Now a days the use of the world wide web (www) is increasing rapidly and leading to security breaches of a system so testing the software system has been made iterative. Testing requires effort, time and skilful person. Hacking mostly occur in banking sector and business organizations because they maintain all the confidential information. One of the hacking technique is commonly occur in banking sector is sql injection. Security testing can be done by two ways i.e static analysis which is otherwise known as white box testing and by dynamic analysis which is known as black box testing.In this paper we have shown the penetration testing of web application to detect the sql injection vulnerability. This paper describes the penetration testing processes and mainly focuses on vulnerability discovery, attack generation and obtain the test cases and maintaining a pentester database which store all the attack responses. We have taken an internet banking transaction case study. This paper has the main motivation is to detect the sql injection by the attack generation. In sql injection system the attacker might insert a malicious code in the user input field and trying to gain access the confidential and sensitive information from the database and making the database insecure. Penetration testing is widely used to simulate an attack of the web application and then analysis the attack pattern and give better solution to the system. This paper has given an overview of the penetration testing process and sql injection attack and a pentester database.

Testing, Security Testing , Penetration Testing, Sql Injection

[1] Halfond WGJ, Orso , Improving penetration testing through static and dynamic analysis, Software Testing, Verification, And Reliability(2011).
[2] Pulei Xiong, Liam Peyton, A Model-Driven Penetration Test Framework for Web Applications, 2010 Eighth Annual International Conference on Privacy, Security and Trust.
[3] Lashanda Dukes,Xiaohong yuan, A case study on web application security testing with tools and manual testing, 2013.
[4] Halfond WGJ, Orso A. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks, Proceedings of the International Conference on Automated Software Engineering, Long Beach, CA, U.S.A., November 2005;174183.
[5] T. Pietraszek and C. V. Berghe , Defending Against Injection Attacks through Context-Sensitive String Evaluation, In Proceedings of Recent Advances in Intrusion Detection (RAID2005), 2005
[6] Bernard Stepien, Liam Peyton, Pulei Xiong , Using TTCN-3 as a Modeling Language for Web Penetration
[7] www.owasp.org
[8] A. Kie zun, P. J. Guo, K. Jayaraman, and M. D. Ernst, Automatic creationof SQL injection and cross site scripting attacks, in Proc. of ICSE, 2009.
[9] Lei Xu, Baowen, A frame work for web application testing, International Conference on Cyberworlds, 2004.
[10] Nuno Antunes, Marco Vieira, Evaluating and Improving Penetration Testing in Web Services, IEEE,2012.
[11] Halfond WGJ, Viegas J, Orso A, A classification of SQL-injection attacks and counter measures, Proceedings of the International Symposium on Secure Software Engineering, Washington, DC, U.S.A., March 2006.
[12] Halfond WGJ, Orso A, Manolios P. WASP: Protecting web applications using positive tainting and syntax-aware evaluation, Transactions on Software Engineering 2008; 34(1):6581.
[13] G . Buehrer, B. W. Weide, and P. A. Sivilotti, Using parse tree validation to prevent SQL injection attacks, in Proceedings of the 5th international workshop on Software engineering and middleware, 2005, p. 113.
[14] Sutton M, Greene A, Amini P. Fuzzing, Brute Force Vulnerability Discovery, Addison-Wesley: Reading, MA,2007.
[15] Arkin B, Stender S. McGraw G, Software penetration testing. IEEE Security and Privacy 2005; 3(1):8487.