DocumentCode :
3308079
Title :
Detecting SQL Injection Vulnerabilities in Web Services
Author :
Antunes, Nuno ; Vieira, Marco
Author_Institution :
Dept. of Inf. Eng., Univ. of Coimbra, Coimbra, Portugal
fYear :
2009
fDate :
1-4 Sept. 2009
Firstpage :
17
Lastpage :
24
Abstract :
Web services are often deployed with critical software bugs that can be maliciously exploited. Web vulnerability scanners are regarded as an easy way to test Web applications against security vulnerabilities. However, previous research shows that the effectiveness of these tools in Web services environments is very poor. In fact, the high number of false-positives and the low coverage observed in practice highlight the strong limitations of these tools. The goal of this paper is to demonstrate that it is possible to develop a vulnerability scanner for Web services that performs much better than the commercial ones currently available. Thus, we propose an approach to detect SQL injection vulnerabilities, one of the most common and most critical types of vulnerabilities in web environments. Experimental evaluation shows that our approach performs much better than well-known commercial tools, achieving very high detection coverage while maintaining the false positives rate quite low.
Keywords :
SQL; Web services; security of data; SQL injection vulnerabilities detection; Web services; Web vulnerability scanner; critical software bugs; security vulnerabilities; Application software; Computer bugs; Data security; Databases; Informatics; Performance evaluation; Simple object access protocol; Testing; Time to market; Web services;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Dependable Computing, 2009. LADC '09. Fourth Latin-American Symposium on
Conference_Location :
Joao Pessoa
Print_ISBN :
978-1-4244-4678-0
Electronic_ISBN :
978-0-7695-3760-3
Type :
conf
DOI :
10.1109/LADC.2009.21
Filename :
5234322