
SQLi-ScanEval: A Framework for Design and Evaluation of SQLi Detection Using Vulnerability and Penetration Testing Scanners

Hajira Bashir, Waseem Ullah Khan, Safdar Nawaz Khan Marwat, Shahid Khan, Imran Baig*, Yasir Mehmood, Hammad Atta

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

The exponential growth of the Internet has led to a dramatic rise in the use of web applications, making them integral to businesses, industries, education, financial institutions, and daily life. However, this widespread adoption has introduced significant security issues, exposing web applications to vulnerabilities capable of compromising the confidentiality, integrity, and availability of sensitive data. Mitigating these vulnerabilities has therefore become vital to robust information security. Among the many classes of vulnerability, Structured Query Language injection (SQLi) remains one of the most prevalent affecting web-based applications, which makes detecting SQL injection vulnerabilities essential. In practice, penetration testers rely on automated vulnerability assessment tools, each with its own strengths and limitations, to evaluate the security of web applications. These security scanners have known flaws, however, such as failing to crawl entire web applications and producing inaccurate results. Substantial research has quantified the outcomes of web application security scanners in order to examine their limitations and efficacy, yet a standardized methodology or set of criteria for assessing their performance remains elusive. To address these challenges, this paper proposes the SQLi-ScanEval Framework, a standardized SQLi detection system that integrates vulnerability and penetration testing scanners into a single framework. The framework provides a standardized evaluation environment and thereby compensates for the drawbacks of individual scanners, including insufficient coverage and erroneous findings. The SQLi-ScanEval Framework was used to test seven prominent SQLi vulnerability scanners, namely OWASP ZAP, Wapiti, Vega, Acunetix, Invicti, Burp Suite and Arachni, against two well-known deliberately vulnerable applications, Test PHP and Bricks from OWASP Broken Web Applications (BWA).
The framework evaluated the performance of each scanner in terms of recall, accuracy, and precision. The results showed that Acunetix achieved the highest accuracy, 90.48% on Bricks and 86.96% on Test PHP, with the lowest false positive rates and a recall of 88.89%. The results also reveal notable variation in scanner performance, with scan times on the Bricks application ranging from 00:02:13 (OWASP ZAP) to 00:43:33 (Invicti). The SQLi-ScanEval results further provide insight into the strengths and shortcomings of each scanner, giving penetration testers a practical roadmap for selecting the most suitable tools. As cyber-attacks continue to evolve, this study not only supports tool-selection decisions but also extends SQLi detection techniques, paving the way to more secure web applications.
Original language: English
Article number: e70618
Journal: Engineering Reports
Volume: 8
Issue number: 1
DOIs
Publication status: Published - 25 Jan 2026

Keywords

  • SQLi-ScanEval framework
  • Acunetix
  • Bricks
  • vulnerability scanners
  • OWASP ZAP
  • OWASP
  • SQLi vulnerabilities
