Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services



This paper proposes a new automatic approach for the detection of SQL Injection and XPath Injection vulnerabilities, two of the most common and most critical types of vulnerabilities in Web services. Although there are tools that allow testing Web applications against security vulnerabilities, previous research shows that the effectiveness of those tools in Web services environments is very poor. In our approach a representative workload is used to exercise the Web service and a large set of SQL/XPath injection attacks are applied to disclose vulnerabilities. Vulnerabilities are detected by comparing the structure of the SQL/XPath commands issued in the presence of attacks to the ones previously learned when running the workload in the absence of attacks. Experimental evaluation shows that our approach performs much better than known tools (including commercial ones), achieving extremely high detection coverage while maintaining the false positives rate very low.

Download from IEEE Xplore


Security, Vulnerabilities, SQL Injection, Penetration Testing, Static Code Analysis, Web Services, Runtime Anomaly Detection


Web Services Security


IEEE International Conference on Services Computing (SCC 2009), September 2009

Cited by

Year 2015 : 6 citations

 D. Appelt, C. D. Nguyen, and L. Briand, “Behind an Application Firewall, Are We Safe from SQL Injection Attacks?,” in 2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST), 2015, pp. 1–10.

 M. H. A. N. and C. Miao, “Structured Query Language Injection Penetration Test Case Generation Based on Formal Description,” Journal of Donghua University(English Edition), vol. 32, no. 3, pp. 446–452, 2015.

 P. Mehta, J. Sharda, and M. L. Das, “SQLshield: Preventing SQL Injection Attacks by Modifying User Input Data,” in Information Systems Security, S. Jajodia and C. Mazumdar, Eds. Springer International Publishing, 2015, pp. 192–206

 P. Shirani, M. A. Azgomi, and S. Alrabaee, “A method for intrusion detection in web services based on time series,” in 2015 IEEE 28th Canadian Conference on Electrical and Computer Engineering (CCECE), 2015, pp. 836–841.

 T. Aghariya, “Security Testing on Web Application,” MSc Thesis, Charles Darwin University, Darwin, 2015 [Online]. Available: [Accessed: 22-Aug-2015]

 A. Mahadkar and N. Singh, “A review on approaches for web application vulnerabilities detection,” International journal of Advance Engineering and Research Development (IJAERD), vol. 2, no. 1, pp. 293–295, 2015.

Year 2014 : 10 citations

 T. K. Saha and A. S. Ali, “Web Application Security Attacks and Countermeasures,” Case Studies in Secure Computing: Achievements and Trends, p. 343, 2014.

 V. Shanmuga Neethi, “Prevention of code injection vulnerabilities in web applications through web services,” Ph.D. Thesis, Anna University, Chennai, India, 2014.

 D. Appelt, C. D. Nguyen, L. C. Briand, and N. Alshahwan, “Automated testing for SQL injection vulnerabilities: An input mutation approach,” in Proceedings of the 2014 International Symposium on Software Testing and Analysis, 2014, pp. 259–269 [Online]. Available: [Accessed: 20-Jan-2016]

 P. D. Buck, Q. Shi, and B. Zhou, “Monitoring and Testing Web Services,” in The 15th Annual PostGraduate Symposium on The Convergence of Telecommunications, Networking and Broadcasting (PGNET 2014), Liverpool, UK, 2014 [Online]. Available: [Accessed: 09-Sep-2014]

 M. Mirjalili, A. Nowroozi, and M. Alidoosti, “A survey on web penetration test,” Advances in Computer Science: an International Journal (ACSIJ), vol. 3, no. 6, 2014.

 Zhuo Ying gun and Pan Renyi, “Design and implementation of website information disclosure assessment system,” Ph.D. Thesis, National Chung Cheng University, 2014.

 D. Appelt, N. Alshahwan, D. C. Nguyen, and L. Briand, “Black-box SQL Injection Testing,” University of Luxembourg, TR-SnT-2014-1, 2014 [Online]. Available: [Accessed: 18-Sep-2014]

 B. Mohamed Ibrahim and A. R. Mohamed Shanavas, “Severe SOA Security Threats on SOAP Web Services–A Critical Analysis,” IOSR Journal of Computer Engineering (IOSR-JCE), vol. 16, no. 2, pp. 135–141, 2014.

 R. J. Manoj, A. Chandrasekhar, and M. A. Praveena, “An Approach to Detect and Prevent Tautology Type SQL Injection in Web Service Based on XSchema validation,” International Journal Of Engineering And Computer Science, vol. 3, no. 1, pp. 3695–3699, Jan. 2014.

 E. Shafie, “Runtime Detection and Prevention for Structure Query Language Injection Attacks,” Ph.D. Thesis, De Montfort University, England, 2013 [Online]. Available: [Accessed: 18-Sep-2014]

Year 2013 : 11 citations

 P. Zech, M. Felderer, M. Farwick, and R. Breu, “A Concept for Language-Oriented Security Testing,” in 2013 IEEE 7th International Conference on Software Security and Reliability-Companion (SERE-C), 2013, pp. 53–62.

 J. Lakhani, “Blind XPath Injection Attack: A Case Study,” International Journal of System & Software Engineering, vol. 1, no. 1, pp. 30–34, Jun. 2013.

 Luo Qi-Han, Zhang Yu-Qing, and Liu Qi-Xu, “Design and implementation of a SQL injection vulnerability detection tool on RESTful API,” Journal of Graduate University of Chinese Academy of Sciences, vol. 30, no. 3, pp. 417–424, 2013.

 L. Stage, “Entwurf einer Methodik zum Testen der Sicherheit von Web-Service-basierten Systemen,” University of Stuttgart, 2013 [Online]. Available: [Accessed: 13-Jan-2014]

 A. Asmawi, L. S. Affendey, N. I. Udzir, and R. Mahmod, “XIPS: A Model-based Prevention Mechanism for Preventing Blind XPath Injection in Database-Centric Web Services Environment,” International Journal of Advancements in Computing Technology (IJACT), vol. 5, no. 10, 2013 [Online]. Available: [Accessed: 11-Jun-2014]

 L. Lei, X. Jing, L. Minglei, and Y. Jufeng, “A Dynamic SQL Injection Vulnerability Test Case Generation Model Based on the Multiple Phases Detection Approach,” in Computer Software and Applications Conference (COMPSAC), 2013 IEEE 37th Annual, 2013, pp. 256–261.

 A. N. Gupta and P. S. Thilagam, “Attacks on Web Services Need To Secure XML on Web,” Computer Science & Engineering: An International Journal, vol. 3, no. 5, 2013 [Online]. Available: [Accessed: 16-Dec-2013]

 N. Arora and S. Tanwani, “Emerging Web Services Trends and Challenges,” International Journal of Systems, Algorithms & Applications (IJSAA), vol. 3, no. ICRAET13, pp. 6–11, Mar. 2013.

 A. Ghourabi, T. Abbes, and A. Bouhoula, “Characterization of attacks collected from the deployment of Web service honeypot,” Security and Communication Networks, 2013 [Online]. Available: [Accessed: 04-Mar-2013]

 Z. Z. Zhang, Q. Y. Wen, and Z. Zhang, “An Improved Approach for SQL Injection Vulnerabilities Detection,” Applied Mechanics and Materials, vol. 263, pp. 3017–3020, 2013.

 W. Phocharoen and T. Senivongse, “A Security Attack Risk Assessment for Web Services Based on Data Schemas and Semantics,” in Proceedings of the 2012 International Conference on Information Technology and Software Engineering, W. Lu, G. Cai, W. Liu, and W. Xing, Eds. Springer Berlin Heidelberg, 2013, pp. 135–143

Year 2012 : 6 citations

 I. Lundgren, “Securing public APIs using OAuth and OAuthLib,” BSc Thesis, Department of Computer Science, Electrical and Space Engineering, Luleå University of Technology, 2012.

 A. Asmawi, L. S. Affendey, N. I. Udzir, and R. Mahmod, “Model-based system architecture for preventing XPath injection in database-centric web services environment,” in 7th International Conference on Computing and Convergence Technology (ICCCT 2012), Seoul, South Korea, 2012, pp. 621–625.

 Xu Jing, Tian Wei, Liu Lei, Zhang Ying, and Yang Jufeng, “Model-driven web Application SQL Injection penetration testing,” High Technology Letters, vol. 22, no. 11, pp. 1161–1168, 2012.

 K. Liu, H. B. K. Tan, and L. K. Shar, “Semi-Automated Verification of Defense against SQL Injection in Web Applications,” in 2012 19th Asia-Pacific Software Engineering Conference (APSEC), 2012, vol. 1, pp. 91 –96.

 T. Wei, Y. Ju-Feng, X. Jing, and S. Guan-Nan, “Attack Model Based Penetration Test for SQL Injection Vulnerability,” in 2012 IEEE 36th Annual Computer Software and Applications Conference Workshops (COMPSACW), Izmir, Turkey, 2012, pp. 589 –594.

 V. Shanmughaneethi, R. Y. Praveen, and S. Swamynathan, “CIVD: detection of command injection vulnerabilities in web services through aspect–oriented programming,” International Journal of Computer Applications in Technology, vol. 44, no. 4, pp. 312–320, Jan. 2012.

Year 2011 : 4 citations

 F. van der Loo, “Comparison of penetration testing tools for web applications,” MSc Thesis, University of Radboud, Netherlands, 2011.

 V. Shanmughaneethi, R. Ravichandran, and S. Swamynathan, “PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications,” International Journal on Web Service Computing, vol. 2, no. 3, pp. 192–201, Sep. 2011.

 A. R. Pais, D. J. Deepak, and B. R. Chandavarkar, “Protection against Denial of Service and Input Manipulation Vulnerabilities in Service Oriented Architecture,” in Advances in Network Security and Applications, vol. 196, D. C. Wyld, M. Wozniak, N. Chaki, N. Meghanathan, and D. Nagamalai, Eds. Springer Berlin Heidelberg, 2011, pp. 331–343.

 V. Shanmughaneethi, R. Y. Pravin, and S. Swamynathan, “XIVD: Runtime Detection of XPath Injection Vulnerabilities in XML Databases through Aspect Oriented Programming,” Advances in Computing and Information Technology, pp. 192–201, 2011.

Year 2010 : 5 citations

 A. S. Khader, “Preventing MS SQL Injection in Web Application,” MSc Thesis, University Utara Malaysia, 2010.

 P. R. Yadav, “Protection Against Denial of Service Attack in Service Oriented Architecture,” MSc Thesis – Master of Technology in Computer Science & Engineering – Information Security, Department of Computer Enginering, National Institute of Technology Karnataka (NITK), Surathkal, Mangalore, 2010.

 D. J. Deepak, “Protection Against Input Manipulation vulnerabilities in Service Oriented Architecture,” MSc Thesis – Master of Technology in Computer Science & Engineering – Information Security, Department of Computer Engineering - National Institute of Technology Karnataka, Mangalore, India, 2010.

 A. Anchlia and S. Jain, “A Novel Injection Aware Approach for the Testing of Database Applications,” in 2010 International Conference on Recent Trends in Information, Telecommunication and Computing, 2010, pp. 311–313.

 S. Madan and S. Madan, “Security Standards Perspective to Fortify Web Database Applications from Code Injection Attacks,” in 2010 International Conference on Intelligent Systems, Modelling and Simulation, 2010, pp. 226–230.