Abstract
In this paper we proposed a model to investigate the behaviour of websites when dealing with invalid inputs. Many vulnerabilities rise from invalid inputs. An invalid input is considered as a form of a successful attack if it is processed by the website code or back-end database. Based on this assumption, we proposed a list of indicators that tested and processed invalid inputs. A tool is developed to implement this model. We tested the model through evaluating several websites selected randomly. Our tool has no special credentials or access to any of the tested websites. We found many SQL injection vulnerabilities based on our proposed model. Upon the manual investigation of the web pages that showed such vulnerabilities, we found few instances of false positives. We believe that this can provide a systematic and automated approach to test websites for vulnerabilities related to improper input validation.
Original language | English (US) |
---|---|
Pages (from-to) | 51-62 |
Number of pages | 12 |
Journal | International Journal of Information and Computer Security |
Volume | 16 |
Issue number | 1-2 |
DOIs | |
State | Published - 2021 |
Externally published | Yes |
Keywords
- SQL-injection attacks
- Security
- Software testing
- Web applications
ASJC Scopus subject areas
- Software
- Safety, Risk, Reliability and Quality
- Hardware and Architecture
- Computer Networks and Communications