research-article

DeepSQLi: deep semantic learning for testing SQL injection

Authors:

Tao ChenAuthors Info & Claims

ISSTA 2020: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis

Pages 286 - 297

https://doi.org/10.1145/3395363.3397375

Published: 18 July 2020 Publication History

Abstract

Security is unarguably the most serious concern for Web applications, to which SQL injection (SQLi) attack is one of the most devastating attacks. Automatically testing SQLi vulnerabilities is of ultimate importance, yet is unfortunately far from trivial to implement. This is because the existence of a huge, or potentially infinite, number of variants and semantic possibilities of SQL leading to SQLi attacks on various Web applications. In this paper, we propose a deep natural language processing based tool, dubbed DeepSQLi, to generate test cases for detecting SQLi vulnerabilities. Through adopting deep learning based neural language model and sequence of words prediction, DeepSQLi is equipped with the ability to learn the semantic knowledge embedded in SQLi attacks, allowing it to translate user inputs (or a test case) into a new test case, which is se- mantically related and potentially more sophisticated. Experiments are conducted to compare DeepSQLi with SQLmap, a state-of-the-art SQLi testing automation tool, on six real-world Web applications that are of different scales, characteristics and domains. Empirical results demonstrate the effectiveness and the remarkable superiority of DeepSQLi over SQLmap, such that more SQLi vulnerabilities can be identified by using a less number of test cases, whilst running much faster.

References

[1]

Dennis Appelt, Nadia Alshahwan, and Lionel C. Briand. 2013. Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing. In FITTEST'13: Proc. Workshop of the 2013 Future Internet Testing-First International. 32-47.

[2]

Dennis Appelt, Cu Duy Nguyen, Lionel C. Briand, and Nadia Alshahwan. 2014. Automated testing for SQL injection vulnerabilities: an input mutation approach. In ISSTA'14: Proc. of the 2014 International Symposium on Software Testing and Analysis. 259-269.

Digital Library

[3]

Dennis Appelt, Cu D. Nguyen, Annibale Panichella, and Lionel C. Briand. 2018. A Machine-Learning-Driven Evolutionary Approach for Testing Web Application Firewalls. IEEE Trans. Reliability 67, 3 ( 2018 ), 733-757.

[4]

Davide Ariu, Igino Corona, Roberto Tronci, and Giorgio Giacinto. 2015. Machine Learning in Security Applications. Trans. MLDM 8, 1 ( 2015 ), 3-39.

[5]

Ilies Benikhlef, Chenghong Wang, and Sangirov Gulomjon. 2016. Mutation based SQL injection test cases generation for the web based application vulnerability testing. In ICENCE'16: Proc. of the 2nd International Conference on Electronics, Network and Computer Engineering.

[6]

Josip Bozic, Bernhard Garn, Dimitris E. Simos, and Franz Wotawa. 2015. Evaluation of the IPO-Family algorithms for test case generation in web security testing. In ICST'15 Workshops: Proc. Workshop of the 2015 Eighth IEEE International Conference on Software Testing, Verification and Validation. 1-10.

[7]

Peter F. Brown, Stephen Della Pietra, Vincent J. Della Pietra, Jennifer C. Lai, and Robert L. Mercer. 1992. An Estimate of an Upper Bound for the Entropy of English. Computational Linguistics 18, 1 ( 1992 ), 31-40.

[8]

Chenyu, Mao, Fan, and Guo. 2016. Defending SQL Injection Attacks basedon Intention-Oriented Detection. In ICCSE'16: Proc. of the 11th International Conference on Computer Science & Education. IEEE, 939-944.

[9]

Mark Curphey and Rudolph Arawo. 2006. Web application security assessment tools. IEEE Security & Privacy 4, 4 ( 2006 ), 32-41.

Digital Library

[10]

Linhao Dong, Shuang Xu, and Bo Xu. [n.d.]. Speech-Transformer : A NoRecurrence Sequence-to-Sequence Model for Speech Recognition. In ICASSP'18: Proc. of the 2018 IEEE International Conference on Acoustics, Speech and Signal Processing.

[11]

Rohan Doshi, Noah Apthorpe, and Nick Feamster. 2018. Machine Learning DDoS Detection for Consumer Internet of Things Devices. In SP Workshop'18: Proc. of the 2018 IEEE Security and Privacy. 29-35.

[12]

David Guthrie, Ben Allison, Wei Liu, Louise Guthrie, and Yorick Wilks. 2006. A Closer Look at Skip-gram Modelling. In LREC'06: Proc. of the 5th International Conference on Language Resources and Evaluation. 1222-1225.

[13]

Halfond, William GJ, Choudhary, Shauvik Roy, Orso, and Alessandro. 2009. Penetration testing with improved input vector identification. In ICST'09: Proc. of the 2nd International Conference on Software Testing Verification and Validation. 346-355.

[14]

William G. J. Halfond and Alessandro Orso. 2005. AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. In ASE'05: Proc. of the 20th IEEE/ACM International Conference on Automated Software Engineering. 174-183.

[15]

William G. J. Halfond, Alessandro Orso, and Panagiotis Manolios. 2006. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In SIGSOFT'06: Proc. of the 14th ACM International Symposium on Foundations of Software Engineering. 175-185.

Digital Library

[16]

William G. J. Halfond, Alessandro Orso, and Pete Manolios. 2008. WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation. IEEE Trans. Software Eng. 34, 1 ( 2008 ), 65-81.

Digital Library

[17]

Cheng-Zhi Anna Huang, Ashish Vaswani, Jakob Uszkoreit, Ian Simon, Curtis Hawthorne, Noam Shazeer, Andrew M. Dai, Matthew D. Hofman, Monica Dinculescu, and Douglas Eck. 2019. Music Transformer: Generating Music with Long-Term Structure. In ICLR'19: Proc. of the 7th International Conference on Learning Representations.

[18]

Nal Kalchbrenner, Edward Grefenstette, and Phil Blunsom. 2014. A Convolutional Neural Network for Modelling Sentences. In ACL'14: Proc. of the 52nd Association for Computational Linguistics. 655-665.

[19]

Adam Kiezun, Philip J. Guo, Karthick Jayaraman, and Michael D. Ernst. 2009. Automatic creation of SQL Injection and cross-site scripting attacks. In ICSE'09: Proc. of the 31st International Conference on Software Engineering. 199-209.

[20]

Mi-Yeon Kim and Dong Hoon Lee. 2014. Data-mining based SQL injection attack detection using internal query trees. Expert Syst. Appl. 41, 11 ( 2014 ), 5416-5430.

[21]

Diederik P. Kingma and Jimmy Ba. 2015. Adam: A Method for Stochastic Optimization. In ICLR'15: Proc. of the 52nd Association for Computational Linguistics.

[22]

Huichen Li, Xiaojun Xu, Chang Liu, Teng Ren, Kun Wu, Xuezhi Cao, Weinan Zhang, Yong Yu, and Dawn Song. 2018. A Machine Learning Approach to Prevent Malicious Calls over Telephony Networks. In SP'18: Proc. of the 2018 IEEE Symposium on Security and Privacy. 53-69.

[23]

Ofer Maor and Amichai Shulman. 2004. SQL injection signatures evasion. Imperva, Inc., Apr ( 2004 ).

[24]

Stuart McDonald. 2002. SQL Injection: Modes of attack, defense, and why it matters. White paper, GovernmentSecurity. org ( 2002 ).

[25]

Volodymyr Mnih, Nicolas Heess, Alex Graves, and Koray Kavukcuoglu. 2014. Recurrent Models of Visual Attention. In NIPS'14: Proc. of the 2014 Neural Information Processing Systems. 2204-2212.

[26]

Veselin Raychev, Martin T. Vechev, and Eran Yahav. 2014. Code completion with statistical language models. In PLDI'14: Proc. of the 2014 Programming Language Design and Implementation. 419-428.

Digital Library

[27]

Naghmeh Moradpoor Sheykhkanloo. 2017. A Learning-based Neural Network Model for the Detection and Classification of SQL Injection Attacks. IJCWT 7, 2 ( 2017 ), 16-41.

[28]

Sanjib Sinha. 2018. SQL Mapping. In Beginning Ethical Hacking with Kali Linux. Springer, 221-258.

[29]

Jaroslaw Skaruz and Franciszek Seredynski. 2007. Recurrent neural networks towards detection of SQL attacks. In IPDPS'07: Proc. of the 21th International Parallel and Distributed Processing Symposium. 1-8.

[30]

Julian Thomé, Alessandra Gorla, and Andreas Zeller. 2014. Search-based security testing of web applications. In SBST'14: Proc. of the 7th International Workshop on Search-Based Software Testing. 5-14.

Digital Library

[31]

Wei Tian, Jufeng Yang, Jing Xu, and Guannan Si. 2012. Attack Model Based Penetration Test for SQL Injection Vulnerability. In COMPSAC'12: Proc. Workshops of the 36th Annual IEEE Computer Software and Applications. 589-594.

[32]

Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N. Gomez, Lukasz Kaiser, and Illia Polosukhin. 2017. Attention is All you Need. In NIPS'17: Proc. of the 2017 Neural Information Processing Systems. 5998-6008.

[33]

Oriol Vinyals, Lukasz Kaiser, Terry Koo, Slav Petrov, Ilya Sutskever, and Geoffrey E. Hinton. 2015. Grammar as a Foreign Language. In NIPS'15: Proc. of the 2015 Neural Information Processing Systems. 2773-2781.

Cited By

Ding WAbdel-Basset MAli AMoustafa N(2025)Large language models for cyber resilience: A comprehensive review, challenges, and future perspectivesApplied Soft Computing10.1016/j.asoc.2024.112663170(112663)Online publication date: Feb-2025
https://doi.org/10.1016/j.asoc.2024.112663
Gui ZWang EDeng BZhang MChen YWei SXie WWang B(2024)SqliGPT: Evaluating and Utilizing Large Language Models for Automated SQL Injection Black-Box DetectionApplied Sciences10.3390/app1416692914:16(6929)Online publication date: 7-Aug-2024
https://doi.org/10.3390/app14166929
Bai YSun MZhang LWang YLiu SLiu YTan JYang YLv C(2024)Enhancing Network Attack Detection Accuracy through the Integration of Large Language Models and Synchronized Attention MechanismApplied Sciences10.3390/app1409382914:9(3829)Online publication date: 30-Apr-2024
https://doi.org/10.3390/app14093829
Show More Cited By

Index Terms

DeepSQLi: deep semantic learning for testing SQL injection
1. Security and privacy
  1. Software and application security
    1. Web application security
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks

Web applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Mitigation of SQL Injection Attacks using Threat Modeling

Day after day, SQL Injection (SQLI) attack is consistently proliferating across the globe. According to Open Web Application Security Project (OWASP) Top Ten Cheat Sheet-2014, SQLI is at top in the list of online attacks. The cause of spread of SQLI is ...
SQL injection attack: Detection, prioritization & prevention
Abstract
Web applications have become central in the digital landscape, providing users instant access to information and allowing businesses to expand their reach. Injection attacks, such as SQL injection (SQLi), are prominent attacks on web applications,...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ISSTA 2020: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis

July 2020

591 pages

ISBN:9781450380089

DOI:10.1145/3395363

General Chair:
Sarfraz Khurshid
University of Texas at Austin, USA
,
Program Chair:
Corina S. Păsăreanu
Carnegie Mellon University Silicon Valley / NASA Ames Research Center, USA

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 July 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ISSTA '20

Sponsor:

SIGSOFT

ISSTA '20: 29th ACM SIGSOFT International Symposium on Software Testing and Analysis

July 18 - 22, 2020

Virtual Event, USA

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Upcoming Conference

ISSTA '25

Sponsor:
sigsoft

34th ACM SIGSOFT International Symposium on Software Testing and Analysis

June 25 - 28, 2025

Trondheim , Norway

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

25
Total Citations
View Citations
756
Total Downloads

Downloads (Last 12 months)126
Downloads (Last 6 weeks)9

Reflects downloads up to 17 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Ding WAbdel-Basset MAli AMoustafa N(2025)Large language models for cyber resilience: A comprehensive review, challenges, and future perspectivesApplied Soft Computing10.1016/j.asoc.2024.112663170(112663)Online publication date: Feb-2025
https://doi.org/10.1016/j.asoc.2024.112663
Gui ZWang EDeng BZhang MChen YWei SXie WWang B(2024)SqliGPT: Evaluating and Utilizing Large Language Models for Automated SQL Injection Black-Box DetectionApplied Sciences10.3390/app1416692914:16(6929)Online publication date: 7-Aug-2024
https://doi.org/10.3390/app14166929
Bai YSun MZhang LWang YLiu SLiu YTan JYang YLv C(2024)Enhancing Network Attack Detection Accuracy through the Integration of Large Language Models and Synchronized Attention MechanismApplied Sciences10.3390/app1409382914:9(3829)Online publication date: 30-Apr-2024
https://doi.org/10.3390/app14093829
Zhou SHuang MSun YLi K(2024)Evolutionary Multi-objective Optimization for Contextual Adversarial Example GenerationProceedings of the ACM on Software Engineering10.1145/36608081:FSE(2285-2308)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660808
Liang HLi XXiao DLiu JZhou YWang ALi J(2024)Generative Pre-Trained Transformer-Based Reinforcement Learning for Testing Web Application FirewallsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.325252321:1(309-324)Online publication date: Jan-2024
https://doi.org/10.1109/TDSC.2023.3252523
Mohamed NAhmed A(2024)AI in Combatting Man-in-the-Middle Attacks: A Comprehensive Review2024 15th International Conference on Computing Communication and Networking Technologies (ICCCNT)10.1109/ICCCNT61001.2024.10725789(1-6)Online publication date: 24-Jun-2024
https://doi.org/10.1109/ICCCNT61001.2024.10725789
Coscia ADentamaro VGalantucci SMaci APirlo G(2024)PROGESI: A PROxy Grammar to Enhance Web Application Firewall for SQL Injection PreventionIEEE Access10.1109/ACCESS.2024.343809212(107689-107703)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3438092
Mahesh RChellathurai SThirunavukkarasu MRaman P(2024)SQL Injection Attack Detection and Prevention Based on Manipulating the SQL Query Input AttributesComputational Sciences and Sustainable Technologies10.1007/978-3-031-50993-3_17(213-221)Online publication date: 3-Feb-2024
https://doi.org/10.1007/978-3-031-50993-3_17
Alghawazi MAlghazzawi DAlarifi S(2023)Deep Learning Architecture for Detecting SQL Injection Attacks Based on RNN Autoencoder ModelMathematics10.3390/math1115328611:15(3286)Online publication date: 26-Jul-2023
https://doi.org/10.3390/math11153286
Guan YHe JLi TZhao HMa B(2023)SSQLi: A Black-Box Adversarial Attack Method for SQL Injection Based on Reinforcement LearningFuture Internet10.3390/fi1504013315:4(133)Online publication date: 30-Mar-2023
https://doi.org/10.3390/fi15040133
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents