Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks: Difference between revisions

== 1. Introduction ==


In this paper, we examine two input validation vulnerabilities that are in the CWE/SANS Top 25 Most Dangerous Programming Errors<sup>1</sup> due to their prevalence and potential damage: SQL injection vulnerabilities and error message information leak vulnerabilities. ''SQL injection vulnerabilities'' occur when a lack of input validation allows a user to force unintended system behavior by altering the logical structure of a SQL statement using SQL reserved words and special characters<sup>[1, 2]</sup>. The CWE categorizes SQL injection vulnerabilities as a subset of ''input validation vulnerabilities'', which occur when a system does not assert that input falls within an acceptable range, allowing the system to be exploited to perform unintended functionality<sup>[3]</sup>. ''Error message information leak vulnerabilities'' are caused when an application does not correctly handle an exceptional condition and, as a result, sensitive information (such as a database error message, query text, or stack trace) is revealed to the attacker<sup>[4, 5]</sup>. We contend that in web applications, where security is paramount, input validation comprises both ensuring that input falls within an acceptable range (e.g. “integer”) and ensuring that the application fails gracefully when input is ''not'' within said range.


To expose and mitigate SQL injection vulnerabilities at the white box level, a development team can execute unit tests that assert that malicious input is rejected by the components that communicate with the database<sup>[6]</sup>. In some development methodologies, components are constructed in horizontal layers built from the bottom up: the components that perform logic and interact with the database are written and tested long before the user interface exists. However, in an ''iterative development methodology'', teams build software on a feature-by-feature basis in vertical slices that extend from the database to the user interface. Additionally, test-driven development implies the incremental creation of tests throughout the development process<sup>[7]</sup>, so a test that can only be written once the data access layer is finished arrives late in a vertical slice.


''The goal of this research is to assess the relative effectiveness of system and unit level testing of web applications to reveal both SQL injection vulnerabilities and error message information leakage vulnerabilities when used with an iterative test automation practice by a feature development team.'' We conducted a case study on four Java-based open source web applications: iTrust<sup>2</sup>, Hispacta<sup>3</sup>, LogicServices<sup>4</sup>, and TuduLists<sup>5</sup>. In our case study, we executed and compared JUnit<sup>6</sup> unit tests and HtmlUnit<sup>7</sup> system level tests. The purpose of this study is to determine whether system level testing<sup>8</sup> could be used in an iterative or test-driven development scenario to expose both parts of input validation earlier in the lifecycle—an important component of building security in from the beginning<sup>[8]</sup>.
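The distinction between the two levels of testing, and between the two parts of input validation, can be made concrete with a small self-contained illustration. The following code is an added example and is not from the paper or from any of the four studied applications; it uses Python with an in-memory SQLite table in place of the Java, JUnit and HtmlUnit stack of the case study. The <code>patients</code> table, the two request values <code>INJECTION</code> and <code>MALFORMED</code>, and the list of leak markers are constructed for the example. A "unit test" here calls the data-access component directly, as a JUnit test would; a "system test" only sees the status code and page body that a browser-driving tool such as HtmlUnit would see.

```python
import sqlite3

# Constructed inputs (not from the paper or from any of the studied applications).
INJECTION = "1 OR 1=1"   # changes the logical structure of the WHERE clause
MALFORMED = "1'"         # unbalanced quote: makes the database raise an error


def make_db():
    """Constructed in-memory table standing in for an application's patient data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    return conn


# --- data-access components (the "unit" under white box test) -----------------

def find_patient_vulnerable(conn, patient_id):
    """Vulnerable: the request parameter is concatenated into the SQL text."""
    sql = "SELECT name FROM patients WHERE id = " + patient_id
    return [row[0] for row in conn.execute(sql)]


def find_patient_safe(conn, patient_id):
    """Hardened: input is checked to be an integer and bound as a parameter."""
    if not patient_id.isdigit():
        raise ValueError("patient id must be an integer")
    rows = conn.execute("SELECT name FROM patients WHERE id = ?", (int(patient_id),))
    return [row[0] for row in rows]


# --- page handlers (what a system level test sees through the browser) --------

def page_leaky(conn, dao, patient_id):
    """Catches everything and echoes the exception text into the response."""
    try:
        return 200, "Patient: " + ", ".join(dao(conn, patient_id))
    except Exception as exc:
        return 500, "Error: " + str(exc)   # e.g. unrecognized token: "'"


def page_graceful(conn, dao, patient_id):
    """Fails gracefully: invalid input and database errors get generic messages."""
    try:
        return 200, "Patient: " + ", ".join(dao(conn, patient_id))
    except ValueError:
        return 400, "Invalid patient id."
    except sqlite3.Error:
        return 500, "An internal error occurred."


# --- the two levels of test ---------------------------------------------------

def unit_test_rejects_injection(dao):
    """Unit level: a single id must never match more than one row; rejecting
    the input outright (ValueError) also counts as a pass."""
    try:
        return len(dao(make_db(), INJECTION)) <= 1
    except ValueError:
        return True


# Substrings that betray a database error message in a rendered page (constructed list).
LEAK_MARKERS = ("sqlite", "syntax", "token", "near ", "select ")


def system_test_no_error_leak(page, dao):
    """System level: a malformed id must not surface the database's own error text."""
    _status, body = page(make_db(), dao, MALFORMED)
    return not any(marker in body.lower() for marker in LEAK_MARKERS)


def system_test_rejects_injection(page, dao):
    """System level: the injected id must not expose the second patient's record."""
    _status, body = page(make_db(), dao, INJECTION)
    return "Bob" not in body


if __name__ == "__main__":
    for dao in (find_patient_vulnerable, find_patient_safe):
        print(dao.__name__, "unit/injection:", unit_test_rejects_injection(dao))
        for page in (page_leaky, page_graceful):
            print(" ", page.__name__,
                  "system/leak:", system_test_no_error_leak(page, dao),
                  "system/injection:", system_test_rejects_injection(page, dao))
```

Running the script shows why the two parts of input validation are separate: <code>page_graceful</code> wrapped around <code>find_patient_vulnerable</code> passes the error-leak check but still returns both patients for the injected id, while <code>page_leaky</code> wrapped around <code>find_patient_safe</code> blocks the injection but would still echo any exception it did catch. Only the system level tests exercise the page handler at all, which is what lets them reveal the second class of vulnerability that a unit test of the data-access component cannot see.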