Title: Fault-based testing for discovering SQL injection vulnerabilities in web applications

Authors: Izzat Alsmadi; Ahmed AlEroud; Ahmad A. Saifan

Addresses: Texas A&M, San Antonio, San Antonio, Texas, 78224, USA ' Department of Computer Information Systems, Yarmouk University, Irbid, Jordan ' Department of Computer Information Systems, Yarmouk University, Irbid, Jordan

Abstract: In this paper we proposed a model to investigate the behaviour of websites when dealing with invalid inputs. Many vulnerabilities rise from invalid inputs. An invalid input is considered as a form of a successful attack if it is processed by the website code or back-end database. Based on this assumption, we proposed a list of indicators that tested and processed invalid inputs. A tool is developed to implement this model. We tested the model through evaluating several websites selected randomly. Our tool has no special credentials or access to any of the tested websites. We found many SQL injection vulnerabilities based on our proposed model. Upon the manual investigation of the web pages that showed such vulnerabilities, we found few instances of false positives. We believe that this can provide a systematic and automated approach to test websites for vulnerabilities related to improper input validation.

Keywords: SQL-injection attacks; security; web applications; software testing.

DOI: 10.1504/IJICS.2021.117394

International Journal of Information and Computer Security, 2021 Vol.16 No.1/2, pp.51 - 62

Received: 23 Feb 2018
Accepted: 17 Sep 2018

Published online: 27 Aug 2021 *

Full-text access for editors Access for subscribers Purchase this article Comment on this article