Published in: The 2nd International Conference on Information Science and Engineering

Research on mock attack testing for SQL injection vulnerability in multi-defense level web applications


Abstract

Testing methods for finding vulnerabilities in web applications fall mainly into two categories: white box testing and black box testing. This paper focuses on black box testing for the SQL injection vulnerability. By combining fuzz testing with mock attack testing, a new testing method for finding SQL injection is proposed, in which the injection parameters are divided into several sets of equivalence classes according to the defined multi-defense levels of the web systems under test. By injecting the most representative parameters selected from each equivalence class, mock attack testing for SQL injection can be very effective and low cost. Experimental results show that this method achieves desirable results for SQLI mock attack testing in real web applications.