
To measure the effectiveness of the Sania-attributes, we also evaluated Sania without them on the same applications as in the previous section. Table 4.10 shows the results for Sania without any attribute. Compared with the results for Sania with all attributes in Table 4.7, the number of trials is larger, many more false positives occurred, and fewer vulnerabilities were found. In this section, we present the details of the causes.

4.4.3.1 Accuracy of Attacks

Table 4.11 shows the number of vulnerabilities that Sania found without any attribute. The table reveals that the same number of singular attacks were successful, but two fewer combination attacks were successful and one fewer vulnerable slot was found than in the Sania results in Table 4.8. We confirmed that the undiscovered target slot was truly vulnerable and determined that it was a false negative. This result indicates that the Sania-attributes, which are intended to reduce false positives, can also reduce false negatives.

The undiscovered slot was a set of two parameters in the user registration page of Bookstore. The page requires the client to enter the same value for the two parameters, member_password and member_password2, in a request. When the application receives a user request, the values of the two parameters are validated. If they are equal, the application registers a new user; if not, the application returns an error page without issuing any SQL query. In the evaluation of Sania with all attributes, we attached equivalent-attributes to the two parameters, so Sania inserted the same attack code into both of them, the application issued an SQL query, and the vulnerability was detected. Sania without any attribute, however, had no means of knowing which parameters had to share the same value, so it sent a different value in each parameter and could not make the application issue any SQL query.

CHAPTER 4. DETECTION OF SQL INJECTION VULNERABILITIES

Table 4.12: Details of false positives for Sania w/o any one attribute

Subject        w/o skip-attribute   w/o length-attribute   w/o equivalent-attribute   w/o structure-attribute
E-learning     0                    0                      0                          4 (1)
Bookstore      216 (40)             0                      36 (4)                     0
Portal         306 (45)             190 (21)               0                          0
Event          163 (27)             14 (2)                 0                          0
Classifieds    122 (20)             0                      0                          0
EmplDir        54 (9)               0                      0                          0
total          861 (141)            204 (23)               36 (4)                     4 (1)

4.4.3.2 False Positives

We also evaluated Sania without one attribute at a time to measure the effectiveness of each Sania-attribute. Table 4.12 shows the false positives that occurred in this evaluation. Compared with the false positives of Sania with all attributes in Table 4.9, many more false positives occurred. Note that the total number of false positives in Table 4.12 is not identical to that of Sania without any attribute (shown in Table 4.10), because some false positives were reported multiple times in this evaluation.

Skip-attribute

Table 4.12 reveals that Sania without skip-attributes generated many false positives. They are caused by receiving unintended SQL queries when the values of stateful parameters are used for attacking. In the evaluation of Sania with all attributes, we manually attached skip-attributes to stateful parameters so that Sania did not attempt to insert attack codes into those parameters.

Length-attribute

The lengths of some columns in the databases used in the Portal and Event applications are small. Sania without length-attributes does not know the acceptable length of an attack code, so an attempt to insert an overly long attack code always fails and results in a false positive when the unintended SQL query is detected. Sania with length-attributes, on the other hand, verifies the length of an attack code before sending the attack.

Equivalent-attribute

Sania without equivalent-attributes generated false positives because of data mismatches among several parameters that must have the same value. If a mismatch is detected and the web application returns an error page that issues an unintended SQL query, a false positive occurs. Sania without equivalent-attributes does not know which parameters should share the same value, so it inserts a different value into each parameter. Sania with equivalent-attributes, on the other hand, inserts the same value into all parameters specified by an equivalent-attribute.
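The three attributes just described shape which attack requests are sent at all. As an added example, not Sania's own code, the following Python sketch generates attack requests from a constructed registration request once with skip-, length- and equivalent-attributes and once without them, and sends each request to a constructed stand-in for the Bookstore registration page that reports which SQL query, if any, it would issue. The parameters member_password and member_password2 are the ones named in the text; session_token, member_name, the column length, the attack codes and the stand-in's behaviour are assumptions for illustration.

```python
"""Attack-request generation guided by skip-, length- and equivalent-attributes.

Added example, not Sania's own code. A constructed registration request is
attacked once with the three attributes and once without them, and each
attack is sent to a constructed stand-in for the Bookstore registration
page that reports which SQL query (if any) it would issue.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Attributes:
    skip: Set[str] = field(default_factory=set)               # stateful params, never attacked
    length: Dict[str, int] = field(default_factory=dict)      # column length per parameter
    equivalent: List[Set[str]] = field(default_factory=list)  # groups that must share a value


# Constructed attack codes (assumption); a real tool draws from a longer list.
ATTACK_CODES = ["' OR 'a'='a", "' UNION SELECT 1--"]

# Constructed baseline request (assumption): session_token is a stateful
# parameter, member_password/member_password2 must match, member_name is
# stored in a short column.
BASE_REQUEST = {
    "session_token": "a1b2c3",
    "member_name": "alice",
    "member_password": "s3cret",
    "member_password2": "s3cret",
}
WITH_ATTRS = Attributes(
    skip={"session_token"},
    length={"member_name": 12},
    equivalent=[{"member_password", "member_password2"}],
)


def equivalent_group(name: str, attrs: Attributes) -> Set[str]:
    """All parameters that must carry the same value as `name` (at least itself)."""
    for group in attrs.equivalent:
        if name in group:
            return group
    return {name}


def generate_attacks(base: Dict[str, str], attrs: Attributes) -> List[Dict[str, str]]:
    """One attack request per (target slot, attack code), honouring the attributes."""
    requests, attacked = [], []
    for name in base:
        if name in attrs.skip:                  # skip-attribute
            continue
        group = equivalent_group(name, attrs)   # equivalent-attribute
        if group in attacked:
            continue
        attacked.append(group)
        for code in ATTACK_CODES:
            limit = min(attrs.length.get(p, len(code)) for p in group)  # length-attribute
            if len(code) > limit:
                continue                        # the column could not hold it anyway
            req = dict(base)
            for p in group:
                req[p] = code                   # same value for every member of the group
            requests.append(req)
    return requests


def bookstore_register(req: Dict[str, str]) -> Optional[str]:
    """Constructed stand-in for the registration page: returns the SQL it issues."""
    if req["session_token"] != BASE_REQUEST["session_token"]:
        return "SELECT * FROM log WHERE msg = 'bad session'"     # unintended query
    if len(req["member_name"]) > 12:
        return "SELECT * FROM log WHERE msg = 'name too long'"   # unintended query
    if req["member_password"] != req["member_password2"]:
        return None                                              # error page, no query
    return "INSERT INTO members VALUES ('%s', '%s')" % (
        req["member_name"], req["member_password"])              # the query under test


def evaluate(attrs: Attributes) -> Dict[str, int]:
    """Classify the outcome of every generated attack request."""
    counts = {"attacks": 0, "intended": 0, "unintended": 0, "no_query": 0}
    for req in generate_attacks(BASE_REQUEST, attrs):
        counts["attacks"] += 1
        sql = bookstore_register(req)
        if sql is None:
            counts["no_query"] += 1       # slot never reaches SQL: a false negative waits here
        elif sql.startswith("INSERT INTO members"):
            counts["intended"] += 1       # the attack code reached the query under test
        else:
            counts["unintended"] += 1     # error-path query: a naive comparison flags it
    return counts


if __name__ == "__main__":
    print("with attributes:   ", evaluate(WITH_ATTRS))
    print("without attributes:", evaluate(Attributes()))
```

Run with all attributes, the three generated requests all reach the INSERT under test. Run without them, the two requests aimed at session_token and the over-long member_name value trigger the error-path query (the kind of unintended query behind the false positives in Table 4.12), and the four single-parameter password attacks never produce a query at all, which is the false-negative path described in Section 4.4.3.1.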

Structure-attribute

The four false positives in E-learning were caused by dynamic queries. A web page in the subject allows the user to enter either an arithmetic expression or a number in a single field. Since the parse tree of an arithmetic expression in an SQL query differs from that of a number, Sania regards the difference as a successful attack. Sania without structure-attributes did not know which target slot is allowed to hold a subtree, so it raised an alert every time the structure of an SQL query changed. Sania with structure-attributes, on the other hand, can correctly judge dynamic queries. In the evaluation of Sania with all attributes, we attached an arithmeticExpression attribute to the target slot, and as a result Sania avoided these false positives.
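As an added example, not Sania's own parser or comparator, the following Python code shows the judgement a structure-attribute makes: a minimal parser builds a value-free tree for a WHERE condition, and the comparison accepts an arithmetic subtree at the target slot only when the arithmeticExpression attribute is set, while still flagging a payload that changes the tree above the slot (an injected OR). The '?' slot marker, the grammar subset and the rule that an attack query which no longer parses counts as a structural change are assumptions for illustration.

```python
"""Parse-tree comparison with and without a structure-attribute.

Added example, not Sania's own parser or comparator. A small recursive-descent
parser turns a WHERE condition (numbers, string literals, identifiers, + - * /,
=, AND, OR, parentheses) into a tree whose leaves carry no values, and
structure_changed() compares the baseline tree with the attack tree. The '?'
slot marker and the `arithmetic` flag (standing in for the arithmeticExpression
attribute) are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

Tree = tuple  # ('kind', child, ...); leaves are ('num',), ('str',), ('id',), ('slot',)
TOKEN_RE = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|('[^']*')|([A-Za-z_]\w*)|(\?)|([()+\-*/=]))")
ARITH = {"num", "add", "sub", "mul", "div"}  # node kinds an arithmetic expression may use


def tokenize(text: str) -> List[Tuple[str, str]]:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("bad token at %d: %r" % (pos, text[pos:]))
        pos = m.end()
        num, lit, ident, slot, op = m.groups()
        if num:
            tokens.append(("num", num))
        elif lit:
            tokens.append(("str", lit))
        elif ident:
            tokens.append(("kw" if ident.upper() in ("AND", "OR") else "id", ident.upper()))
        elif slot:
            tokens.append(("slot", "?"))
        else:
            tokens.append(("op", op))
    return tokens


class Parser:
    """or -> and (OR and)* ; and -> cmp (AND cmp)* ; cmp -> sum (= sum)* ;
    sum -> term ((+|-) term)* ; term -> atom ((*|/) atom)* ; atom -> leaf | ( or )"""
    def __init__(self, text: str):
        self.toks, self.i = tokenize(text), 0

    def peek(self) -> Tuple[str, str]:
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", "")

    def parse(self) -> Tree:
        tree = self.or_expr()
        if self.peek()[0] != "eof":
            raise ValueError("trailing tokens: %r" % self.toks[self.i:])
        return tree

    def binary(self, sub, ops: Dict[str, str]) -> Tree:
        node = sub()  # left-associative level; ops maps operator text to node kind
        while self.peek()[1] in ops:
            op = self.peek()[1]
            self.i += 1
            node = (ops[op], node, sub())
        return node

    def or_expr(self) -> Tree: return self.binary(self.and_expr, {"OR": "or"})
    def and_expr(self) -> Tree: return self.binary(self.cmp, {"AND": "and"})
    def cmp(self) -> Tree: return self.binary(self.sum, {"=": "eq"})
    def sum(self) -> Tree: return self.binary(self.term, {"+": "add", "-": "sub"})
    def term(self) -> Tree: return self.binary(self.atom, {"*": "mul", "/": "div"})

    def atom(self) -> Tree:
        kind, text = self.peek()
        self.i += 1
        if kind in ("num", "str", "id", "slot"):
            return (kind,)  # the value is dropped: only the shape is compared
        if kind == "op" and text == "(":
            node = self.or_expr()
            if self.peek() != ("op", ")"):
                raise ValueError("expected ')'")
            self.i += 1
            return node
        raise ValueError("unexpected token %r" % text)


def is_arithmetic(tree: Tree) -> bool:
    return tree[0] in ARITH and all(is_arithmetic(c) for c in tree[1:])


def structure_changed(base: Tree, attack: Tree, arithmetic: bool = False) -> bool:
    """True when the attack tree differs from the baseline tree. At the slot a
    single literal is always accepted; with arithmetic=True a subtree built only
    from numbers and + - * / is accepted too. Elsewhere kind and arity must match."""
    if base[0] == "slot":
        if attack[0] in ("num", "str"):
            return False
        return not (arithmetic and is_arithmetic(attack))
    if base[0] != attack[0] or len(base) != len(attack):
        return True
    return any(structure_changed(b, a, arithmetic) for b, a in zip(base[1:], attack[1:]))


def check(template: str, payload: str, arithmetic: bool = False) -> bool:
    """Does inserting `payload` at the '?' slot of `template` change the structure?
    An attack query that no longer parses at all is reported as changed (assumption)."""
    base = Parser(template).parse()
    try:
        attack = Parser(template.replace("?", payload, 1)).parse()
    except ValueError:
        return True
    return structure_changed(base, attack, arithmetic)
```

check('quantity = ?', '1 + 2') returns True, which is the E-learning false positive; with arithmetic=True it returns False. check('quantity = ?', '1 OR 1 = 1', True) stays True because the OR node sits above the slot, and '1 + price' is rejected even with the attribute because a column reference is not part of a literal arithmetic expression.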