IMPROVING WEB APPLICATION TESTING

Abstract

Web and web application are part and parcel of current use of internet. Web applications are used in simple applications like photo album, discussion forum to on-line store, auctions and internet banking. Many corporate processes rely on a web application used in intranet or internet environment. Web sites are dynamic, static, and most of the time a combination of both. Web sites need protection in their database to assure security. Online data theft has recently become a very serious issue, and recent cases have been widely publicized over concerns for the confidentiality of personally identifiable information. Web applications vulnerabilities allow attackers to perform malicious actions that range from gaining unauthorized account access to obtaining sensitive data. As early as 2002, the CSI & FBI survey reported that more than 50% of online databases experience a security breach each year. As a matter of fact, Injection Flaws – and particularly SQL Injections (SQLI) – appear among the OWASP’s Top Ten most critical web applications vulnerabilities list [35]. The primary focus of our research was to secure the web applications and improve the way in which the web applications are tested. So that every loop hole in an application and the attacks that are injected on the web application can be detected. Therefore, to secure the web applications we have developed reliable black box vulnerability scanner for detecting SQLI vulnerabilities which is called as SQLIVS (SQL injection vulnerability scanner). The black box approach is based on simulation of SQLI attacks against web applications. It analyzes the value submitted by users through HTML forms, URL parameters whether clean or normal parameters and look for possible attack patterns. SQLIVS proposes a simple and effective method to accurately detect and prevent SQLIV by using SQL query parameters. To further improve the web application testing process I have introduced a new paradigm called as QUIT paradigm that focuses on the key features of regression testing both in software and web applications. This paradigm also tells about the dissimilarities that exist between the regression testing criteria for software and web application. The proposed technique for SQLIVS showed promising results as compared to other techniques. Two new essential features have been added in this technique, one of which handles the phenomenon of login form disappearance and the other feature provides an expandable payload which gives the opportunity to the user to add new attack patterns to SQLIVS database. This way SQLIVS can be easily extended to support different and new SQLI attacks.