MUSIC: Mutation-based SQL injection vulnerability checking

Proceedings - International Conference on Quality Software

Volumn , Issue , 2008, Pages 77-86

  Shahriar, Hossain ^a   Zulkernine, Mohammad ^a  

^a QUEEN S UNIVERSITY   (Canada)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER CRIME; COMPUTER SOFTWARE; JAVA PROGRAMMING LANGUAGE; PROGRAMMING THEORY; STATISTICAL TESTS; TEST FACILITIES; TESTING; WAVELET ANALYSIS; WEB SERVICES; WORLD WIDE WEB;

INPUT FILTERS; INTERNATIONAL CONFERENCES; JAVA SERVER PAGES; MUTATION ANALYSIS; MUTATION OPERATORS; OPEN SOURCES; PRIVATE INFORMATION; QUALITY SOFTWARE; SOURCE CODING; SQL-INJECTION; TEST CASES; TEST DATA; WEB-BASED APPLICATIONS;

EQUIPMENT TESTING;

EID: 52449112561     PISSN: 15506002     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/QSIC.2008.33     Document Type: Conference Paper

References (22)

1. The Open Web Application Security Project (OWASP), www.owasp.org (Accessed Feb 2008)
2. G. Buehrer, B. W. Weide, P. A. G. Sivilotti, "Using parse tree validation to prevent SQL injection attacks", Proceedings of the 5th International Workshop on Software Engineering and Middleware (SEM '05), Lisbon, Portugal, 2005, pp. 106-113.
3. S. W. Boyd and A. D. Keromytis, "SQLrand: Preventing SQL injection attacks", In Proceedings of the 2nd Applied Cryptography and Network Security Conf. (ACNS 2004), Jun. 2004, pp. 292-302.
4. Z. Su and G. Wasserman, "The Essence of Command Injection Attacks in Web Applications", In Proceedings of Symposium on Principles of Programming Languages POPL '06, Jan 2006, South Carolina, USA, pp. 372-382.
5. rd Annual Computer Security Applications Conference, 2007 (ACSAC 2007), Miami, Dec 2007, pp. 107-117.
6. W. Halfond, and A. Orso, "AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks", In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE 2005), Nov 2005, Long Beach, CA, USA, pp.174-183.
7. Y. Shin, L. Williams, and T. Xie, "SQLUnitGen: SQL Injection Testing Using Static and Dynamic Analysis", In Proceedings of the International Symposium on Software Reliability Engineering (ISSRE), 2006, Raleigh, NC, ISBN 978-0-9671473-3-3-8.
8. L. A. Gordon, M. P. Loeb, W.Lucyshyn, and R. Richardson., "Ninth CSI/FBI computer crime and security survey", Technical Report RL32331, C.S.I. Computer Security Institute, 2004.
9. S. Thomas and L. Williams, "Using Automated Fix Generation to Secure SQL Statements", In Proceedings of Third International Workshop on Software Engineering for Secure Systems (SESS '07), Minneapolis, 2007, pp. 9-14.
10. SQL Injection Walkthrough, www.securiteam.com/securityreviews/5DP0N1P76E. html (Accessed Feb 2008)
11. J. Lin and J. Chen, "The Automatic Defense Mechanism for Malicious Injection Attack", In Proceedings of Seventh International Conference on Computer and Information Technology (CIT2007), Fukushima, Japan, Oct 2007, pp. 709-714.
12. Michael Howard and David C. LeBlanc, "Writing Secure Code", Second Edition, Microsoft Press, 2002.
13. K. Kemalis and T. Tzouramanis, "SQL-IDS: A Specification-based Approach for SQL-Injection Detection", In Proceedings of 23rd ACM Symposium on Applied Computing (SAC'08), Mar 2008, Fortaleza, pp. 2153-2158.
14. W.K. Chan, S.C. Cheung, and T.H. Tse, "Fault-based Testing of Database Application Programs with Conceptual Data Model", In Proceedings of the Fifth International Conference on Quality Software (QSIC 2005), Los Alamitos, California, 2005
15. J. Tuya, M. Suárez-Cabal, and C. Riva, "Mutating Database Queries", Information and Software Technology, 49(4) 398-417, April 2007.
16. Jcrasher, Accessed from www.cc.gatech.edu/jcrasher.
17. R. DeMillo, R. Lipton, and F. Sayward, "Hints on test data selection: Help for the practicing programmer", IEEE Computer Magazine, Volume 11, Issue 4, 1978, pp. 34-41.
18. W. E. Howden, "Weak mutation testing and completeness of test sets," IEEE Transaction on Software Engineering, Volume 8, Number 4, July 1982, pp. 371-379.
19. W. G. Halfond, J. Viegas, and A. Orso, "A Classification of SQL-Injection Attacks and Countermeasures", In Proceedings of the International Symposium on Secure Software Engineering (ISSSE 2006), Arlington, Virginia, Mar. 2006.
20. T. Mouelhi, Y. Le Traon, and B. Baudry. "Testing security policies: going beyond functional testing". In Proceedings of International Symposium on Software Reliability Engineering (ISSRE'07), Trollhättan, Sweden, November 2007.
21. H. Zhu, P. A. V. Hall, and J. H. R. May, "Software Unit Test Coverage and Adequacy", ACM Computing Surveys (CSUR), Volume 29, Issue 4, Dec. 1997, pp. 366-427.
22. Open Source Web Applications with Source Code in ASP, JSP, PHP, Perl, ColdFusion, ASP.NET/C#, http://gotocode.com (Accessed Feb 2008).