Mimicry-Based Testing of Runtime SQLi Prevention Approaches
There are many techniques to prevent SQL injections at runtime. Runtime-based approaches, in general, provide finer-grain protection than web application firewalls (WAFs). Most of the runtime techniques identify malicious queries based on their structure. In essence, they disallow queries that are structurally different to what has been classified as benign. In this paper we present our technique, called MimiFuzz, to test such protection mechanisms. We focus on testing protections related to confidentiality and thus try to exfiltrate data stored in databases. MimiFuzz generates data exfiltration queries that mimic the queries that are permitted by the runtime SQLi protection mechanisms. Our experiments, using the benchbase benchmark suite, show that MimiFuzz enhances Sqlmap, which is the state-of-the-art SQLi test generator.
Tue 29 AprDisplayed time zone: Eastern Time (US & Canada) change
14:00 - 15:30 | Paper Presentations 3 and Tutorial 2SBFT at 104 Chair(s): Matteo Biagiola Università della Svizzera italiana | ||
14:00 15mPaper | AutoStub: Genetic Programming-Based Stub Creation for Symbolic Execution SBFT Felix Mächtle University of Luebeck, Nils Loose University of Luebeck, Jan-Niclas Serr University of Luebeck, Jonas Sander University of Luebeck, Thomas Eisenbarth University of Lübeck | ||
14:15 15mResearch paper | Mimicry-Based Testing of Runtime SQLi Prevention Approaches SBFT Anjana Perera Oracle Labs, Australia, François Gauthier Oracle Labs, Kostyantyn Vorobyov Oracle Labs, Matthew Harris Oracle Labs, Paddy Krishnan Oracle Labs, Australia | ||
14:30 60mTutorial | Tutorial by Miguel Romero-Arjona and Aitor Arrieta SBFT Miguel Romero-Arjona SCORE Lab, I3US Institute, Universidad de Sevilla, Seville, Spain, Aitor Arrieta Mondragon University | ||