Liu, L, Xu, J, Yang, H, Guo, C, Kang, J, Xu, S, Zhang, B and Si, G (2016) 'An effective penetration test approach based on feature matrix for exposing SQL Injection Vulnerability.' In: Reisman, S, Ahamed, S.I, Liu, L, Milojicic, D, Claycomb, W, Matskin, M, Sato, H, Nakamura, M, Cimato, S, Lung, C.H and Zhang, Z, eds. Proceedings: 2016 IEEE 40th Annual Computer Software and Applications Conference Workshops. IEEE Computer Society, Los Alamitos, pp. 123-132. ISBN 9781467388450


Among all Web application security issues, SQL Injection Vulnerability (SQLIV) is one of the most serious, so testing for SQLIV effectively is of great importance. To address this issue, this paper describes a novel approach that uses a Feature Matrix (FM) model for SQLIV black-box penetration testing. First, the FM is introduced, which integrates the general penetration test features for SQLIV. Each row of the matrix is defined as a test pattern, named a Global Test Pattern (GTP). A GTP Selection (GTPS) process is then used to select legal GTPs for general SQLIV penetration testing. Second, to find the optimum FM automatically during the SQLIV penetration test procedure, a Dynamic Matrix Selection (DMS) algorithm is described, which is based on dynamic tree pruning. Finally, a prototype tool, SQLEXP, is developed, and experiments are carried out on two target Web applications and about 30000 real Internet URLs. The results show that the proposed approach can effectively improve the testing effect of SQLIV penetration testing compared with two benchmarking testing tools.

Item Type: Book Chapter or Section

ISSN 0730-3157

Keywords: Testing, Heuristic algorithms, Process control, Frequency modulation, Grammar, Prototypes, Security
Divisions: College of Liberal Arts
Date Deposited: 05 Mar 2017 20:24
Last Modified: 05 Mar 2017 20:24