Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks
<center>
'''Table 1. Information about the test subjects (n=4)'''
{|
|-
| '''Projects'''
| '''iTrust'''
| '''TuduLists'''
|-
|}
</center>
# '''Identify and Instrument Hotspots'''. We manually inspected the source code to discover any point where the system interacts with the database. We note here that hotspots can take many forms; we explain this issue more below. We have written the Java program <code>SQLMarker</code>, introduced in our earlier work<sup>[9]</sup>. <code>SQLMarker</code> keeps a record of the execution state at runtime for each uniquely identified hotspot<sup>13</sup>. <code>SQLMarker</code> has a method, <code>SQLMarker.mark()</code>, which passes the line number and file name to a research database that stores whether the hotspot has been executed.
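A minimal illustration of the register-then-mark bookkeeping behind this step, added here as hypothetical example code and not the paper's <code>SQLMarker</code>; the file names, line numbers and the in-memory map standing in for the research database are constructed assumptions:

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Hypothetical hotspot coverage recorder modelled on the role described for
 * SQLMarker.mark(); added illustration, not the paper's tool. An in-memory map
 * stands in for the research database: key "file:line", value = executed.
 */
public class HotspotCoverage {
    private static final Map<String, Boolean> HOTSPOTS = new LinkedHashMap<>();

    /** Register a hotspot found during manual inspection, before the test run. */
    public static void register(String file, int line) {
        HOTSPOTS.putIfAbsent(file + ":" + line, Boolean.FALSE);
    }

    /** Instrumentation call placed at the hotspot; records that it was executed. */
    public static void mark(String file, int line) {
        HOTSPOTS.put(file + ":" + line, Boolean.TRUE);
    }

    /** Hotspots no system-level test reached, so their error paths were never probed. */
    public static List<String> unexecuted() {
        List<String> missed = new ArrayList<>();
        for (Map.Entry<String, Boolean> e : HOTSPOTS.entrySet()) {
            if (!e.getValue()) {
                missed.add(e.getKey());
            }
        }
        return missed;
    }

    /** Constructed stand-in for an application DAO method containing one hotspot. */
    static void findPatientByName(String name) {
        HotspotCoverage.mark("PatientDAO.java", 42); // hypothetical file and line
        // A real method would issue its database query here; omitted in this illustration.
    }

    public static void main(String[] args) {
        // Hotspots the (constructed) inspection step produced for a hypothetical project.
        register("PatientDAO.java", 42);
        register("PatientDAO.java", 88);
        register("VisitDAO.java", 17);
        // One system-level test exercises only the first of the three hotspots.
        findPatientByName("O'Brien");
        System.out.println("Unexecuted hotspots: " + unexecuted());
    }
}
```

The unexecuted list is the actionable output: each entry is a database interaction whose error handling the test suite has not yet exercised.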