An Inferential Metamorphic Testing Approach to Reduce False Positives in SQLIV Penetration Test

SQL Injection Vulnerability (SQLIV) has been the top-ranked threat to the Web security consistently for many years. Penetration tests, which are a most widely adopted technique to detect SQLIV, are usually affected by testing inaccuracy. This problem is even worse in inference-based, blind penetration tests for online Web sites, where Web page variations (such as those caused by inbuilt dynamic modules or user interactions) may lead to a large number of False Positives (FP). We present a novel approach called Inferential Metamorphic Testing (IMT) to reduce FP in SQLIV penetration tests. First, we define the notion of Inferential Metamorphic Relations (IMR), which is inherited from Mutational Metamorphic Testing (MMT). Second, we present a set of logic operators and mutation operators for generating IMR and deducting the background testing context. Finally, we present an iterative IMT process, which is based on the heuristic IMR generation and the background testing context deduction. Our empirical study demonstrates the effectiveness of our approach by a comparison to three famous SQLIV penetration test tools.