An Inferential Metamorphic Testing Approach to Eliminating False Positives in SQLIV Penetration Test

RIS ID

113645

Publication Details

Liu, L., Su, G., Xu, J., Zhang, B., Kang, J., Xu, S., Li, P. & Si, G. (2017). An Inferential Metamorphic Testing Approach to Eliminating False Positives in SQLIV Penetration Test. IEEE Computers, Software, and Applications Conference (COMPSAC 2017) (pp. 675-680). United States: IEEE.

Abstract

SQL Injection Vulnerability (SQLIV) has been the top-ranked threat to Web security consistently for many years. Penetration tests, which are a most widely adopted technique to detect SQLIV, are usually affected by testing inaccuracy. This problem is even worse in inference-based, blind penetration tests for online Web sites, where Web page variations (such as those caused by inbuilt dynamic modules or user interactions) may lead to a large number of False Positives (FP).

Please refer to publisher version or contact your library.


Link to publisher version (DOI)

http://dx.doi.org/10.1109/COMPSAC.2017.276