2015 10th International Conference on Broadband and Wireless Computing, Communication and Applications
Static-Based Test Case Dynamic Generation for SQLIVs Detection
Ling Li1, Junxin Qi2,3, Nan Liu1, Lifang Han1, Baojiang Cui2,3
1. China Electric Power Research Institute, Beijing, China
2. School of Computer Science, Beijing University of Posts and Telecommunications, Beijing, China
3. National Engineering Laboratory for Mobile Network Security, China
4. Email: [email protected]
Abstract—We proposed a novel approach to generate test cases
for detecting SQLIVs (SQL Injection vulnerabilities), one of
the most foremost threats to Web applications. Dynamic
testing procedures need to construct an appropriate test to
launch a simulated attack on the target system, so test case
generation is a crucial step, which directly affects the efficiency
of detection. The traditional test case generation technologies
have many flaws, for example, blind injection would create a
lot of invalid test cases that fail to reach the sink point of
vulnerability after filtered out. On the other hand, the test
structure far from comprehensive would lead to blind test
spots, giving rise to inefficiency and high false alarm rate.
Therefore, we propose to use static analysis results to guide test
case dynamic generation. A sequence of injection points and
filter missing information of SQL vulnerabilities obtained in
the static analysis can be passed as parameters to the dynamic
detection module to generate more targeted test parameters. In
order to generate more accurate test set, we parse the test
parameters into two parts: the parameter basic structure and
the parameter control information, which will help eliminate a
lot of unnecessary redundancy attacks. This kind of joint test
case generation is just the innovative point of our paper,
practically making for more efficient and accurate dynamic
detection.
Keywords-test case generation; static analysis; SQLIVs;
dynamic detection
I. INTRODUCTION
In this Internet+ era, as the web applications becoming
more and more complicated on user experience, the security
problem of network grows. We are witnessing an increase in
the number and sophistication of attacks that target them.
Many web-based applications need to use a private
document to store sensitive data which can be accessed by
network. Many greedy hackers try to utilize a variety of
attacks methods by all means to obtain these sensitive data.
In particular, SQLIVs(SQL injection vulnerabilities) in
which specially crafted input strings result in illegal queries
to a database, has become one of the most foremost threats to
Web applications.
Because anyone including the internal users and external
users, even the administrator, can use information systems to
transfer incredible data, injection vulnerability is most
common in the Web security risks. SQL (Structured Query
Language) is a standard database manipulation Language.
Today's information systems are supported by database,
978-1-4673-8315-8/15 $31.00 © 2015 IEEE 173
DOI 10.1109/BWCCA.2015.59
Authorized licensed use limited to: University of Technology Sydney. Downloaded on September 24,2024 at 07:13:17 UTC from IEEE Xplore. Restrictions apply.
which is inseparable from the SQL. SQL injection attacks
(SQLIA) generally use SQL syntax, which makes all
database software based on SQL language standard, such as
SQL Server, Oracle, MySQL and DB2, are likely to be
attacked. And SQLIA has nothing to do with Web
programming language itself, so ASP, JSP, PHP, cannot
completely escape in theory, so the SQLIA is extensive and
easy to implement. SQL injection vulnerability (SQLIV)
stems from program’s permission for dynamic SQL requests
decided by user input. As SQL command is a bridge that
crosses from the front-end WEB application and the back-
end database, this vulnerability may enable the attacker to
pass in the URL, form, or other input domain to execute
arbitrary SQL commands, and thus to the operation of the
database of the vicious. Once an attack succeeds, any data in
the database can be manipulated by attackers, who can
elevate privileges directly in the database and to do
everything harmful as a system administrator. Even more
terrorist, the harm can be spread from the database to the
operating system and even the whole network.
In recent years, detection work for SQL injection
vulnerabilities has drawn greater attention. A number of
techniques have been proposed to address SQLIV. These
include input character filtering or input validation [9], static
analysis [11] , runtime monitoring [12], combination of static
and runtime monitoring [4], automatic fixing of source code
[2], etc. Increasingly, automated detection tools are being
used to identify SQL Injection vulnerabilities. Many of these
tools are designed with the technique of program testing,
such as the famous Saner[3], AMNEsIA[4] and JCrasher[5].
Saner first carries out static analysis on control flow and data
flow of the entire system to look for the injection points,
derivation points and sink points, and then summarizes
filtering process through pollution paths. During the next
dynamic detection procedure, Saner constructs test cases for
high-risk injection points making use of information
obtained from static analysis to simulate user inputs.
AMNEsIA creates SQL query mode for each access points to
database in the program, monitors SQL statements
dynamically generated by the process, and compares with the
query mode of this point to explore SQL injection
vulnerabilities. JCrasher analyzes the type information of
Java classes and code structures, uses the trajectory analysis
method to determine the space of function parameters, builds
various types of test cases based on random data, and
simulates user inputs that cause an exception in the program
to detect flaws.
Our study focuses on the generation of test cases, which
is a crucial step that provides dynamic validation with the
data base. On one hand, parameters evolve variously not
only with program’s uncertain execution, but also in case of
the same function, so blind exhaustive creation of test cases
is very inefficient and has low coverage. On the other hand,
most programs have a certain degree of filtering on user
input or use parameterized statements to prevent SQL
injection. So in order to avoid the test cases filtered out
before arriving at executive function, restricted information
of parameters must be taken into consideration. In this paper,
we take advantage of static analysis results to guide dynamic
test case generation, combining the parameter base structure
with control information to generate a structured set of test
cases.
The rest of this paper is organized as follows. In section 2,
we introduce the SQL injection and automated test case
generation technique, and explain the concept of SQL
injection point, which is closely related to SQL injection
vulnerabilities in the program. In section 3, some crucial
technical methods used to generate test cases are given. In
section 4, the overall framework of static-based test case
dynamic generation technique is presented, and we expound
the process in detail. Section 5 presents our empirical
evaluation and, finally, we conclude and outline future work
in Section 6.
II. BACKGROUND
A. SQL injection
SQL injection vulnerabilities (SQILVs) stem from the
lack of input validation. Web applications accept malicious
input without properly checked or strict filter the input
values prior to their use, which can lead to illegal access to
the database.
In many cases, SQL queries are dynamically constructed
via user input. Despite there being several safer ways to
make SQL queries in systems such as using
PreparedStatement, queries are often dynamically generated
in string concatenations, an unsafe and poor programming
practice. We provide an example of an SQLIA by using the
ode snippet of server side application shown in Figure 1.
Line 2 and 3 extract user supplied information from
Username and Password field into sUser and sPassword
variables, respectively. The user input is not filtered and a
dynamic SQL query is generated in Line 5 and 6. Let us
assume that a user provides valid username and password,
which are “guest” and “secret”, respectively. Then, the
generated query at Line 6 becomes “select id, level from
members where username =’guest’ and password
= ’secret’”. The database engine executes the query at Line 7
and the user is authenticated with valid UserID at Line 9. A
malicious user might supply input “’ or 1=1 -- ” in the first
field and leave the second input field as blank. The resultant
query will be “select id, level from members where username
=’’ or 1=1 --’ and password =’’”. The resultant query is a
tautology as the query portion after the symbol “--” will be
174
Authorized licensed use limited to: University of Technology Sydney. Downloaded on September 24,2024 at 07:13:17 UTC from IEEE Xplore. Restrictions apply.
ignored by the database engine (as it is comment symbol).
The syntax of the altered query is correct. Therefore, the
attacker will be able to skip the authentication after the query
is executed and assume the identity of the first user of the
table members. Halfond et al. classify SQLIAs into seven
categories. They are tautologies, union queries,
illegal/logical incorrect queries, piggybacked queries, stored
procedures, inference attacks, and alternate encodings (or
Hex encoded queries) [6].
1. String LoginAction (HttpServletRequest request, …)
throws IOException{
2. String sUser = getParameter(request, “Username”);
3. String sPassword = getParameter(request,
“Password”);
4. java.sql.ResultSet rs = null;
5. String query = “select id, level from members where ”;
6. query = query + “username=’”+sUser+
“’ and password =’”+sPassword+”’”;
7. java.sql.ResultSet rs = statement.executeQuery(query);
8. if(rs.next()) // username and password passed
9. session.setAttribute(“UserID”, rs.getString(1));
…
}
Figure 1. Code snippet for an example of SQLIVs written in Java
SQL injection point, the entry of the SQL injection, is a
function statement for interacting with background database,
where attack statements enter into the program execution. To
detect SQL injection vulnerabilities, we first need to get SQL
injection points in the program that set limits on parameters
to structure test cases. Web communication protocol is based
on HTTP protocol. The main ways that users submit data to
the application are GET, POST, COOKIE, and HTTP
headers[7]. Different request modes have their separate
limits for the data length and format, which will be
considered in the parameter control information to guide the
test case generation.
B. Test case generation
Dynamic testing procedures need to construct an
appropriate test to launch a simulated attack on the target
system. Sufficient test cases can make the test more effective,
but redundant test cases can bring false positives. So , the
generation of test cases is very important to the accuracy and
efficiency of SQLIV testing. However, most of the studies
on the test of SOLIVs focus on the information gathering
and feedback information analysis processes, but pay little
attention to the test case generation technique. Traditional
test case generation technologies have many flaws. For
example, a lot of enumeration test cases fail to reach the sink
point of vulnerability after filtered out. On the other hand,
the test structure far from comprehensive would lead to blind
test spots, giving rise to inefficiency and high false alarm
rate. In recent years, although a few researches have been
carried on the approaches of test cases generation for
detecting SQLIV[15,16,17,18,19], the results are still
insufficient.
III. TECHNIQUE
We parse the constructed test case model into two parts
that is parameter basic structure and parameter control
information. In order to generate more accurate test cases,
the parameter control information will be parsed into
multiple elements, including replacement license,
vulnerability location, variable rule, filter omission,
response analysis, which later we will give in details
A. Parse parameter basic structure
Before construction, we must particularly analysis the
basic structure of SQL parameters, the body of test cases,
which are actually a fragment in a series of SQL statements.
Random construction directly to the entire SQL statement
can be blind and inefficient. So we resolve the test cases
structure to multiple elements, including variable element for
user input. In accordance with the scheduled rules, we create
test cases formed by these elements.
Figure 2. The parameter basic structure of test case
As Figure 1 shows, the parameter basic structure is
composed of the following six elements: prefix endpoint
(PreEnd), prefix of the parameters (Prefix), SQL keyword
(keyword), constants and variables (ParN), suffix of the
parameters (suffix), suffix endpoint (sufEnd). PreEnd
semantically separates SQL statements usually by quotation
marks to insure them not affected by each other. Prefix is
used to adjust the SQL statement front logic usually by "or"
or "and". Keyword is extremely important that marks the
function of this SQL statement. For example, "select" means
query, and "union" means joint. ParN is a variable element
which we change according to the environment parameters
and combine with others according to certain rules, in order
to obtain a large number of test cases. Suffix, complement to
Prefix, limits the scope and conditions of the SQL statement
that can be a symbol or conditional. SufEnd, opposite to
PreEnd, located right at the end of the SQL statement, and
usually composed of annotation symbols so that subsequent
SQL statements will be commented out to work to ensure the
successful realization of the one at present, marks the closure
and boundary.
B. Combine parameter control information
Parameter control information is a collection of the
limitation elements on the parameters, relating to the
generation accuracy and efficiency, and even the
175
Authorized licensed use limited to: University of Technology Sydney. Downloaded on September 24,2024 at 07:13:17 UTC from IEEE Xplore. Restrictions apply.
performance of the whole system. Parameter control
information including vulnerability location, replacement
license, variable rule, filter omission, response analysis. We
record these elements into the control file according to the
combination rules, and read them when parameters are
automatically generated. Figure 2 presents the composition
of parameter control information.
• Vulnerability location the positions in the code that
can be injected, may exist in the Url, Form, cookies,
and HTTP headers, etc.
• Replacement license represents if there are some
elements in parameters can be replaced or not.
• Variable rule evolution rules of SQL injection
parameters, numbers or strings, length limit, and
coding transformation, etc.
• Filter omission omissions of input filter obtained
from static analysis, such as data type, data length,
data format, etc.
• Response analysis summarization and analysis
about the server’s feedback after receiving the data
results.
Figure 3. The parameter basic structure of test case
In order to construct more accurate test cases, we must
make full use of the parameter control information which
obtained from formatted static analysis results according to
the above mentioned elements combination. The system later
loads each element in a certain order to guide the generation
procedure of test cases.
IV. PROPOSED SYSTEM
In this paper, we take advantage of static analysis results
to guide dynamic test case generation, combining the
parameter base structure with control information to generate
a structured set of test cases. Figure 3 shows the overall
framework of our proposed Static-Based Test Case Dynamic
Generation for SQLIVs.
First, the system starts from the static analysis to collect
loopholes node position and filtering omissions, loading
WEB application source code.
Second, these analysis results will be unified format to
normative analysis ones that will passed to dynamic
generation module. Later, the system obtains the source code
segment of injection points, parse the parameters into
formatted SQL statements, and deposit them in the XML
document.
Next, On the basis of parameter control information, we
configure replaceable element to preliminary generate test
parameters. At this point, the vulnerability location is loaded
in parameter control information to get the location of the
vulnerabilities exist (these locations are obtained in the
process of preliminary static analysis). Combined with
filtering missing information, preliminary tentative injection
data are constructed, prepared for the final test cases
generated. Generated data are designed for the filter
omissions, such as developers’ negligence on the length of
the user input validation when coding which will be included
in filter omission. After the initial test cases generated, the
system sends the injection request to the server and performs
simulate injection operation.
Then, according to the application response, we can
determine whether the server is affected by the initial test
cases. If not, return again read holes location information and
filter the missing information, the system returns to

vulnerability location information and constructs new
Figure 5. Reading process for parameter control information file
parameter to try again, until form a substantial attack on the
target system.
Finally, according to these successful injection inputs, we V. EVALUATION
create a batch of structured test cases on the basis of variable
rules within bounds. To demonstrate the supposed effectiveness of this
method, we applied our technique to three Struts-based web
applications [8] from the open-source repository Sourceforge
and each of them depends on a database backend with
different kinds of SQL injection vulnerabilities. Details are
listed in Table I . The third column (URL Sequences) lists
the number of URLs in the applications that are not repeated,
as injection points. The fourth column (Ends in SQL sink)
lists the number of SQL sink functions that user input can
reach through mentioned URLs. We focus on one injection
point (namely one URL) for each application to generate test
cases. As the results present in Table II, our method shows
higher accuracy than blind exhaustive method that the
majority of our test cases can reach the sink functions and
trigger the vulnerabilities.

TABLE I. APPLICATION DETAILS

Application Description URL Ends in
Sequences SQL sink
PersonalBlog Blogging software 15 2
JOrganizer Address book 356,358 260
JGossip Forum system 1,062,539 16031

TABLE II. EXPERIMENTAL RESULTS

Application Our technique Blind creation
total reach sink total reach sink
PersonalBlog 50 41 50 16
JOrganizer 50 29 50 5
JGossip 50 32 50 7

Figure 4. Static-based test case dynamic generation technique framework
for SQLIVs
Reading elements in parameter control file should be in a
certain order. Figure 4 shows the reading process in details.
VI. CONCLUSION
SQL injection vulnerability is one of the most foremost
threats to Web applications which perform critical missions
and handle sensitive information. Attacks that exploit such
type of vulnerabilities increase rapidly over time. Automated
testing techniques are important, not only to detect
vulnerabilities in web services before they can be published,
but also to reduce testing effort in contexts where the
numbers of services and their input parameters are large.
Dynamic detection of the source code has been proved to be
a kind of effective preventive measure. As a crucial step, the
generation of test cases relates to the efficiency and

176

Authorized licensed use limited to: University of Technology Sydney. Downloaded on September 24,2024 at 07:13:17 UTC from IEEE Xplore. Restrictions apply.
performance of the whole detection system. However, little
research on test case generation has considered the
sanitization process performed by the applications to prevent
potential malicious inputs, leading to a lot of invalid cases.
In this paper, we have presented a novel approach to the
test case generation for detecting SQL vulnerabilities. The
approach takes advantages of a sequence of injection points
and their filter omissions, obtained from the static analysis
and passed as parameters to the dynamic detection module,
to generate more targeted test cases. We parse the test
parameters into two parts: the parameter basic structure and
the parameter control information, which will help eliminate
a lot of ineffective test cases. We have implemented our
approach to show that this kind of joint test case generation
practically makes for more efficient and accurate dynamic
detection. In our future work, we will further refine our test
case model and enrich the parameter control information to
get more accurate constraint conditions.
ACKNOWLEDGMENT
This work was supported by National Natural Science
Foundation of China( No.61272493).
REFERENCES
[1] Anley C, Anley C. Advanced SQL Injection in SQL Server
Applications[J]. Insight Security Research .chris Anley.advanced Sql
Injection in Sql Server Application, 2002.
[2] Thomas S, Williams L. Using Automated Fix Generation to Secure
SQL Statements[C]// Software Engineering for Secure Systems,
2007. SESS '07: ICSE Workshops 2007. Third International
Workshop on. IEEE, 2007:9.
[3] Balzarotti D, Cova M, Felmetsger V, et al. Saner: Composing Static
and Dynamic Analysis to Validate Sanitization in Web
Applications[C]// Security and Privacy, 2008. SP 2008. IEEE
Symposium on. IEEE, 2008:387-401. W. Halfond and A. Orso.
AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection
Attacks. In International Conference on Automated Software
Engineering (ASE), pages 174-183, November 2005.
[4] Csallner C, Smaragdakis Y. JCrasher: an automatic robustness tester
for Java[J]. Software—practice & Experience, 2004, 34(11):2004.
[5] Gould W. G. Halfond, J. Viegas, and A. Orso, “A Classification of
SQL-Injection Attacks and Countermeasures”, In Proceedings of the
177
Authorized licensed use limited to: University of Technology Sydney. Downloaded on September 24,2024 at 07:13:17 UTC from IEEE Xplore. Restrictions apply.
International Symposium on Secure Software Engineering (ISSSE
2006),Arlington, Virginia, Mar. 2006.
[6] Halfond W G J, Orso A, Manolios P. Using positive tainting and
syntax-aware evaluation to counter SQL injection attacks[J]. Sigsoft
Fse, 2006:175--185.
[7] Martin M, Lam M S. Automatic Generation Of Xss And Sql Injection
Attacks With Goal-Directed Model Checking[J]. Usenix Security,
2008.
[8] Michael Howard and David C. LeBlanc, “WritingSecure Code”,
Second Edition, Microsoft Press, 2002.
[9] Michael Emmi , Rupak Majumdar , Koushik Sen, Dynamic test input
generation for database applications, Proceedings of the 2007
international symposium on Software testing and analysis, July 09-12,
2007, London, United Kingdom
[10] Z. Su and G. Wasserman, “The Essence of Command Injection
Attacks in Web Applications”, In Proceedings of Symposium on
Principles of Programming Languages POPL’06, Jan 2006, South
Carolina, USA, pp. 372-382.
[11] Buehrer G T, Weide B W, Sivilotti P A G. Using parse tree validation
to prevent SQL injection attacks[J]. Proceedings of the International
Workshop on Software Engineering & Middleware at Joint Fse &
Esec, 2005:106--113.
[12] Yuetang Deng , Phyllis Frankl , David Chays, Testing database
transactions with AGENDA, Proceedings of the 27th international
conference on Software engineering, May 15-21, 2005, St. Louis,
MO, USA
[13] Myra B. Cohen , Peter B. Gibbons , Warwick B. Mugridge , Charles
J. Colbourn, Constructing test suites for interaction testing,
Proceedings of the 25th International Conference on Software
Engineering, May 03-10, 2003, Portland, Oregon
[14] Visser W, Psreanu C S, Khurshid S. Test Input Generation with
Java PathFinder[J]. Proceedings of Issta, 2004, 29(4):97-107.
[15] Y. Shin, L. Williams, T. Xie, “SQLUnitgen: Test case generation for
SQL injection detection,” North Carolina State University, Raleigh
Technical report (NCSU CSC TR), Vol. 21, 2006.
[16] J. Wang, R. C. W. Phan, J. N. Whitley, D. J. Parish, “Augmented
attack tree modeling of SQL injection attacks,” Information
Management and Engineering (ICIME), IEEE, 2010: 182-186.
[17] A. Marback, H. Do, K. He, S. Kondamarri, D. Xu, “Security test
generation using threat trees,” Automation of Software Test (AST
09), ICSE Workshop on IEEE, 2009: 62-99.
[18] Liu L, Xu J, Li M, et al. A Dynamic SQL Injection Vulnerability Test
Case Generation Model Based on the Multiple Phases Detection
Approach[C]// 2013 IEEE 37th Annual Computer Software and
Applications ConferenceIEEE Computer Society, 2013:256-261.