DocumentCode :
2777279
Title :
An Analysis of Black-Box Web Application Security Scanners against Stored SQL Injection
Author :
Khoury, Nidal ; Zavarsky, Pavol ; Lindskog, Dale ; Ruhl, Ron
Author_Institution :
Concordia Univ. Coll. of Alberta, Edmonton, AB, Canada
fYear :
2011
fDate :
9-11 Oct. 2011
Firstpage :
1095
Lastpage :
1101
Abstract :
Web application security scanners are a compilation of various automated tools put together and used to detect security vulnerabilities in web applications. Recent research has shown that detecting stored SQL injection, one of the most critical web application vulnerabilities, is a major challenge for black-box scanners. In this paper, we evaluate three state-of-the-art black-box scanners that support detecting stored SQL injection vulnerabilities. We developed our own custom test bed that challenges the scanners' capability regarding stored SQL injections. The results show that existing vulnerabilities are not detected even when these automated scanners are taught to exploit the vulnerability. The weaknesses of black-box scanners identified reside in many areas: crawling, input values and attack code selection, user login, analysis of server replies, mis-categorization of findings, and the automated process functionality. Because of the poor detection rate, we discuss the different phases of black-box scanners' scanning cycle and propose a set of recommendations that could enhance the detection rate of stored SQL injection vulnerabilities.
Keywords :
Internet; SQL; security of data; black-box Web application security scanners; security vulnerabilities; stored SQL injection; Databases; Electronic mail; Registers; Security; Syntactics; Web servers; black-box scanners; stored SQL injection; vulnerabilities
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third International Conference on Social Computing (SocialCom), 2011 IEEE Third International Conference on
Conference_Location :
Boston, MA
Print_ISBN :
978-1-4577-1931-8
Type :
conf
DOI :
10.1109/PASSAT/SocialCom.2011.199
Filename :
6113264