Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services



Web services are becoming business-critical components that must provide a non-vulnerable interface to client applications. However, previous research and practice show that many web services are deployed with critical vulnerabilities. SQL injection vulnerabilities are particularly relevant, as web services frequently access a relational database using SQL commands. Penetration testing and static code analysis are two well-known techniques often used for the detection of security vulnerabilities. In this work we compare how effective these two techniques are at detecting SQL injection vulnerabilities in web services code. To understand the strengths and limitations of these techniques, we used several commercial and open source tools to detect vulnerabilities in a set of vulnerable services. Results suggest that, in general, static code analyzers are able to detect more SQL injection vulnerabilities than penetration testing tools. Another key observation is that tools implementing the same detection approach frequently detect different vulnerabilities. Finally, many tools provide low coverage and a high false-positive rate, making them a bad option for programmers.



Security, Vulnerabilities, SQL Injection, Penetration Testing, Static Code Analysis, Web Services


Web Services Security


IEEE 15th Pacific Rim International Symposium on Dependable Computing (PRDC'09), November 2009

Cited by

Year 2015 : 7 citations

 S. Jan, C. D. Nguyen, and L. Briand, “Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems,” in 2015 IEEE International Conference on Software Quality, Reliability and Security (QRS), 2015, pp. 233–241.

 K. Goseva-Popstojanova and A. Perhinschi, “On the capability of static code analysis to detect security vulnerabilities,” Information and Software Technology, vol. 68, pp. 18–33, 2015.

 S. Khani, C. Gacek, and P. Popov, “Security-aware selection of Web Services for Reliable Composition,” in 11th European Dependable Computing Conference (EDCC 2015) - Student Forum, Paris, France, 2015.

 A. Davies, “Securing Legacy Web Services,” BSc Thesis, Bournemouth University, Dorset, UK, 2015.

 Y.-C. Cho, “Implementation and analysis of website security mining system, applied to universities’ academic networks,” Tehnicki vjesnik - Technical Gazette, vol. 22, no. 2, pp. 279–287, 2015.

 M.-A. Laverdiere, B. J. Berger, and E. Merloz, “Taint analysis of manual service compositions using Cross-Application Call Graphs,” in 2015 IEEE 22nd International Conference on Software Analysis, Evolution and Reengineering (SANER), 2015, pp. 585–589.

 M. I. Palma Salas and E. Martins, “A Black-Box Approach to Detect Vulnerabilities in Web Services Using Penetration Testing,” Latin America Transactions, IEEE (Revista IEEE America Latina), vol. 13, no. 3, pp. 707–712, 2015.

Year 2014 : 8 citations

 V. Shanmuga Neethi, “Prevention of code injection vulnerabilities in web applications through web services,” Ph.D. Thesis, Anna University, Chennai, India, 2014.

 R. M. Dilip Charaan, R. Ramesh, E. Uma, and C. Yaashuwanth, “Design Of Three Layer Security Architecture To Prevent Dos Attacks In Web Service,” International Journal of Applied Engineering Research, vol. 9, no. 24, 2014.

 C. T. Phong and W. Q. Yan, “An Overview of Penetration Testing,” International Journal of Digital Crime and Forensics (IJDCF), vol. 6, no. 4, pp. 50–74, 2014.

 V. Sunkari and C. V. Guru Rao, “Preventing input type validation vulnerabilities using network based intrusion detection systems,” in 2014 International Conference on Contemporary Computing and Informatics (IC3I), 2014, pp. 702–706.

 S. Chimmanee, T. Veeraprasit, and C. Srisa-An, “A Performance Evaluation of Vulnerability Detection: NetClarity Audito, Nessus, and Retina,” International Journal of Computer Science & Network Security, vol. 14, no. 3, 2014.

 T. P. Chiem, “A study of penetration testing tools and approaches,” MSc Thesis, Auckland University of Technology, Auckland, New Zealand, 2014.

 Zhuo Ying gun and Pan Renyi, “Design and implementation of website information disclosure assessment system,” Ph.D. Thesis, National Chung Cheng University, 2014.

 M. I. P. Salas and E. Martins, “Security Testing Methodology for Vulnerabilities Detection of XSS in Web Services and WS-Security,” in Electronic Notes in Theoretical Computer Science, 2014, vol. 302, pp. 133–154.

Year 2013 : 7 citations

 A. Austin, C. Holmgreen, and L. Williams, “A Comparison of the Efficiency and Effectiveness of Vulnerability Discovery Techniques,” Information and Software Technology, 2013.

 G. Nilson, K. Wills, J. Stuckman, and J. Purtilo, “BugBox: A Vulnerability Corpus for PHP Web Applications,” presented at the 6th Workshop on Cyber Security Experimentation and Test (CSET ’13), Washington, D.C., 2013.

 M. Muralidharan and M. Surya, “A Network Based Vulnerability Scanner for Detecting and Preventing SQLI Attacks in Web Applications,” International Journal of Advanced and Innovative Research (IJAIR), vol. 2, no. 3, Mar. 2013.

 N. Meghanathan, “Automated Source Code Analysis to Identify and Remove Software Security Vulnerabilities: Case Studies on Java Programs,” International Journal of Software Engineering, vol. 6, no. 1, pp. 3–32, Jan. 2013.

 N. Awang and A. Manaf, “Detecting Vulnerabilities in Web Applications Using Automated Black Box and Manual Penetration Testing,” in Advances in Security of Information and Communication Networks, vol. 381, A. Awad, A. Hassanien, and K. Baba, Eds. Springer Berlin Heidelberg, 2013.

 R. Thenmozhi, M. Priyadharshini, and K. Abirami, “Vulnerability Management in Web Applications,” Data Mining and Knowledge Engineering, vol. 5, no. 4, pp. 162–167, 2013.

 R. Scandariato, J. Walden, and W. Joosen, “Static analysis versus penetration testing: A controlled experiment,” in 2013 IEEE 24th International Symposium on Software Reliability Engineering (ISSRE), 2013, pp. 451–460.

Year 2012 : 8 citations

 S. Chimmanee, T. Veeraprasit, K. Sriphaew, and A. Hemanidhi, “A Performance Comparison of Vulnerability Detection between Netclarity Auditor and Open Source Nessus,” Recent Advances in Communications, Circuits and Technological Innovation, pp. 280–285, 2012.

 S. Roy, A. K. Singh, and A. S. Sairam, “A Novel Approach to Prevent SQL Injection Attack Using URL Filter,” International Journal of Innovation, Management and Technology, vol. 3, no. 5, pp. 499–502, Oct. 2012.

 V. Shanmughaneethi, R. Y. Praveen, and S. Swamynathan, “CIVD: detection of command injection vulnerabilities in web services through aspect–oriented programming,” International Journal of Computer Applications in Technology, vol. 44, no. 4, pp. 312–320, Jan. 2012.

 N. Meghanathan and A. R. Geoghegan, “A Case Study on Testing for Software Security: Static Code Analysis of a File Reader Program Developed in Java,” in Advanced Automated Software Testing: Frameworks for Refined Practice, I. Alsmadi, Ed. IGI Global, 2012, pp. 89–112.

 A. K. Singh and S. Roy, “A Network Based Vulnerability Scanner for Detecting SQLI Attacks in Web Applications,” in 1st International Conference on Recent Advances in Information Technology (RAIT), 2012, pp. 585–590.

 M. I. P. Salas, “Metodologia de Testes de Segurança para Análise de Robustez de Web Services pela Injeção de Ataques,” MSc Thesis, IC-UNICAMP, Campinas, Brazil, 2012.

 G. Nilson, K. Wills, J. Stuckman, and J. Purtilo, “BugBox: A Vulnerability Corpus for PHP Web Applications,” presented at the 6th Workshop on Cyber Security Experimentation and Test (CSET ’13), Washington, D.C., 2013.

 A. Austin, C. Holmgreen, and L. Williams, “A Comparison of the Efficiency and Effectiveness of Vulnerability Discovery Techniques,” Information and Software Technology, Dec. 2012.

Year 2011 : 6 citations

 E. Uma, A. Kannan, and R. Ramesh, “Design of New Architecture for Providing Secure Web Services,” in Proceedings of the World Congress on Engineering and Computer Science, San Francisco, USA: Newswood Limited, October 19-21, 2011.

 Sangita Roy, Avinash Kumar Singh, and Ashok Singh Sairam, “Detecting and Defeating SQL Injection Attacks,” International Journal of Information and Electronics Engineering, vol. 1, no. 1, July 2011.

 A. R. Pais, D. J. Deepak, and B. R. Chandavarkar, “Protection against Denial of Service and Input Manipulation Vulnerabilities in Service Oriented Architecture,” Advances in Network Security and Applications, vol. 196, ISBN: 978-3-642-22539-0, 2011.

 S. Roy, A. K. Singh, and A. S. Sairam, “Analyzing SQL Meta Characters and Preventing SQL Injection Attacks Using Meta Filter,” International Conference on Information and Electronics Engineering, Singapore, 2011.

 A. Austin and L. Williams, “One Technique is Not Enough: A Comparison of Vulnerability Discovery Techniques,” presented at the ACM/IEEE 5th International Symposium on Empirical Software Engineering and Measurement (ESEM), Banff, Alberta, Canada, 2011.

 A. Austin, “Improving the Security of Electronic Health Record Systems,” Master of Science, North Carolina State University, Raleigh, North Carolina, 2011.

Year 2010 : 2 citations

 Pramote Kuacharoen, “A Practical Customer Privacy Protection on Shared Servers,” 2010 International Conference on Information Theory and Information Security, ICITIS2010, Beijing, China, December 2010.

 Deepak D. J., “Protection Against Input Manipulation Vulnerabilities in Service Oriented Architecture,” MSc Thesis – Master of Technology in Computer Science & Engineering – Information Security, Department of Computer Engineering - National Institute of Technology Karnataka, Mangalore, India, July 2010.