research-article

Proposing SQL statement coverage metrics

Authors:

Laurie WilliamsAuthors Info & Claims

SESS '08: Proceedings of the fourth international workshop on Software engineering for secure systems

Pages 49 - 56

https://doi.org/10.1145/1370905.1370912

Published: 17 May 2008 Publication History

Abstract

An increasing number of cyber attacks are occurring at the application layer when attackers use malicious input. These input validation vulnerabilities can be exploited by (among others) SQL injection, cross site scripting, and buffer overflow attacks. Statement coverage and similar test adequacy metrics have historically been used to assess the level of functional and unit testing which has been performed on an application. However, these currently-available metrics do not highlight how well the system protects itself through validation. In this paper, we propose two SQL injection input validation testing adequacy metrics: target statement coverage and input variable coverage. A test suite which satisfies both adequacy criteria can be leveraged as a solid foundation for input validation scanning with a blacklist. To determine whether it is feasible to calculate values for our two metrics, we perform a case study on a web healthcare application and discuss some issues in implementation we have encountered. We find that the web healthcare application scored 96.7% target statement coverage and 98.5% input variable coverage.

References

[1]

B. Beizer, Software testing techniques: Van Nostrand Reinhold Co. New York, NY, USA, 1990.

Digital Library

[2]

S. W. Boyd and A. D. Keromytis, "SQLrand: Preventing SQL injection attacks," in Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, Yellow Mountain, China, pp. 292--304, 2004.

[3]

B. Brenner, "CSI 2007: Developers need Web application security assistance," in SearchSecurity.com, 2007.

[4]

M. Cobb, "Making the case for Web application vulnerability scanners," in SearchSecurity.com, 2007.

[5]

W. G. Halfond, J. Viegas, and A. Orso, "A Classification of SQL-Injection Attacks and Countermeasures," in Proceedings of the International Symposium on Secure Software Engineering, March, Arlington, VA, 2006.

[6]

W. G. J. Halfond and A. Orso, "AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks," in Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, Long Beach, CA, USA, pp. 174--183, 2005.

Digital Library

[7]

W. G. J. Halfond and A. Orso, "Command-Form Coverage for Testing Database Applications," Proceedings of the IEEE and ACM International Conference on Automated Software Engineering, pp. 69--78, 2006.

Digital Library

[8]

Y. W. Huang, S. K. Huang, T. P. Lin, and C. H. Tsai, "Web application security assessment by fault injection and behavior monitoring," in Proceedings of the 12th International Conference on World Wide Web, Budapest, Hungary, pp. 148--159, 2003.

Digital Library

[9]

S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, "SecuBat: a web vulnerability scanner," in Proceedings of the 15th international conference on World Wide Web, Edinburgh, Scotland pp. 247--256, 2006.

Digital Library

[10]

G. McGraw, Software Security: Building Security in. Upper Saddle River, NJ: Addison-Wesley Professional, 2006.

Digital Library

[11]

J. Offutt, "Quality attributes of Web software applications," IEEE Software, vol. 19, no. 2, pp. 25--32, 2002.

Digital Library

[12]

E. Ogren, "App Security's Evolution," in DarkReading.com, 2007.

[13]

T. Pietraszek and C. V. Berghe, "Defending against injection attacks through context-sensitive string evaluation," in Recent Advances in Intrusion Detection (RAID). Seattle, WA, 2005.

Digital Library

[14]

F. S. Rietta, "Application layer intrusion detection for SQL injection," in Proceedings of the 44th annual southeast regional conference, New York, NY, pp. 531--536, 2006.

Digital Library

[15]

D. Scott and R. Sharp, "Developing secure Web applications," Internet Computing, IEEE, vol. 6, no. 6, pp. 38--45, 2002.

Digital Library

[16]

Z. Su and G. Wassermann, "The essence of command injection attacks in web applications," in Proceedings of the Annual Symposium on Principles of Programming Languages, Charleston, SC, pp. 372--382, 2006.

Digital Library

[17]

H. H. Thompson and J. A. Whittaker, "Testing for software security," Dr. Dobb's Journal, vol. 27, no. 11, pp. 24--34, 2002.

[18]

D. Willmor and S. M. Embury, "Exploring test adequacy for database systems," in Proceedings of the 3rd UK Software Testing Research Workshop, Sheffield, UK, pp. p123--133, 2005.

[19]

H. Zhu, P. A. V. Hall, and J. H. R. May, "Software Unit Test Coverage and Adequacy," ACM Computing Surveys, vol. 29, no. 4, 1997.

Digital Library

Cited By

Alves HFonseca BAntunes N(2016)Experimenting Machine Learning Techniques to Predict Vulnerabilities2016 Seventh Latin-American Symposium on Dependable Computing (LADC)10.1109/LADC.2016.32(151-156)Online publication date: Oct-2016
https://doi.org/10.1109/LADC.2016.32
Matsunaga AAntunes NMoraes R(2016)Coverage Metrics and Detection of Injection Vulnerabilities: An Experimental Study2016 12th European Dependable Computing Conference (EDCC)10.1109/EDCC.2016.32(45-52)Online publication date: Sep-2016
https://doi.org/10.1109/EDCC.2016.32
Dao TShibayama E(2011)Security sensitive data flow coverage criterion for automatic security testing of web applicationsProceedings of the Third international conference on Engineering secure software and systems10.5555/1946341.1946352(101-113)Online publication date: 9-Feb-2011
https://dl.acm.org/doi/10.5555/1946341.1946352
Show More Cited By

Index Terms

Proposing SQL statement coverage metrics
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Measuring the effectiveness of output filtering against SQL injection attacks
ACMSE '14: Proceedings of the 2014 ACM Southeast Conference

SQL injection (SQLi) attacks present severe risks to applications; they may result in the unintended exposure, modification, corruption, or deletion of information. An error in a single line of code can introduce a vulnerability to an application, ...
SQL injection authentication security threat

The study examines SQL injection as a serious threat to application security, with a particular emphasis on how it affects database data integrity, which is essential to server functionality. Attackers can insert harmful SQL queries into the data being ...
Attack Model Based Penetration Test for SQL Injection Vulnerability
COMPSACW '12: Proceedings of the 2012 IEEE 36th Annual Computer Software and Applications Conference Workshops

The penetration test is a crucial way to enhance the security of web applications. Improving accuracy is the core issue of the penetration test research. The test case is an important factor affecting the penetration test accuracy. In this paper, we ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SESS '08: Proceedings of the fourth international workshop on Software engineering for secure systems

May 2008

72 pages

ISBN:9781605580425

DOI:10.1145/1370905

Program Chairs:
Bart De Win
Katholieke Universiteit Leuven, Belgium
,
Seok-Won Lee
University of North Carolina at Charlotte
,
Mattia Monga
Università a degli Studi di Milano, Italy

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 May 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ICSE '08

Sponsor:

ICSE '08: International Conference on Software Engineering

May 17 - 18, 2008

Leipzig, Germany

Acceptance Rates

Overall Acceptance Rate 8 of 11 submissions, 73%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
701
Total Downloads

Downloads (Last 12 months)8
Downloads (Last 6 weeks)0

Reflects downloads up to 21 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Alves HFonseca BAntunes N(2016)Experimenting Machine Learning Techniques to Predict Vulnerabilities2016 Seventh Latin-American Symposium on Dependable Computing (LADC)10.1109/LADC.2016.32(151-156)Online publication date: Oct-2016
https://doi.org/10.1109/LADC.2016.32
Matsunaga AAntunes NMoraes R(2016)Coverage Metrics and Detection of Injection Vulnerabilities: An Experimental Study2016 12th European Dependable Computing Conference (EDCC)10.1109/EDCC.2016.32(45-52)Online publication date: Sep-2016
https://doi.org/10.1109/EDCC.2016.32
Dao TShibayama E(2011)Security sensitive data flow coverage criterion for automatic security testing of web applicationsProceedings of the Third international conference on Engineering secure software and systems10.5555/1946341.1946352(101-113)Online publication date: 9-Feb-2011
https://dl.acm.org/doi/10.5555/1946341.1946352
Smith BWilliams L(2011)Using SQL Hotspots in a Prioritization Heuristic for Detecting All Types of Web Application VulnerabilitiesProceedings of the 2011 Fourth IEEE International Conference on Software Testing, Verification and Validation10.1109/ICST.2011.15(220-229)Online publication date: 21-Mar-2011
https://dl.acm.org/doi/10.1109/ICST.2011.15
Dao TShibayama E(2011)Security Sensitive Data Flow Coverage Criterion for Automatic Security Testing of Web ApplicationsEngineering Secure Software and Systems10.1007/978-3-642-19125-1_8(101-113)Online publication date: 2011
https://doi.org/10.1007/978-3-642-19125-1_8
Dao TShibayama E(2010)Coverage criteria for automatic security testing of web applicationsProceedings of the 6th international conference on Information systems security10.5555/1940366.1940378(111-124)Online publication date: 17-Dec-2010
https://dl.acm.org/doi/10.5555/1940366.1940378
Alalfi MCordy JDean T(2010)Automating Coverage Metrics for Dynamic Web ApplicationsProceedings of the 2010 14th European Conference on Software Maintenance and Reengineering10.1109/CSMR.2010.21(51-60)Online publication date: 15-Mar-2010
https://dl.acm.org/doi/10.1109/CSMR.2010.21
Dao TShibayama E(2010)Coverage Criteria for Automatic Security Testing of Web ApplicationsInformation Systems Security10.1007/978-3-642-17714-9_9(111-124)Online publication date: 2010
https://doi.org/10.1007/978-3-642-17714-9_9
Smith BWilliams LAustin A(2010)IdeaProceedings of the Second international conference on Engineering Secure Software and Systems10.1007/978-3-642-11747-3_15(192-200)Online publication date: 3-Feb-2010
https://dl.acm.org/doi/10.1007/978-3-642-11747-3_15
De Win BLee SMonga MSchäfer WDwyer MGruhn V(2008)The fourth international workshop on software engineering for secure systemsCompanion of the 30th international conference on Software engineering10.1145/1370175.1370251(1069-1070)Online publication date: 10-May-2008
https://dl.acm.org/doi/10.1145/1370175.1370251

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents