Design and implementation of a SQL injection vulnerability detection tool on RESTful API

doi:10.7523/j.issn.1002-1175.2013.03.021

Abstract

Abstract:

RESTful APIs have new features in styles of parameter and calling, and typical web flaw scanners perform poorly on these APIs. We designed and implemented the first SQL injection flaw detection tool called RASIVD targeting RESTful APIs. The experiment results show that, compared to traditional tools, RASIVD detects more API SQL injection flaws and has no false positive, which indicates the efficiency of RASIVD.

Key words: RESTful API, SQL injection, vulnerability detection, Oauth

CLC Number:

TP393

LUO Qi-Han, ZHANG Yu-Qing, LIU Qi-Xu. Design and implementation of a SQL injection vulnerability detection tool on RESTful API[J]. , 2013, 30(3): 417-424.

References

[1] Wikipedia. Amazon Web services[EB/OL].[2011-12-30]. http://en.wikipedia.org/wiki/Amazon_Web_Services.

[2] Mitra N, Ericsson, Lafon Y, W3C. SOAP protocol[S/OL]. (2007-04-27)[2012-03-03]. http://www.w3.org/TR/soap/.

[3] Wikipedia. Representational state transfer[EB/OL].(2011-12-30)[2012-03-03]. http://en.wikipedia.org/wiki/Representational_state _transfer.

[4] Vieira M, Antunes N, Madeira H. Using Web security scanners to detect vulnerabilities in web services[C]//The 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. Piscataway: IEEE Computer Society, 2010: 566-571.

[5] Antunes N, Vieira M. Detecting SQL injection vulnerabilities in Web services[C]//The 4th Latin-American Symposium on Dependable Computing. Piscataway: IEEE Computer Society, 2009: 17-24.

[6] Antunes N, Laranjeiro, Vieira M, et al. Effective detection of SQL/XPath injection vulnerabilities in Web services[C]//2009 IEEE International Conference on Services Computing. Piscataway: IEEE Computer Society, 2009: 260-267.

[7] OWASP. WSFuzzer[CP/OL].(2010-09-13)[2012-03-03]. https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_ Project.

[8] MeiJunjin. An approach for SQL injection vulnerability detection[C]//The Sixth International Conference on Information Technology: New Generations. Piscataway: IEEE Computer Society, 2009: 1411-1414.

[9] Martin M, Lam M S. Automatic generation of XSS and SQL injection attacks with goal-directed model checking[C]//The 17th USENIX Security Symposium. California: USENIX Association Berkeley, 2008: 31-43.

[10] Fu X,Lu X,Peltsverger B,et al.A static analysis framework for detecting SQL injection vulnerabilities[C]//The 31st Annual International Computer Software and Applications Conference.Piscataway:IEEE Computer Society,2007:87-94.

[11] Kosuga Y, Kono K, Hanaoka M, et al. Sania: Syntactic and semantic analysis for automated testing against SQL injection[C]//The 23rd Annual Computer Security Applications Conference. Los Alamitos: IEEE Computer Society, 2007: 107-116.

[12] Fielding R T. Architectural styles and the design of network-based software architectures[D]. Irvine: University of California, Irvine, 2000.

[13] Atwood M, Balfanz D, Bounds D, et al. OAuth core 1.0 revision A[S/OL].(2009-06-24)[2012-01-03]. http://oauth.net/core/1.0a/.

[14] Hammer-Lahav E. RFC 5849, The OAuth 1.0 protocol[S/OL].(2010-04-30)[2012-01-03]. http://tools.ietf.org/html/rfc5849.

[15] Hammer-Lahav E. The OAuth 2.0 protocol[S/OL].(2011-09-22)[2012-01-03]. http://tools.ietf.org/html/draft-ietf-oauth-v2-22.

[16] Acunetix. Acunetix Web vulnerability scanner[CP/OL].(2011-12-27)[2012-01-03]. http://www.acunetix.com/vulnerability-scanner/.

[17] IBM. IBM rational AppScan[CP/OL].(2011-12-27)[2012-01-03]. http://www-01.ibm.com/software/awdtools/appscan/.

[18] Chinotec Technologies Company. Paros[CP/OL].(2006-08-08)[2012-01-03]. http://www.parosproxy.org/.