SQLiFuzz: Uncovering SQL Injection in Any Web Applications
I Putu Arya Dharmaadi, Van-Thuan Pham, Fadi Mohsen, Fatih Turkmen

SQL injection (SQLi) is one of the most critical and prevalent security vulnerabilities, as it enables attackers to manipulate backend databases, bypass authentication, and even gain complete control of the underlying system. Since web applications are the primary targets of SQLi, they must be thoroughly tested to ensure they are free of this vulnerability. Recently, several fuzz testing solutions tailored to SQLi vulnerabilities have been developed; however, our preliminary analysis reveals key limitations that hinder their effectiveness: they primarily focus on GUI-based inputs while neglecting API endpoints, rely on less effective request selection and generation strategies, and require complex configurations to be deployed in practice.
To address these gaps, we propose SQLiFuzz, a universal and simple-to-deploy SQL injection fuzzer that operates across both GUI (web pages) and API entry points. SQLiFuzz introduces three key distinguishing features: (i) a reverse proxy that unifies request collection and fuzzing, and allows seamless integration with existing crawlers and API scanners, (ii) a database proxy that enables request–query matching and serves as a reliable oracle, and (iii) a feedback-driven fuzzer that prioritizes potentially effective requests and parameters, and validates exploitability through database responses. We evaluated SQLiFuzz on six security benchmarks and ten real-world applications. SQLiFuzz successfully detects the majority of known SQLi cases in benchmarks and uncovered nine new vulnerabilities that had been overlooked by state-of-the-art tools in real-world applications. These results highlight SQLiFuzz’s ability to detect SQL injection across diverse web application frameworks and architectures while maintaining practicality and ease of deployment.
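The abstract describes a database proxy that matches HTTP requests to the SQL queries they produce and uses the observed query as the oracle. The following is an added illustration of that idea, not SQLiFuzz's code: it assumes the fuzzer can see, for a request, both the parameters it sent and the SQL text that reached the database, and it decides injectability by stripping literals from the captured query and checking whether the payload changed the query's structure. The request, the two toy backends (`render_vulnerable`, `render_escaped`), and the payload list are all constructed for the example.

```python
import re

# Constructed sample (not from the paper): one request's parameters and
# the SQL text a database proxy observed for the same request.
BASELINE_PARAMS = {"id": "42", "user": "alice"}
BASELINE_QUERY = "SELECT * FROM users WHERE id = 42 AND name = 'alice'"

# Payload suffixes appended to a parameter's original value. The first
# tries to break out of a quoted string, the second targets a bare number.
PAYLOAD_SUFFIXES = ["' OR '1'='1", " OR 1=1"]

# Single-quoted string literals ('' is the escaped quote) and numeric literals.
_LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def skeleton(query: str) -> str:
    """Replace every literal with '?' so only the query structure remains."""
    return _LITERAL_RE.sub("?", query)


def reflected_params(params: dict, query: str) -> list:
    """Parameters whose value appears verbatim in the captured query.

    Only these are worth fuzzing for SQLi; a parameter the application
    never forwards to the database cannot reach a query. Substring matching
    is a simplifying assumption for the example.
    """
    return [name for name, value in params.items() if value and value in query]


def is_injectable(baseline_query: str, fuzzed_query: str) -> bool:
    """Oracle: the payload is an injection if the literal-stripped skeleton of
    the query changed. A correctly escaped or bound value alters only a
    literal, never the skeleton, so the hardened backend never trips this."""
    return skeleton(baseline_query) != skeleton(fuzzed_query)


def render_vulnerable(params: dict) -> str:
    """Constructed backend 1: naive string concatenation (deliberately unsafe)."""
    return (f"SELECT * FROM users WHERE id = {params['id']} "
            f"AND name = '{params['user']}'")


def render_escaped(params: dict) -> str:
    """Constructed backend 2: integer cast plus quote doubling (hardened)."""
    uid = int(params["id"])  # non-numeric payload raises ValueError: request rejected
    name = params["user"].replace("'", "''")
    return f"SELECT * FROM users WHERE id = {uid} AND name = '{name}'"


def fuzz(render, baseline_params: dict, suffixes: list) -> dict:
    """Mutate each reflected parameter with each payload and apply the oracle.

    Returns {parameter: [payload values that changed the query structure]}.
    `render` stands in for 'send the request and read the query off the
    database proxy'.
    """
    baseline_query = render(baseline_params)
    findings = {}
    for name in reflected_params(baseline_params, baseline_query):
        for suffix in suffixes:
            payload = baseline_params[name] + suffix
            mutated = dict(baseline_params, **{name: payload})
            try:
                fuzzed_query = render(mutated)
            except ValueError:
                continue  # the backend rejected the value; nothing reached the DB
            if is_injectable(baseline_query, fuzzed_query):
                findings.setdefault(name, []).append(payload)
    return findings


if __name__ == "__main__":
    print("vulnerable backend:", fuzz(render_vulnerable, BASELINE_PARAMS, PAYLOAD_SUFFIXES))
    print("escaped backend:   ", fuzz(render_escaped, BASELINE_PARAMS, PAYLOAD_SUFFIXES))
```

The skeleton comparison is sound for values that land in string or numeric literals. A value reflected as an identifier (for example a column name in `ORDER BY`) changes the skeleton on every mutation, so a real fuzzer has to compare against a benign-value baseline for such parameters rather than against the original request; the example keeps to literal contexts to stay simple.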