Modular Blackbox SQL Injection Vulnerability Web Scanning

dc.contributor.author: Degerman, Miriam
dc.contributor.author: Dubrefjord, Dennis
dc.contributor.department: Chalmers tekniska högskola / Institutionen för data och informationsteknik
dc.contributor.examiner: Sabelfeld, Andrei
dc.contributor.supervisor: Eriksson, Benjamin
dc.date.accessioned: 2021-06-29T13:32:00Z
dc.date.available: 2021-06-29T13:32:00Z
dc.date.issued: 2021
dc.date.submitted: 2020
dc.description.abstract: The use of web applications has increased heavily over the last couple of decades. In line with this, an increasing amount of sensitive data is stored on web servers. Furthermore, SQL injections are one of the most common web application security risks. They can have devastating consequences, as they can cause confidential data to be read, modified and deleted. They could even allow an attacker to gain administrative privileges on the server database and compromise individual machines or entire networks. A popular approach to finding web vulnerabilities is using autonomous web vulnerability scanners. In order for a scanner to be successful, it needs to be good at both crawling the web and detecting vulnerabilities when presented with possible attack vectors. For the most part, these two components are integrated to some degree. Our hypothesis is that web vulnerability scanners would benefit from using a modular approach instead. By allowing for easy exchange of the crawler and detection module used in a scanner, the scanner could be optimised for specific tasks, whether that be finding SQL injections or other vulnerabilities. It could also be adapted to various types of web applications, as different crawlers specialise in different areas. To test the hypothesis, we have developed a modular design that can be used to combine crawlers and detection modules. We have also implemented a scanner using the modular design as a proof of concept. The results show that the modular approach benefits from the advantages of both the crawler and the detection module used, and it outperforms state-of-the-art web vulnerability scanners in both code coverage and vulnerabilities found. Moreover, the modular scanner was the only scanner that was able to find three previously unknown vulnerabilities in the web application WSPortal.
dc.identifier.coursecode: MPCSN
dc.identifier.uri: https://hdl.handle.net/20.500.12380/302825
dc.language.iso: eng
dc.setspec.uppsok: Technology
dc.subject: Computer science
dc.subject: engineering
dc.subject: master thesis
dc.subject: SQL injection
dc.subject: web scanning
dc.subject: web vulnerabilities
dc.subject: modular
dc.subject: modularity
dc.title: Modular Blackbox SQL Injection Vulnerability Web Scanning
dc.type.degree: Master's thesis
dc.type.uppsok: H

Download

Original bundle (1 file)
Name: CSE 21-86 Degerman Dubrefjord.pdf
Size: 1.48 MB
Format: Adobe Portable Document Format

License bundle (1 file)
Name: license.txt
Size: 1.51 KB
Format: Item-specific license agreed upon to submission