Fault-based testing for discovering SQL injection vulnerabilities in web applications
by Izzat Alsmadi; Ahmed AlEroud; Ahmad A. Saifan
International Journal of Information and Computer Security (IJICS), Vol. 16, No. 1/2, 2021

Abstract: In this paper we propose a model for investigating the behaviour of websites when they handle invalid inputs. Many vulnerabilities arise from invalid inputs. An invalid input is treated as a successful attack if it is processed by the website code or the back-end database. Based on this assumption, we propose a list of indicators that reveal whether invalid inputs were accepted and processed. A tool was developed to implement this model. We tested the model by evaluating several randomly selected websites; our tool had no special credentials or access to any of the tested websites. We found many SQL injection vulnerabilities based on our proposed model. Upon manual investigation of the web pages that showed such vulnerabilities, we found few instances of false positives. We believe that this approach can provide a systematic and automated way to test websites for vulnerabilities related to improper input validation.

Online publication date: Mon, 06-Sep-2021
