Search Icon
Register

SynthDB: Synthesizing Database via Program Analysis for Security Testing of Web Applications

An Chen (University of Georgia), Jiho Lee (University of Virginia), Basanta Chaulagain (University of Georgia), Yonghwi Kwon (University of Virginia), Kyu Hyung Lee (University of Georgia)

Testing database-backed web applications is challenging because their behaviors (e.g., control flow) are highly dependent on data returned from SQL queries. Without a database containing sufficient and realistic data, it is challenging to reach potentially vulnerable code snippets, limiting various existing dynamic-based security testing approaches. However, obtaining such a database for testing is difficult in practice as it often contains sensitive information. Sharing it can lead to data leaks and privacy issues.

In this paper, we present SYNTHDB, a program analysis-based database generation technique for database-backed PHP applications. SYNTHDB leverages a concolic execution engine to identify interactions between PHP codebase and the SQL queries. It then collects and solves various constraints to reconstruct a database that can enable exploring uncovered program paths without violating database integrity. Our evaluation results show that the database generated by SYNTHDB outperforms state-of-the-arts database generation techniques in terms of code and query coverage in 17 real-world PHP applications. Specifically, SYNTHDB generated databases achieve 62.9% code and 77.1% query coverages, which are 14.0% and 24.2% more in code and query coverages than the state-of-the-art techniques. Furthermore, our security analysis results show that SYNTHDB effectively aids existing security testing tools: Burp Suite, Wfuzz, and webFuzz. Burp Suite aided by SYNTHDB detects 76.8% of vulnerabilities while other existing techniques cover 55.7% or fewer. Impressively, with SYNTHDB, Burp Suite discovers 33 previously unknown vulnerabilities from 5 real-world applications.

Paper
Slides
Video

View More Papers

ProbFlow : Using Probabilistic Programming in Anonymous Communication Networks

Hussein Darir (University of Illinois Urbana-Champaign), Geir Dullerud (University of Illinois Urbana-Champaign), Nikita Borisov (University of Illinois Urbana-Champaign)

Read More

Sometimes, You Aren’t What You Do: Mimicry Attacks against...

Akul Goyal (University of Illinois at Urbana-Champaign), Xueyuan Han (Wake Forest University), Gang Wang (University of Illinois at Urbana-Champaign), Adam Bates (University of Illinois at Urbana-Champaign)

Read More

Death By A Thousand COTS: Disrupting Satellite Communications using...

Frederick Rawlins, Richard Baker and Ivan Martinovic (University of Oxford) Presenter: Frederick Rawlins

Read More

Attacks as Defenses: Designing Robust Audio CAPTCHAs Using Attacks...

Hadi Abdullah (Visa Research), Aditya Karlekar (University of Florida), Saurabh Prasad (University of Florida), Muhammad Sajidur Rahman (University of Florida), Logan Blue (University of Florida), Luke A. Bauer (University of Florida), Vincent Bindschaedler (University of Florida), Patrick Traynor (University of Florida)

Read More