Behind an Application Firewall, Are We Safe from SQL Injection Attacks?

Author(s): Dennis Appelt, Cu D. Nguyen, Lionel Briand
Venue: IEEE International Conference on Software Testing, Verification and Validation (ICST)
Date: 2015

Type of Experiment: Controlled Experiment
Class/Experience Level: Professional
Data Collection Method: Observation


This paper describes research on whether web application firewalls (WAFs) actually stop SQL injection attacks. The study automatically generates inputs for a web application sitting behind a WAF and checks which of them the firewall lets through. The results measure how effectively the approach finds holes in a firewall's rule set that would let SQL injection attacks pass undetected.

The experiment tested WAFs with machine-learning-guided test generation to expose weaknesses in their filtering. The authors explain SQL, SQL injection and WAFs in detail, and survey earlier testing approaches. Their approach, called ML-Driven, is inspired by genetic programming and search-based test generation: candidate attacks are mutated and evaluated against the firewall, and a machine-learning model trained on the outcomes steers the generation of further attacks toward those most likely to bypass it. Combining three testing techniques, they obtained results from two separate experiments. The authors concluded that a WAF without the correct configuration is a definite threat: WAFs can allow SQL injection attacks to execute, and firewalls need improvements to prevent these attacks.
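To make the mutate-evaluate-learn loop concrete, here is a small added example (not the paper's ML-Driven tool or its code). It assumes a constructed toy WAF made of four blocklist signatures, a constructed backend oracle that treats inline comments as whitespace, four hypothetical mutation operators, and a simplified frequency-based scorer that stands in for the paper's trained classifier. The search evaluates each candidate against the WAF, records which features were present in blocked and passed attempts, and uses those counts to choose parents for the next mutation; a candidate counts as a bypass only if it also still reads as a tautology once the backend normalises it.

```python
"""Toy search-based SQL injection bypass testing with feedback-steered mutation.
Constructed example: the WAF, oracle, operators and learner are all stand-ins."""
import math
import random
import re

# Constructed stand-in for a signature-based WAF (not any real product's rules).
WAF_RULES = [
    re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),  # OR 1=1
    re.compile(r"(?i)union\s+select"),          # UNION SELECT
    re.compile(r"--"),                          # SQL line comment
    re.compile(r"(?i)'\s*or\s*'"),              # ' OR '
]


def toy_waf_blocks(payload: str) -> bool:
    """True if any signature matches the raw request parameter."""
    return any(rule.search(payload) for rule in WAF_RULES)


def backend_normalise(payload: str) -> str:
    """Approximate what the DB engine sees: inline comments act as whitespace."""
    without_comments = re.sub(r"/\*.*?\*/", " ", payload)
    return re.sub(r"\s+", " ", without_comments).strip().lower()


TAUTOLOGY = re.compile(r"\bor (\d+) ?= ?\1\b|\bor '(\w*)' ?= ?'\2'")


def is_injection_at_backend(payload: str) -> bool:
    """Oracle: after normalisation the payload still carries an always-true clause."""
    return TAUTOLOGY.search(backend_normalise(payload)) is not None


# Hypothetical mutation operators; a real tool would draw these from an attack grammar.
def op_space_to_comment(p, rng): return p.replace(" ", "/**/")
def op_dash_to_hash(p, rng): return p.replace("--", "#")
def op_random_case(p, rng): return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in p)
def op_tautology_swap(p, rng): return p.replace("1=1", "'a'='a'")

OPERATORS = [op_space_to_comment, op_dash_to_hash, op_random_case, op_tautology_swap]

# Features the learner observes in each candidate (token presence, case-insensitive).
FEATURES = {"inline_comment": "/**/", "hash_comment": "#", "dash_comment": "--",
            "numeric_tautology": "1=1", "string_tautology": "'a'='a'"}


def features(payload: str):
    low = payload.lower()
    return [name for name, token in FEATURES.items() if token in low]


def search_bypass(seed_payload="' OR 1=1 --", seed=42, budget=2000):
    """Evolve seed_payload until the toy WAF passes it and the backend oracle confirms it.
    Returns the bypassing payload, or None if the evaluation budget runs out."""
    rng = random.Random(seed)
    counts = {name: [0, 0] for name in FEATURES}  # [passed, blocked] per feature
    population, seen = [seed_payload], {seed_payload}

    def predicted_bypass(p):
        # Simplified learner: product of smoothed pass/block ratios of present features.
        # Stands in for the paper's trained classifier; favours features not yet seen blocked.
        return math.prod((counts[f][0] + 1) / (counts[f][1] + 1) for f in features(p))

    for _ in range(budget):
        parent = rng.choices(population, weights=[predicted_bypass(p) for p in population])[0]
        child = rng.choice(OPERATORS)(parent, rng)
        if child in seen:
            continue
        seen.add(child)
        blocked = toy_waf_blocks(child)  # the expensive oracle: one request per candidate
        for f in features(child):
            counts[f][1 if blocked else 0] += 1
        if not blocked and is_injection_at_backend(child):
            return child
        population.append(child)
    return None


if __name__ == "__main__":
    found = search_bypass()
    print("bypass found:", found)
    print("backend sees:", backend_normalise(found) if found else "-")
```

The `seen` set keeps the search from re-testing a payload, and the oracle check on the backend view matters: a mutation that fools the WAF but also breaks the SQL is a false positive, not a bypass.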