Fault-based testing for discovering SQL injection vulnerabilities in web applications

Izzat Alsmadi, Ahmed AlEroud, Ahmad A. Saifan

Research output: Contribution to journalArticlepeer-review

Abstract

In this paper we proposed a model to investigate the behaviour of websites when dealing with invalid inputs. Many vulnerabilities rise from invalid inputs. An invalid input is considered as a form of a successful attack if it is processed by the website code or back-end database. Based on this assumption, we proposed a list of indicators that tested and processed invalid inputs. A tool is developed to implement this model. We tested the model through evaluating several websites selected randomly. Our tool has no special credentials or access to any of the tested websites. We found many SQL injection vulnerabilities based on our proposed model. Upon the manual investigation of the web pages that showed such vulnerabilities, we found few instances of false positives. We believe that this can provide a systematic and automated approach to test websites for vulnerabilities related to improper input validation.

Original languageEnglish (US)
Pages (from-to)51-62
Number of pages12
JournalInternational Journal of Information and Computer Security
Volume16
Issue number1-2
DOIs
StatePublished - 2021
Externally publishedYes

Keywords

  • Security
  • Software testing
  • SQL-injection attacks
  • Web applications

ASJC Scopus subject areas

  • Software
  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Fault-based testing for discovering SQL injection vulnerabilities in web applications'. Together they form a unique fingerprint.

Cite this