Detecting SQL Injection Vulnerabilities in Web Services



Web services are often deployed with critical software bugs that can be maliciously exploited. Web vulnerability scanners are regarded as an easy way to test Web applications against security vulnerabilities. However, previous research shows that the effectiveness of these tools in Web services environments is very poor. In fact, the high number of false positives and the low coverage observed in practice highlight the strong limitations of these tools. The goal of this paper is to demonstrate that it is possible to develop a vulnerability scanner for Web services that performs much better than the commercial ones currently available. Thus, we propose an approach to detect SQL injection vulnerabilities, one of the most common and most critical types of vulnerabilities in web environments. Experimental evaluation shows that our approach performs much better than well-known commercial tools, achieving very high detection coverage while keeping the false-positive rate quite low.



Security, Vulnerabilities, SQL Injection, Penetration Testing, Web Services


Web Services Security


Fourth Latin-American Symposium on Dependable Computing (LADC 2009), September 2009

Cited by

Year 2015 : 5 citations

 A. Masood and J. Java, “Static analysis for web service security-Tools & techniques for a secure development life cycle,” in 2015 IEEE International Symposium on Technologies for Homeland Security (HST), 2015, pp. 1–6.

 N. A. Allen, “Detecting penetration attempts using log-sensitive fuzzing,” United States Patent 9104877, 11-Aug-2015.

 A. Davies, “Securing Legacy Web Services,” BSc Thesis, Bournemouth University, Dorset, UK, 2015.

 T. Aghariya, “Security Testing on Web Application,” MSc Thesis, Charles Darwin University, Darwin, 2015.

 M. H. A. N. and C. Miao, “Structured Query Language Injection Penetration Test Case Generation Based on Formal Description,” Journal of Donghua University (English Edition), vol. 32, no. 3, pp. 446–452, 2015.

Year 2014 : 7 citations

 D. Appelt, C. D. Nguyen, L. C. Briand, and N. Alshahwan, “Automated testing for SQL injection vulnerabilities: An input mutation approach,” in Proceedings of the 2014 International Symposium on Software Testing and Analysis, 2014, pp. 259–269.

 V. Sunkari and C. V. Guru Rao, “Preventing input type validation vulnerabilities using network based intrusion detection systems,” in 2014 International Conference on Contemporary Computing and Informatics (IC3I), 2014, pp. 702–706.

 M. K. N. Durai and K. Priyadharsini, “A Survey on Security Properties and Web Application Scanner,” International Journal of Computer Science and Mobile Computing, vol. 3, no. 10, pp. 517–527, 2014.

 D. Appelt, N. Alshahwan, and L. Briand, “Assessing the Impact of Firewalls and Database Proxies on SQL Injection Testing,” in Future Internet Testing, T. E. J. Vos, K. Lakhotia, and S. Bauersfeld, Eds. Springer International Publishing, 2014, pp. 32–47.

 M. Mirjalili, A. Nowroozi, and M. Alidoosti, “A survey on web penetration test,” Advances in Computer Science: an International Journal (ACSIJ), vol. 3, no. 6, 2014.

 Zhuo Ying gun and Pan Renyi, “Design and implementation of website information disclosure assessment system,” Ph.D. Thesis, National Chung Cheng University, 2014.

 D. Appelt, N. Alshahwan, D. C. Nguyen, and L. Briand, “Black-box SQL Injection Testing,” University of Luxembourg, TR-SnT-2014-1, 2014.

Year 2013 : 6 citations

 R. M. Jnena, “Modern Approach for WEB Applications Vulnerability Analysis,” MSc Thesis, The Islamic University of Gaza, 2013.

 P. Zech, M. Felderer, M. Farwick, and R. Breu, “A Concept for Language-Oriented Security Testing,” in 2013 IEEE 7th International Conference on Software Security and Reliability-Companion (SERE-C), 2013, pp. 53–62.

 Luo Qi-Han, Zhang Yu-Qing, and Liu Qi-Xu, “Design and implementation of a SQL injection vulnerability detection tool on RESTful API,” Journal of Graduate University of Chinese Academy of Sciences, vol. 30, no. 3, pp. 417–424, 2013.

 Y.-C. Cho and J.-Y. Pan, “Vulnerability Assessment of IPv6 Websites to SQL Injection and other Application Level Attacks,” The Scientific World Journal, vol. 2013, 2013.

 L. Lei, X. Jing, L. Minglei, and Y. Jufeng, “A Dynamic SQL Injection Vulnerability Test Case Generation Model Based on the Multiple Phases Detection Approach,” in Computer Software and Applications Conference (COMPSAC), 2013 IEEE 37th Annual, 2013, pp. 256–261.

 O. Vikholm and M. Flodström, “SQL-Injections: A wake-up call for developer: A study about a major threat and issue for companies and organizations worldwide,” Bachelor Thesis, Uppsala University, Uppsala, 2013.

Year 2012 : 9 citations

 G. Vaughan, “Understanding SQL Injection Attacks Inside and Out,” 2012.

 Y. C. Zhu and H. L. Liang, “The SQL Injection Vulnerability Detection of the Web Application,” Applied Mechanics and Materials, vol. 198, pp. 1457–1461, 2012.

 M. P. Salas and E. Martins, “Emulation of Malformed XML Using WSInject for Security Testing Against WS-Security,” presented at the IEEE Latin-American Conference on Communications (LATINCOM), Cuenca, Ecuador, 2012.

 M. P. Salas and E. Martins, “Emulação de Ataques do Tipo XPath Injection para Testes de Web Services usando Injeção de Falhas,” in XIII Workshop de Testes e Tolerância a Falhas, Ouro Preto - MG, Brasil, 2012.

 D. Rocha, D. Kreutz, and R. Turchetti, “A free and extensible tool to detect vulnerabilities in Web systems,” in 2012 7th Iberian Conference on Information Systems and Technologies (CISTI), 2012, pp. 1–6.

 T. Huynh and J. Miller, “AIWAS: The Automatic Identification of Web Attacks System,” International Journal of Systems and Service-Oriented Engineering (IJSSOE), vol. 3, no. 1, pp. 73–91, 2012.

 H.-T. Tseng, “Design and Implementation of Automatic Web-Pages Penetration Testing System,” MSc Thesis, National Taiwan University of Science and Technology, Taiwan, 2012.

 M. I. P. Salas, “Metodologia de Testes de Segurança para Análise de Robustez de Web Services pela Injeção de Ataques,” MSc Thesis, IC-UNICAMP, Campinas, Brasil, 2012.

 D. Rocha, D. Kreutz, and R. Turchetti, “Uma Ferramenta Livre e ExtensíVel Para Detecção de Vulnerabilidades em Sistemas Web,” Computer Science and Engineering, 2012.

Year 2011 : 3 citations

 A.R. Pais, D.J. Deepak, and B.R. Chandavarkar, “Protection against Denial of Service and Input Manipulation Vulnerabilities in Service Oriented Architecture”, Advances in Network Security and Applications, Vol. 196, ISBN: 978-3-642-22539-0, 2011.

 F. van der Loo, “Comparison of penetration testing tools for web applications,” MSc Thesis, University of Radboud, Netherlands, 2011.

 Geoffrey Vaughan, "Understanding SQL Injection Attacks Inside and Out", Faculty of Business and IT, University of Ontario Institute of Technology, Canada, 2011.

Year 2010 : 6 citations

 Hsin-Chung Chen, "Multi-Layer Real-time Protection Applications Against SQLIV Attacks", MSc Thesis, Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, July 2010.

 Peng Geng, Fan Ming-yu, "SQL Injection Detection based on Improved Web Crawler", Application Research of Computers, Vol. 27, no. 7, July 2010.

 HU Ju-ning, BI Hong-jun, LIU Yun, JIA Fan, "Key management scheme based on polynomial and chaos for wireless sensor networks", Application Research of Computers, Vol. 27, no. 7, July 2010.

 D.A. Shelly, “Using a Web Server Test Bed to Analyze the Limitations of Web Application Vulnerability Scanners”, MSc Thesis, Virginia Polytechnic Institute and State University, July 2010.

 N. Lambert, Kang Song Lin, "Use of Query tokenization to detect and prevent SQL injection attacks", 3rd IEEE International Conference on Computer Science and Information Technology, ICCSIT 2010, Chengdu, China, September 2010.

 Toan Nguyen Duc Huynh, “Empirically Driven Investigation of Dependability and Security Issues in Internet-Centric Systems”, PhD Thesis, University of Alberta, Canada, 2010.