Machine Learning is Paving The Way In Finding SQLi Vulnerabilities

Researchers at the University of Oslo are working on a new vulnerability search method that allows SQL injection in web applications that use machine learning technologies. More specifically, the method is to use reinforcement learning to automate the exploitation of known SQL injection (SQLi) vulnerabilities.

Reinforcement learning is a form of machine learning that exposes an artificial intelligence (AI) model to the possible actions and rewards of an environment and is tasked with finding the best uses for those actions to maximize rewards.

Although the researchers' proposed method for finding SQLi vulnerabilities using reinforcement learning is not ideal and has some disadvantages, it paves the way for the development of machine learning models for penetration testing and security assessment.

To demonstrate their method in action, the researchers ran something akin to the Capture the Flag game. The agent trained with reinforcement had to obtain information from the attacked site by exploiting a SQLi vulnerability. The agent's possible actions were the requests sent to the system, and the reward was the flag token that he should have received.

At first, the researchers sent out many random requests and analyzed the rewards. Gradually, they created a model that allowed them to successfully carry out the attack, sending an average of 4-5 requests.

Existing automated SQL injection tools rely on static, predefined rules, which makes their use very limited. The advantage of reinforcement learning is that the attack logic is not predefined and static. The agent has only a set of actions, and he learns the optimal strategy by examples. At first, the agent must learn the simplest things, but as he learns, he can learn the non-trivial or hidden characteristics of the exploitation of SQL injection or take into account additional characteristics for exploitation, such as manipulating the content of the site.

Although the research presented by the University of Oslo is truly impressive, it is still in its early stages, and in order for the reinforcement learning agent to solve the problem, the researchers had to simplify it. For example, the task assumed a static environment that remained unchanged when an attacker sent requests. The agent also knew the SQL vulnerability and the schema of the attacked database in advance, and all he had to do was find the correct query to exploit the vulnerability.

Previous Post Next Post