Web application security scanners are automated tools used to detect security vulnerabilities in web applications. Recent research has shown that detecting persistent SQL injection vulnerabilities, one of the most critical web application vulnerabilities, is a major challenge for black-box scanners. In this paper, we evaluate three state-of-the-art black-box scanners that support detecting persistent SQL injection vulnerabilities. We developed our own testbed, "MatchIt", to test the scanners' capability to detect persistent SQL injections. The results show that existing vulnerabilities are not detected even when these automated scanners are explicitly configured to exploit the vulnerability. The weaknesses we identified in black-box scanners lie in many areas: crawling web pages, selecting input values and attack code, user registration and login, analysis of server replies, and classification of findings. Because of the poor detection rate, we analyze the scanners' behavior and present a set of recommendations that could improve the discovery of persistent SQL injection vulnerabilities.
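As an added illustration of the vulnerability class the paper evaluates (example code written for this page, not from the paper or its MatchIt testbed), the following shows a minimal persistent (second-order) SQL injection in Python with sqlite3 beside its parameterized fix; the `users` schema and sample rows are assumed and constructed here. It makes the paper's point concrete: the request that receives the payload is itself safe, so a scanner that only inspects the reply to the injecting request sees nothing, and the defect surfaces in a later request that reuses the stored value.

```python
# Added example (not from the paper): a minimal persistent (second-order)
# SQL injection in Python/sqlite3. The registration step stores the
# user-supplied string with a bound parameter, but a later lookup splices
# the stored value into SQL, so the injection fires in a different request.
import sqlite3


def setup_db() -> sqlite3.Connection:
    # In-memory database with a constructed, hypothetical schema and rows.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com');
        INSERT INTO users (name, email) VALUES ('bob', 'bob@example.com');
        """
    )
    return conn


def register(conn: sqlite3.Connection, name: str) -> int:
    # Step 1: registration is parameterized, so the reply to this request
    # carries no SQL error and looks clean to a black-box scanner.
    cur = conn.execute(
        "INSERT INTO users (name, email) VALUES (?, ?)", (name, "new@example.com")
    )
    conn.commit()
    return cur.lastrowid


def profile_vulnerable(conn: sqlite3.Connection, user_id: int) -> list:
    # Step 2 (vulnerable): the stored name is trusted and concatenated into SQL.
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return conn.execute("SELECT email FROM users WHERE name = '" + name + "'").fetchall()


def profile_fixed(conn: sqlite3.Connection, user_id: int) -> list:
    # Step 2 (fixed): data read back from the database is bound like any input.
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def demo() -> tuple:
    # Returns (rows from vulnerable lookup, rows from fixed lookup).
    conn = setup_db()
    # Constructed test value: a name that closes the quote and widens the WHERE clause.
    uid = register(conn, "x' OR '1'='1")
    leaked = profile_vulnerable(conn, uid)  # every user's email comes back
    correct = profile_fixed(conn, uid)      # only the new user's own row
    return len(leaked), len(correct)
```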