Attack Generation and Vulnerability Discovery in Penetration Testing using Sql Injection
J. Upadhyaya, N. Panda, A.A. Acharya
Section: Research Paper, Product Type: Journal Paper
Volume-2, Issue-3, Page no. 167-173, Mar-2014
Online published on Mar 30, 2014
Copyright © J. Upadhyaya, N. Panda, A.A. Acharya. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
How to Cite this Paper
IEEE Style Citation: J. Upadhyaya, N. Panda, A.A. Acharya, “Attack Generation and Vulnerability Discovery in Penetration Testing using Sql Injection,” International Journal of Computer Sciences and Engineering, Vol.2, Issue.3, pp.167-173, 2014.
BibTex Style Citation:
@article{Upadhyaya_2014,
author = {J. Upadhyaya and N. Panda and A.A. Acharya},
title = {Attack Generation and Vulnerability Discovery in Penetration Testing using Sql Injection},
journal = {International Journal of Computer Sciences and Engineering},
issue_date = {3 2014},
volume = {2},
Issue = {3},
month = {3},
year = {2014},
issn = {2347-2693},
pages = {167-173},
url = {https://www.ijcseonline.org/full_paper_view.php?paper_id=91},
publisher = {IJCSE, Indore, INDIA},
}
Abstract
Nowadays the use of the World Wide Web (WWW) is increasing rapidly and leading to security breaches of systems, so testing of software systems has become iterative. Testing requires effort, time and skilled people. Hacking mostly occurs in the banking sector and in business organizations because they maintain confidential information. One hacking technique that commonly occurs in the banking sector is SQL injection. Security testing can be done in two ways: static analysis, otherwise known as white box testing, and dynamic analysis, known as black box testing. In this paper we show the penetration testing of a web application to detect the SQL injection vulnerability. The paper describes the penetration testing process and focuses mainly on vulnerability discovery, attack generation, obtaining the test cases, and maintaining a pentester database which stores all the attack responses. We have taken an internet banking transaction as a case study. The main motivation of the paper is to detect SQL injection through attack generation. In SQL injection, the attacker might insert malicious code into a user input field in an attempt to gain access to confidential and sensitive information in the database, making the database insecure. Penetration testing is widely used to simulate an attack on a web application, then analyse the attack pattern and give a better solution for the system. This paper gives an overview of the penetration testing process, the SQL injection attack and the pentester database.
Key-Words / Index Term
Testing, Security Testing, Penetration Testing, SQL Injection