Dissertation/ Thesis
Automated GUI Security Testing : SQL Injection Detection
| Title: | Automated GUI Security Testing : SQL Injection Detection |
|---|---|
| Authors: | Nakka Chandrasekhar, Aryan, Lekkala, Sumanth Chowdary |
| Publisher Information: | Blekinge Tekniska Högskola, Institutionen för programvaruteknik, 2024. |
| Publication Year: | 2024 |
| Subject Terms: | Automated Testing, SQL Injection, Programvaruteknik, Testing, Automated GUI Testing, Software Engineering, Security Testing |
| Description: | The growing sophistication of SQL Injection (SQLi) attacks and the limitations of traditional security testing methods present a pressing need for innovative approaches, particularly in GUI-level security testing. Conventional tools often overlook vulnerabilities in user-facing elements such as input fields and login pages, focusing predominantly on backend systems. Automated GUI testing offers a solution by enabling the detection of these vulnerabilities directly at the user interface level. However, many existing tools require extensive technical knowledge or security testing expertise. Our approach leverages automated GUI testing, offering a more user-friendly and effective method for identifying SQLi vulnerabilities within graphical user interfaces (GUIs), specifically in login pages. This thesis introduces a proof-of-concept plugin developed for the Scout tool, which integrates the plugin into its augmented testing framework. Scout overlays a visual layer between the system under test (SUT) and the tester, facilitating intuitive interaction with the application. The primary goal of the plugin is to automate SQLi detection at the GUI level, combining security testing with Scout’s augmented testing paradigm, hence enabling non-security-trained testers. While augmented testing is established in GUI testing, its combination with security testing, particularly SQLi, has not been extensively studied. This research aims to fill that gap by evaluating the plugin's effectiveness in streamlining SQLi detection and improving the overall security testing process. The plugin was evaluated through a quasi-experiment, where its effectiveness in identifying SQLi vulnerabilities was measured across three open-source platforms: OWASP Juice Shop, bWAPP, and AltoroJ. A total of 906 test executions, spanning 302 SQLi test cases, were conducted. Results were analyzed using descriptive statistics, including bar graphs and box plots. The findings suggest that the plugin effectively detects SQLi vulnerabilities, particularly in login pages. The perception study further revealed that non-security-expert practitioners perceived the plugin to be useful and effective but recommended enhancements to further expand the plugin's capabilities. In conclusion, this study demonstrates the potential of combining augmented testing with automated GUI security testing to detect SQLi vulnerabilities. While the plugin shows promise in improving both test effectiveness and usability, a more formal study is required to fully validate its effectiveness in real-world environments. Future work should focus on expanding the plugin's functionality, incorporating more types of SQLi, and validating the approach in real-world environments. |
| Document Type: | Bachelor thesis |
| File Description: | application/pdf |
| Language: | English |
| Access URL: | http://urn.kb.se/resolve?urn=urn:nbn:se:bth-27034 |
| Accession Number: | edsair.od.......135..7ce9ca8c5d0ffa128e6bde17f1467193 |
| Database: | OpenAIRE |