Mimicry-Based Testing of Runtime SQLi Prevention Approaches (Presentation Slides)

Balasuriyage Anjana Visula Perera, Francois Gauthier, Kostyantyn Vorobyov, Padmanabhan Krishnan, Matthew Harris

26 April 2025

There are many techniques to prevent SQL injections at runtime. Runtime-based approaches, in general, provide finer-grained protection than web application firewalls (WAFs). Most of the runtime techniques identify malicious queries based on their structure. In essence, they disallow queries that are structurally different from what has been classified as benign. In this paper we present our technique, called MimiFuzz, to test such protection mechanisms. We focus on testing protections related to confidentiality and thus try to exfiltrate data stored in databases. MimiFuzz generates data exfiltration queries that mimic the queries that are permitted by the runtime SQLi protection mechanisms. Our experiments, using the benchbase benchmark suite, show that MimiFuzz enhances Sqlmap, which is the state-of-the-art SQLi test generator.


Venue: International Workshop on Search-Based and Fuzz Testing

File Name: MimiFuzz.pdf


