files/journal/2022-09-02_12-54-44-000000_354.png

Journal of Engineering and Applied Sciences

ISSN: Online 1818-7803
ISSN: Print 1816-949x
About US
Editors
Issues
Pages
Indexed in
97
Views
0
Downloads

Security Testing of Web Applications for Detecting and Exploiting Second-Order SQL Injection Vulnerabilities

Najla’a Ateeq Mohammed Draib, Abu Bakar Md Sultan, Abdul Azim B Abd Ghani and Hazura Zulzalil
Page: 8426-8431 | Received 21 Sep 2022, Published online: 21 Sep 2022

Download Citation
https://doi.org/10.36478/jeasci.2018.8426.8431

Full Text Reference XML File PDF File

Abstract

SQL injection is considered one of the most serious issues affecting web application's security. It occurs when an attacker tries to access the back-end database of web applications by exploiting improper user input validation vulnerabilities. There are two types of SQL injection, namely, first-order SQL injection and second-order SQL injection. Most of the existing research works addressing this issue focus on detecting the first-order SQL injection with a common assumption that preventing first-order injection attack makes web applications secure against other SQL injection attacks. However, second-order injection attacks can occur in applications that are secured against first-order injection attacks. This is a dangerous security problem which can occasionally, lead to dire consequences. In this study, we present our work-in-progress that uses a static taint analysis and symbolic execution approach for detecting second-order SQL injection vulnerabilities. We first use static taint analysis to identify candidate vulnerabilities. Then, we use symbolic execution to generate those input vectors that make the program execution satisfy conditions and confirm the existence of SQL injection vulnerabilities. This is the first technique of which we are aware that generates input vectors that expose second-order SQL injection vulnerabilities. The initial analysis of our proposed approach shows some promising results.

How to cite this article:

Najla’a Ateeq Mohammed Draib, Abu Bakar Md Sultan, Abdul Azim B Abd Ghani and Hazura Zulzalil. Security Testing of Web Applications for Detecting and Exploiting Second-Order SQL Injection Vulnerabilities.
DOI: https://doi.org/10.36478/jeasci.2018.8426.8431
URL: https://www.makhillpublications.co/view-article/1816-949x/jeasci.2018.8426.8431