Abstract
Structured query language injection vulnerability (SQLIV) is one of the most prevalent and serious web application vulnerabilities that can be exploited by SQL injection attack (SQLIA) to gain unauthorized access to restricted data, bypass authentication mechanism, and execute unauthorized data manipulation language. Hence, testing web applications for detecting such vulnerabilities is very imperative. Recently, several security testing approaches have been proposed to detect SQL injection vulnerabilities. However, there is no up-to-date comparative study of these approaches that could be used to help security practitioners and researchers in selecting an appropriate approach for their needs.In this paper, six criteria's are identified to compare and analyze security testing approaches; vulnerability covered, testing approach, tool automation, false positive mitigation, vulnerability fixing, and test case/data generation. Using these criteria, a comparison was carried out to contrast the most prominent security testing approaches available in the literature. These criteria will aid both practitioners and researchers to select appropriate approaches according to their needs. Additionally, it will provide researchers with guidance that could help them make a preliminary decision prior to their proposal of new security testing approaches.
Highlights
Owing to their convenience and being accessible, web applications have become very popular and widely accepted in various fields of human endeavor
SQL injection attack (SQLIA) basically takes advantage of the vulnerabilities found in the input validation and the improper handling of submitted requests in the server side program which interacts with the database server
As we focus on Structured query language injection vulnerability (SQLIV), we test the tools based on which input injection mechanism that it covers either first-order SQL injection (SQLI), second-order SQLI, or both
Summary
Owing to their convenience and being accessible, web applications have become very popular and widely accepted in various fields of human endeavor. Web applications are designed with hard time restrictions, and are often deployed with varied degrees of unexpected security vulnerabilities that are exploitable by hackers through different types of attacks. These hacking attempts ordinarily result in unauthorized and, often, harmful transactions with the application, as well as its’ underlying database[1, 2]. SQLIA basically takes advantage of the vulnerabilities found in the input validation and the improper handling of submitted requests in the server side program which interacts with the database server In such attacks, the attacker usually injects SQL code fragments into vulnerable input parameters (HTTP requests) generating malicious SQL query which enables the attacker to gain an unauthorized access to the back-end database [6, 7].
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
