
Evaluation of SQL Injection Vulnerability Detection Tools
Author(s) - Najla’a Ateeq Mohammed Draib, Abu Bakar Sultan, Abdul Ghani, Hazura Zulzalil
Publication year - 2019
Publication title - International Journal of Engineering and Advanced Technology
Language(s) - English
Resource type - Journals
ISSN - 2249-8958
DOI - 10.35940/ijeat.a2648.109119
Subject(s) - sql injection, computer science, secure coding, web application, sql, vulnerability (computing), source code, database, web application security, open source, software deployment, web page, world wide web, query by example, computer security, software engineering, software, operating system, web development, software security assurance, information security, search engine, security service, web search query
SQL injection vulnerabilities have been prevalent in database-driven web applications for almost a decade. Exploiting such vulnerabilities enables attackers to gain unauthorized access to back-end databases by altering the original SQL statements through manipulated user input. Testing web applications to identify SQL injection vulnerabilities before deployment is essential to get rid of them. However, checking for such vulnerabilities by hand is very tedious, difficult, and time-consuming. Web vulnerability static analysis tools are software tools for automatically identifying the root cause of SQL injection vulnerabilities in web applications' source code. In this paper, we test and evaluate three free/open source static analysis tools using eight web applications with numerous known vulnerabilities, primarily for false negative rates. The evaluation results were compared and analysed, and they indicate a need to improve the tools.