An Analysis of Black-Box Web Application Security Scanners against Stored SQL Injection

4 Author(s)
Nidal Khoury ; Concordia Univ. Coll. of Alberta, Edmonton, AB, Canada ; Pavol Zavarsky ; Dale Lindskog ; Ron Ruhl

Web application security scanners are a compilation of various automated tools put together and used to detect security vulnerabilities in web applications. Recent research has shown that detecting stored SQL injection, one of the most critical web application vulnerabilities, is a major challenge for black-box scanners. In this paper, we evaluate three state-of-the-art black-box scanners that support detecting stored SQL injection vulnerabilities. We developed our own custom test bed that challenges the scanners' capability regarding stored SQL injections. The results show that existing vulnerabilities are not detected even when these automated scanners are taught to exploit the vulnerability. The weaknesses of black-box scanners identified reside in many areas: crawling, input value and attack code selection, user login, analysis of server replies, mis-categorization of findings, and the functionality of the automated process. Because of the poor detection rate, we discuss the different phases of black-box scanners' scanning cycle and propose a set of recommendations that could enhance the detection rate of stored SQL injection vulnerabilities.
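The abstract's central point is that a stored (second-order) SQL injection is hard for a black-box scanner to observe: the request that stores the value returns a normal response, and the flaw only shows up on a later page that reads the value back and splices it into a query. The following example, added here as an illustration and not code from the paper or its test bed, models that two-stage flow with an in-memory SQLite database: a parameterised write path that answers "OK" regardless of input, a vulnerable read path that concatenates the stored value into SQL, and the fixed read path that binds it as a parameter. The table names, seed rows and the stored probe string are all constructed for this example.

```python
import sqlite3

# Constructed sample data for the example (not from the paper).
SEED_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]
# Constructed stored value: harmless on the write path, but it changes the
# meaning of a later query that concatenates it into SQL.
STORED_PROBE = "x' OR '1'='1"


def build_db():
    """Create an in-memory database with a users table and a profiles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE profiles (user_id INTEGER, display_name TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SEED_USERS)
    return conn


def save_display_name(conn, user_id, display_name):
    """Stage 1, the write path. It is parameterised, so it is safe in itself and
    returns the same reply for benign and hostile input: a scanner comparing
    responses to this request alone learns nothing."""
    conn.execute(
        "INSERT INTO profiles (user_id, display_name) VALUES (?, ?)",
        (user_id, display_name),
    )
    return "OK"


def lookup_email_vulnerable(conn, user_id):
    """Stage 2, vulnerable: the stored display name is read back from the database
    (trusted because it 'came from the DB') and concatenated into a new query."""
    (display_name,) = conn.execute(
        "SELECT display_name FROM profiles WHERE user_id = ?", (user_id,)
    ).fetchone()
    query = "SELECT email FROM users WHERE name = '" + display_name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_email_fixed(conn, user_id):
    """Stage 2, fixed: the stored value is bound as a parameter, so it can only
    ever be compared as data, never interpreted as SQL."""
    (display_name,) = conn.execute(
        "SELECT display_name FROM profiles WHERE user_id = ?", (user_id,)
    ).fetchone()
    return sorted(
        row[0]
        for row in conn.execute("SELECT email FROM users WHERE name = ?", (display_name,))
    )


def run_two_stage(lookup):
    """Drive both stages against a fresh database and return what stage 2 leaks.

    A black-box scanner that only inspects the stage-1 reply sees "OK" either way;
    the difference between the two lookups is visible only on the second page."""
    conn = build_db()
    stage1_reply = save_display_name(conn, 1, STORED_PROBE)
    return stage1_reply, lookup(conn, 1)


if __name__ == "__main__":
    print("vulnerable read path:", run_two_stage(lookup_email_vulnerable))
    print("fixed read path:     ", run_two_stage(lookup_email_fixed))
```

The design point for a detector follows from the shape of the code: a scanner has to remember which request stored `STORED_PROBE`, crawl on to the page that reads it back, and diff that later response against a baseline, which is exactly the crawling, login and reply-analysis burden the abstract names. The fix is the usual one: treat values read from the database as untrusted input and bind them as parameters.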

Published in:

2011 IEEE Third International Conference on Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third International Conference on Social Computing (SocialCom)

Date of Conference:

9-11 Oct. 2011