
An algorithm for detecting SQL injection vulnerability using black-box testing

  • Original Research
Journal of Ambient Intelligence and Humanized Computing

Abstract

SQL Injection Attack (SQLIA) is one of the most severe attacks that can be used against database-driven web applications. Attackers use SQLIA to obtain unauthorized access and perform unauthorized data modifications, exploiting improper input validation by the web application developer. Various studies have shown that, on average, 64% of web applications worldwide are vulnerable to SQLIA due to improper input. To mitigate the devastating problem of SQLIA, this research proposes an automatic black-box testing approach for SQL Injection Vulnerability (SQLIV). This acts to automate an SQLIV assessment in SQLIA. In addition, recent studies have shown that there is a need for improving the effectiveness of existing SQLIVS in order to reduce the cost of manual inspection of vulnerabilities and the risk of being attacked due to inaccurate false negative and false positive results. This research focuses on improving the effectiveness of SQLIVS by proposing an object-oriented approach in its development in order to help minimize the incidence of false positive and false negative results, as well as to provide room for potential researchers to improve the proposed scanner. To test and validate the accuracy of the research work, three vulnerable web applications were developed. Each possesses a different type of vulnerability, and an experimental evaluation was used to validate the proposed scanner. In addition, an analytical evaluation is used to compare the proposed scanner with the existing academic scanners. The result of the experimental analysis shows significant improvement by achieving high accuracy compared to existing studies. Similarly, the analytical evaluations showed that the proposed scanner is capable of analyzing the attacked page response using four different techniques.



Author information

Corresponding author

Correspondence to Kashif Naseer Qureshi.

Ethics declarations

Conflict of interest

The authors whose names are in the paper certify that they have NO affiliations with or involvement in any organization or entity with any financial interest (such as participation in speakers’ bureaus; membership, employment, consultancies, stock ownership, or other equity interest; and expert testimony or patent-licensing arrangements), or non-financial interest (such as personal or professional relationships, affiliations, knowledge or beliefs) in the subject matter or materials discussed in this manuscript.

Cite this article

Aliero, M.S., Ghani, I., Qureshi, K.N. et al. An algorithm for detecting SQL injection vulnerability using black-box testing. J Ambient Intell Human Comput 11, 249–266 (2020). https://doi.org/10.1007/s12652-019-01235-z

  • DOI: https://doi.org/10.1007/s12652-019-01235-z
