Evaluation of Web Application Vulnerability Scanners using SQL Injection Attacks


Bibliographic Details
Published in: 8th International Conference on Recent Advances and Innovations in Engineering: Empowering Computing, Analytics, and Engineering Through Digital Innovation, ICRAIE 2023
Main Authors: Ibrahim R.Y.; Rosli M.M.
Format: Conference paper
Language: English
Published: Institute of Electrical and Electronics Engineers Inc., 2023
DOI: 10.1109/ICRAIE59459.2023.10468295
Online Access: https://www.scopus.com/inward/record.uri?eid=2-s2.0-85189931131&doi=10.1109%2fICRAIE59459.2023.10468295&partnerID=40&md5=d8f51b0881c397c1863a4dd0369293a7
Description: With the evolution of web technologies, many businesses have decided to attract more clients through the online market, also called e-commerce. While numerous web applications exist, a significant portion remains susceptible to cyberattacks. Of these, Structured Query Language (SQL) injection attacks are the most popular techniques used by cybercriminals to steal information from inside a database and take full control of the web application. It is imperative to assess the vulnerability of a web application before its online deployment, as this practice enables developers to identify and address potential flaws comprehensively. Yet, manually checking for vulnerabilities is nearly impractical due to the intricate nature of the process and the significant time it consumes. In this study, three automated web application vulnerability scanners and penetration testing tools (SQLMap, Open Web Application Security Project (OWASP) Zed Attack Proxy (ZAP) and Skipfish) were evaluated. These are open source and, according to OWASP, the most efficient vulnerability scanners. The scanners are compared based on their accuracy and response time in detecting most SQL injection vulnerabilities on pre-defined web applications available for Damn Vulnerable Web App (DVWA) testing. The results indicate that OWASP ZAP outperforms SQLMap and Skipfish in terms of accuracy and performance. The findings provide insights to continuously improve web application security scanners and protect web applications from potential vulnerabilities and cyber threats. © 2023 IEEE.