基于有限状态机的渗透测试暴露SQL注入漏洞

Lei Liu, Jing Xu, Chenkai Guo, Jiehui Kang, Sihan Xu, Biao Zhang
{"title":"基于有限状态机的渗透测试暴露SQL注入漏洞","authors":"Lei Liu, Jing Xu, Chenkai Guo, Jiehui Kang, Sihan Xu, Biao Zhang","doi":"10.1109/COMPCOMM.2016.7924889","DOIUrl":null,"url":null,"abstract":"Penetration test is one of the most used SQL Injection Vulnerability (SQLIV) testing technology. Focused on the insufficiency of test accuracy problem in SQLIV black-box penetration test process, we discuss the limitation of the traditional approaches based on test case library enumerating methods and propose a SQLIV Penetration Test approach based on Finite State Machine (SPT-FSM). The proposed approach establishes FSM based on the states corresponding to different SQLIV penetration test cases, map the statuses of test cases and their relevant responses, and analyzes the transition regularity of the established FSM for the testing of SQLIV with dynamic nature and states transition characteristics. We conduct experiments about the proposed approach and compare it with a popular state-of-the-art benchmarking tool. The experimental results show that the proposed approach can effectively improve the accuracy of SQLIV penetration test by reducing False Negatives (FN) and False Positives (FP).","PeriodicalId":210833,"journal":{"name":"2016 2nd IEEE International Conference on Computer and Communications (ICCC)","volume":"178 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":"{\"title\":\"Exposing SQL Injection Vulnerability through Penetration Test based on Finite State Machine\",\"authors\":\"Lei Liu, Jing Xu, Chenkai Guo, Jiehui Kang, Sihan Xu, Biao Zhang\",\"doi\":\"10.1109/COMPCOMM.2016.7924889\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Penetration test is one of the most used SQL Injection Vulnerability (SQLIV) testing technology. Focused on the insufficiency of test accuracy problem in SQLIV black-box penetration test process, we discuss the limitation of the traditional approaches based on test case library enumerating methods and propose a SQLIV Penetration Test approach based on Finite State Machine (SPT-FSM). The proposed approach establishes FSM based on the states corresponding to different SQLIV penetration test cases, map the statuses of test cases and their relevant responses, and analyzes the transition regularity of the established FSM for the testing of SQLIV with dynamic nature and states transition characteristics. We conduct experiments about the proposed approach and compare it with a popular state-of-the-art benchmarking tool. The experimental results show that the proposed approach can effectively improve the accuracy of SQLIV penetration test by reducing False Negatives (FN) and False Positives (FP).\",\"PeriodicalId\":210833,\"journal\":{\"name\":\"2016 2nd IEEE International Conference on Computer and Communications (ICCC)\",\"volume\":\"178 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-10-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"9\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 2nd IEEE International Conference on Computer and Communications (ICCC)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/COMPCOMM.2016.7924889\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 2nd IEEE International Conference on Computer and Communications (ICCC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/COMPCOMM.2016.7924889","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 9

摘要

渗透测试是最常用的SQL注入漏洞(SQLIV)测试技术之一。针对SQLIV黑盒渗透测试过程中测试精度问题的不足,讨论了基于测试用例库枚举方法的传统方法的局限性,提出了一种基于有限状态机(SPT-FSM)的SQLIV渗透测试方法。该方法基于不同SQLIV渗透测试用例所对应的状态建立FSM,映射测试用例的状态及其响应,并分析所建立FSM的转换规律,用于具有动态性和状态转换特征的SQLIV测试。我们对所提出的方法进行了实验,并将其与流行的最先进的基准测试工具进行了比较。实验结果表明,该方法通过减少误报(FN)和误报(FP),可以有效提高SQLIV渗透测试的准确性。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Exposing SQL Injection Vulnerability through Penetration Test based on Finite State Machine
Penetration test is one of the most used SQL Injection Vulnerability (SQLIV) testing technology. Focused on the insufficiency of test accuracy problem in SQLIV black-box penetration test process, we discuss the limitation of the traditional approaches based on test case library enumerating methods and propose a SQLIV Penetration Test approach based on Finite State Machine (SPT-FSM). The proposed approach establishes FSM based on the states corresponding to different SQLIV penetration test cases, map the statuses of test cases and their relevant responses, and analyzes the transition regularity of the established FSM for the testing of SQLIV with dynamic nature and states transition characteristics. We conduct experiments about the proposed approach and compare it with a popular state-of-the-art benchmarking tool. The experimental results show that the proposed approach can effectively improve the accuracy of SQLIV penetration test by reducing False Negatives (FN) and False Positives (FP).
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Secure routing in IoT with multi-objective simulated annealing Modeling of TCM packing robot and its kinematics simulation and optimization Iterative decision-directed channel estimation for MIMO-OFDM system A systemic performance evaluation method for Residue Number System A dynamic hierarchical quotient topology model based optimal path finding algorithm in complex networks
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1