An Automated Vulnerability Scanner for Injection Attack Based on Injection Point

Abstract

As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. Too many nouns web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross- Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper implemented an automated vulnerability scanner that for the injection attacks. To this end, we implemented a system that automated scanned the injection attack vulnerabilities. Our system was automatically analyses web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. It was able to find many potentially vulnerable web sites. We picked 7 identified web sites with vulnerabilities from National Vulnerability Database [13] to verify our system.