Open AccessComparison of Security Testing Approaches for Detection of SQL Injection Vulnerabilities
Author(s) -
Najla’a Ateeq Mohammed Draib,
Abu Bakar Sultan,
Abdul Ghani,
Hazura Zulzalil
Publication year - 2018
Publication title -
international journal of engineering and technology
Language(s) - English
Resource type - Journals
ISSN - 2227-524X
DOI - 10.14419/ijet.v7i4.1.19483
Subject(s) - sql injection , computer science , security testing , computer security , vulnerability (computing) , application security , secure coding , web application , sql , vulnerability management , authentication (law) , web application security , vulnerability assessment , security information and event management , information security , software security assurance , cloud computing security , database , security service , query by example , world wide web , the internet , web search query , cloud computing , web development , psychological resilience , psychotherapist , operating system , search engine , psychology
Structured query language injection vulnerability (SQLIV) is one of the most prevalent and serious web application vulnerabilities that can be exploited by SQL injection attack (SQLIA) to gain unauthorized access to restricted data, bypass authentication mechanism, and execute unauthorized data manipulation language. Hence, testing web applications for detecting such vulnerabilities is very imperative. Recently, several security testing approaches have been proposed to detect SQL injection vulnerabilities. However, there is no up-to-date comparative study of these approaches that could be used to help security practitioners and researchers in selecting an appropriate approach for their needs.In this paper, six criteria's are identified to compare and analyze security testing approaches; vulnerability covered, testing approach, tool automation, false positive mitigation, vulnerability fixing, and test case/data generation. Using these criteria, a comparison was carried out to contrast the most prominent security testing approaches available in the literature. These criteria will aid both practitioners and researchers to select appropriate approaches according to their needs. Additionally, it will provide researchers with guidance that could help them make a preliminary decision prior to their proposal of new security testing approaches.