SOLUTIONS FOR AUTO-TESTING AND AUTO-WARNING WEBSITE ERRORS BASED ON THE RESULTS OF THE WEBSITE ERROR SCANNING TOOLS

Phạm Duy Lộc, Phan Thị Thanh Nga

Abstract


Nowadays, there are commercial and free tools that automatically test website security, which is considered a positive point for pen-testers. However, these tools might also produce false alerts. To minimize these false alerts, it is necessary to develop a tool that helps pen-testers verify alerts manually or automatically by cross-checking results collected from many pen-test tools. We name this tool PAT (Pen-Test Assistance Tool). PAT is able to save the experience from previous successful checks for future checks. PAT can also check vulnerabilities automatically based on the reports of pen-test tools and warn webmasters about website errors automatically via email. In the first version of PAT, we focus on SQL Injection vulnerabilities in ASP.NET websites.
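The cross-checking step the abstract describes can be illustrated with a small script. This is an added example, not code from the paper or from PAT itself: it assumes each scanner's report has already been reduced to a list of findings (URL, parameter name, vulnerability class), that the scanner names, URLs and findings are constructed sample data, and that findings previously verified by a pen-tester are kept as a simple set of keys (a stand-in for the "saved experience" the abstract mentions). Findings reported by at least two tools, or already in that set, are treated as confirmed; everything else is queued for manual verification, and the confirmed ones are assembled into a warning email (constructed, not sent).

```python
from collections import defaultdict
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed sample reports, as if exported from three different scanners.
# Note that the tools disagree on letter case and on how they name the
# vulnerability class, which is exactly what the normalisation below handles.
SCANNER_REPORTS = {
    "scanner_a": [
        {"url": "http://shop.example/Product.aspx?id=7", "param": "id", "vuln": "SQL Injection"},
        {"url": "http://shop.example/Search.aspx?q=x", "param": "q", "vuln": "Reflected XSS"},
    ],
    "scanner_b": [
        {"url": "http://SHOP.example/product.aspx?id=42", "param": "ID", "vuln": "sql injection"},
        {"url": "http://shop.example/Login.aspx", "param": "user", "vuln": "SQL Injection"},
    ],
    "scanner_c": [
        {"url": "http://shop.example/Product.aspx?id=1", "param": "id", "vuln": "SQLi"},
    ],
}

# Scanners label the same class differently; map the labels to one canonical name.
VULN_ALIASES = {"sqli": "sqli", "sql injection": "sqli", "reflected xss": "xss", "xss": "xss"}


def normalize(finding):
    """Key a finding by (host, path, parameter, vulnerability class).

    Host, path and parameter are lower-cased because IIS paths and ASP.NET
    query-string names are case-insensitive; the query string itself is
    dropped because the same injection point is reported with many values.
    """
    parts = urlsplit(finding["url"])
    label = finding["vuln"].strip().lower()
    vuln = VULN_ALIASES.get(label, label)
    return (parts.hostname.lower(), parts.path.lower(), finding["param"].lower(), vuln)


def cross_check(reports, known_true=frozenset(), min_agree=2):
    """Merge all scanner reports and classify each distinct finding.

    Returns {key: {"tools": [scanner names], "status": classification}}.
    """
    hits = defaultdict(set)
    for tool, findings in reports.items():
        for finding in findings:
            hits[normalize(finding)].add(tool)

    result = {}
    for key, tools in hits.items():
        if key in known_true:
            status = "confirmed (previously verified)"
        elif len(tools) >= min_agree:
            status = "confirmed (cross-checked)"
        else:
            status = "needs manual verification"
        result[key] = {"tools": sorted(tools), "status": status}
    return result


def build_alert(results, sender, recipient):
    """Construct (but do not send) the warning email for confirmed findings."""
    confirmed = {k: v for k, v in results.items() if v["status"].startswith("confirmed")}
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[PAT-style alert] {len(confirmed)} confirmed finding(s)"
    lines = []
    for (host, path, param, vuln), info in sorted(confirmed.items()):
        lines.append(
            f"{host}{path} param={param} class={vuln} "
            f"reported by {', '.join(info['tools'])} -> {info['status']}"
        )
    msg.set_content("\n".join(lines) or "No confirmed findings.")
    return msg


if __name__ == "__main__":
    # One finding a pen-tester verified earlier (constructed), so it is
    # confirmed even though only a single scanner reports it this time.
    previously_verified = frozenset({("shop.example", "/login.aspx", "user", "sqli")})
    results = cross_check(SCANNER_REPORTS, known_true=previously_verified)
    for key, info in sorted(results.items()):
        print(key, info)
    print(build_alert(results, "pat@example", "webmaster@example"))
```

Passing the confirmed email through a real SMTP client, and persisting the verified set between runs, are the two pieces a deployment would add; the classification logic itself does not change.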

Keywords


SQL injection attacks; PAT; Web vulnerability scanner.

DOI: http://dx.doi.org/10.37569/DalatUniversity.6.2.42(2016)


Copyright (c) 2016 Phạm Duy Lộc, Phan Thị Thanh Nga

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.