Combinatorial methods for dynamic gray-box SQL injection testing

Bernhard Garn, Jovan Zivanovic, Manuel Leithner, Dimitris E. Simos
DOI: https://doi.org/10.1002/stvr.1826
2022-07-04
Software Testing Verification and Reliability
Abstract: This work presents a gray-box combinatorial security testing methodology for detecting SQL injection vulnerabilities in web applications. New attack grammars modelling SQL injections are proposed. This combinatorial security testing approach performs equally well or better when compared to existing state-of-the-art SQL injection security testing tools.

Summary: This work presents an extended and enhanced gray-box combinatorial security testing methodology for SQL injection vulnerabilities in web applications. We propose multiple new attack grammars modelling SQLi attacks against MySQL-compatible databases, each targeting a different injection context. Additionally, these grammars are dynamically refined at the beginning of each attack against an endpoint of a web application, further optimizing the attack model by taking into account the specifics of the query generated by that endpoint. Our goal is to enhance existing combinatorial approaches for detecting SQL injection vulnerabilities. The newly developed methodology is implemented in a prototype security testing tool called SQLInjector+, which extends an earlier prototype developed by us in prior work. This improved tool can attack (i.e. test) any web application that uses a MySQL-compatible database management system. We evaluate our revised approach and improved prototype tool in a case study comprising different kinds of web applications to which SQLi is a potential security threat. The case study contains the well-known verification framework WAVSEP, five further real-world web applications and one web application firewall. Our generated attack vectors, constructed via combinatorial methods applied to our improved and dynamically optimized attack grammars, are capable of injecting every known vulnerable endpoint in WAVSEP and also of finding new vulnerable parameters in some of the real-world applications investigated in this paper. Our approach performs equally well or better when compared with existing state-of-the-art SQL injection security testing tools (sqlmap, w3af, wapiti and fuzzdb) across all tested web applications in the case study.
computer science, software engineering