CMM: A Combination-Based Mutation Method for SQL Injection

With the rapid development of Web applications, SQL injection (SQLi) has been a serious security threat for years. Many systems use superimposed rules to prevent SQLi like backlists filtering rules and filter functions. However, these methods can not completely eliminate SQLi vulnerabilities. Many researchers and security experts hope to find a way to find SQLi vulnerabilities efficiently. Among them, mutation-based fuzzing plays an important role in Web security testing, especially for SQLi. Although this approach expands the space for test cases and improves vulnerability coverage to some extent, there are still some problems such as mutation operators cannot be fully covered, test cases space explosions, etc. In this paper, we present a new technique Combinatorial Mutation Method (CMM) to generate test set for SQLi. The test set applies t-way and variable strength Combinatorial Testing. It makes the mutation progress more aggressive and automated and generates test cases with better F-measure Metric and Efficiency Metric. We apply our approach to three open source benchmarks and compare it with sqlmap, FuzzDB and ART4SQLi. The experiment results demonstrate that the approach is effective in finding SQLi vulnerabilities with multiple filtering rules.