An analysis of black-box web application vulnerability scanners in SQLi detection

Abstract

Web application vulnerabilities enable attackers to perform malicious activities that can cause huge losses to the users. Web application vulnerability scanners are automated Black-Box testing tools that identify the vulnerabilities prevailing in a web application. The scanners have gained popularity with time due to its ability to detect the application architecture weaknesses without accessing the source codes of the target web applications. However, a scanner has its own limitations as well. This paper focuses on analyzing the web application vulnerability scanners’ ability to detect SQL injection and therefore we test a set of three open-source scanners against a set of custom-built test samples with various categories of SQL injection.