript approaches and their benefits is included in the comparative analysis. The tests were performed over a scope of 24 SQL injection (SQLi) tests that comprises over 100,000 HTTP requests and injections, and within a total testing run-time period of about 50 hours. The scope of testing also covers both SQLiAutoScript and Manual methods. In the SQLiAutoScript method, each SQL injection test has its own sub-folder and files for data such as results (output), progress (traffic logs) and logging. In this way across all SQLi tests, the results, data and details related to SQLi tests are logged, available, traceable, accurate and not missed out. Available and traceable data also facilitates traceability of failed SQLi tests, and higher recovery and reruns of failed SQLi tests to maximize increased attack surface upon the target.","PeriodicalId":369098,"journal":{"name":"2019 IEEE 9th Symposium on Computer Applications & Industrial Electronics (ISCAIE)","volume":"49 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Enhanced Automated-Scripting Method for Improved Management of SQL Injection Penetration Tests on a Large Scale\",\"authors\":\"Razman Hakim Abdul Raman\",\"doi\":\"10.1109/ISCAIE.2019.8743936\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Typically, in an assessment project for a web application or database with a large scale and scope, tasks required to be performed by a security analyst are such as SQL injection and penetration testing. To carry out these large-scale tasks, the analyst will have to perform 100 or more SQLi penetration tests on one or more target. This makes the process much more complex and much harder to implement. This paper attempts to compare large-scale SQL injections performed with Manual Methods, which is the benchmark, and the proposed SQLiAutoScript Method. The SQLiAutoScript method uses sqlmap as a tool, in combination with sqlmap scripting and logging features, to facilitate a more effective and manageable approach within a large scale of hundreds or thousands of SQL injection penetration tests. Comparison of the test results for both Manual and SQLiAutoScript approaches and their benefits is included in the comparative analysis. The tests were performed over a scope of 24 SQL injection (SQLi) tests that comprises over 100,000 HTTP requests and injections, and within a total testing run-time period of about 50 hours. The scope of testing also covers both SQLiAutoScript and Manual methods. In the SQLiAutoScript method, each SQL injection test has its own sub-folder and files for data such as results (output), progress (traffic logs) and logging. In this way across all SQLi tests, the results, data and details related to SQLi tests are logged, available, traceable, accurate and not missed out. Available and traceable data also facilitates traceability of failed SQLi tests, and higher recovery and reruns of failed SQLi tests to maximize increased attack surface upon the target.\",\"PeriodicalId\":369098,\"journal\":{\"name\":\"2019 IEEE 9th Symposium on Computer Applications & Industrial Electronics (ISCAIE)\",\"volume\":\"49 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2019-04-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2019 IEEE 9th Symposium on Computer Applications & Industrial Electronics (ISCAIE)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ISCAIE.2019.8743936\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE 9th Symposium on Computer Applications & Industrial Electronics (ISCAIE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISCAIE.2019.8743936","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1

摘要

通常,在一个规模和范围较大的web应用程序或数据库的评估项目中,需要由安全分析师执行的任务包括SQL注入和渗透测试。为了执行这些大规模任务,分析人员必须在一个或多个目标上执行100个或更多的SQLi渗透测试。这使得这个过程更加复杂,也更加难以实现。本文试图比较以Manual Methods为基准执行的大规模SQL注入和提出的SQLiAutoScript Method。SQLiAutoScript方法使用sqlmap作为工具,结合sqlmap脚本和日志功能,在大规模的数百或数千个SQL注入渗透测试中提供更有效和可管理的方法。对比分析中包括了Manual和SQLiAutoScript方法的测试结果及其优点的比较。测试在24个SQL注入(SQLi)测试范围内执行,这些测试包括超过100,000个HTTP请求和注入,并且在大约50小时的总测试运行周期内执行。测试的范围还包括SQLiAutoScript和Manual方法。在SQLiAutoScript方法中,每个SQL注入测试都有自己的子文件夹和数据文件,例如结果(输出)、进度(流量日志)和日志记录。通过这种方式,在所有SQLi测试中,与SQLi测试相关的结果、数据和细节都被记录下来,可用、可跟踪、准确且不会遗漏。可用和可跟踪的数据还有助于跟踪失败的SQLi测试,提高失败的SQLi测试的恢复和重新运行,从而最大限度地增加对目标的攻击面。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Enhanced Automated-Scripting Method for Improved Management of SQL Injection Penetration Tests on a Large Scale
Typically, in an assessment project for a web application or database with a large scale and scope, tasks required to be performed by a security analyst are such as SQL injection and penetration testing. To carry out these large-scale tasks, the analyst will have to perform 100 or more SQLi penetration tests on one or more target. This makes the process much more complex and much harder to implement. This paper attempts to compare large-scale SQL injections performed with Manual Methods, which is the benchmark, and the proposed SQLiAutoScript Method. The SQLiAutoScript method uses sqlmap as a tool, in combination with sqlmap scripting and logging features, to facilitate a more effective and manageable approach within a large scale of hundreds or thousands of SQL injection penetration tests. Comparison of the test results for both Manual and SQLiAutoScript approaches and their benefits is included in the comparative analysis. The tests were performed over a scope of 24 SQL injection (SQLi) tests that comprises over 100,000 HTTP requests and injections, and within a total testing run-time period of about 50 hours. The scope of testing also covers both SQLiAutoScript and Manual methods. In the SQLiAutoScript method, each SQL injection test has its own sub-folder and files for data such as results (output), progress (traffic logs) and logging. In this way across all SQLi tests, the results, data and details related to SQLi tests are logged, available, traceable, accurate and not missed out. Available and traceable data also facilitates traceability of failed SQLi tests, and higher recovery and reruns of failed SQLi tests to maximize increased attack surface upon the target.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Developing the Maturity Model for Gig Economy Business Processes Dark Data Management as frontier of Information Governance Information Governance derivatives of Social Solidarity Economy Initiatives Exponentially Adaptive Sine-Cosine Algorithm for Global Optimization Wireless Hand Gesture Controlled Robotic Arm Via NRF24L01 Transceiver
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1