Sensitive Path Oriented Malicious Data Generation for Web Applications

Linxin Wang, Weiwei Wang

International Conference on Data Science and Information Technology (2023)

Abstract
SQL injection always threatens the security of web applications. Static analysis and taint analysis are widely used to find vulnerable code paths, called sensitive paths, to detect SQL injection vulnerabilities. But false positives inevitably exist. To alleviate this problem, researchers try to generate test cases to cover sensitive paths. But this can only validate the feasibility of sensitive paths. This paper proposes a sensitive path-oriented malicious data generation approach to expose SQL injection vulnerabilities of sensitive paths in web applications. In more detail, taint analysis, a genetic algorithm, and machine learning are integrated to automatically generate malicious data that reveals SQL injection. Taint analysis is used to find sensitive paths in web applications. Based on the historical results of attacking sensitive paths with malicious data, a predictive model is constructed by machine learning to distinguish which malicious data is more likely to detect an SQL injection vulnerability. A genetic algorithm is employed with the predictive model to generate malicious data to detect SQL injection vulnerabilities. The experiments are conducted on five open source web applications, and the results demonstrate that our approach is more efficient in malicious data generation for SQL injection vulnerability detection.
Keywords
SQL injection, Machine learning, Genetic algorithm