Abstract
As web applications become increasingly popular for offering data and services among businesses and organizations they also become more susceptible to security risks. Many organizations rely today on Web Vulnerability Scanners (WVSs) to identify vulnerabilities in their web applications. However, one of the most prevalent types of web application vulnerabilities, SQL Injections (SQLi), can often go undetected by WVSs. OWASP ZAP is an open-source web vulnerability scanner that allows security professionals to develop rules to improve vulnerability detection capability. In this paper, a new method is proposed to improve the detection capability of OWASP ZAP for SQLi. We aim to accurately detect the four major types of SQLi: Error-based, Union-based, Time-based blind, and Authentication Bypass. We implemented this new method using OWASP ZAP detection policies. The method was tested against two benchmark vulnerable web applications, Mutillidae and WebGoat, and was shown to significantly improve the detection of SQL injection attacks.