A Lightweight Automated SQL Injection Testing Tool with Integrated Discovery and Structured Reporting
DOI:
https://doi.org/10.34190/eccws.25.1.4872
Keywords:
SQL Injection, Web Application Security, Vulnerability Scanning, Endpoint Discovery, Automated Testing, Cybersecurity
Abstract
SQL injection (SQLi) remains one of the most persistent and high-impact vulnerabilities in web applications, consistently ranked among the OWASP Top 10 threats. Although mature tools such as SQLMap provide extensive detection and exploitation capabilities, their steep learning curve, complex configuration requirements, and command-line-driven interfaces limit accessibility for beginners, students, and small organizations with constrained technical resources. This paper presents the design, implementation, and evaluation of a lightweight, automated SQL injection testing tool that emphasizes usability, efficient detection, comprehensive endpoint discovery, and structured reporting. The proposed system integrates four classical SQLi detection techniques—error-based, union-based, boolean-blind, and time-based—within a modular scanning engine accessible through an intuitive graphical user interface. To improve assessment coverage, an automated discovery module identifies hidden and unlinked endpoints via robots.txt inspection, sitemap.xml parsing, and hyperlink crawling. A multi-format reporting framework generates human-readable and machine-processable outputs, including executive summaries, vulnerability evidence, and mitigation recommendations. Experimental evaluation was conducted using Damn Vulnerable Web Application (DVWA) and OWASP Juice Shop, representing standard testbeds for ethical and repeatable SQLi assessment. Results demonstrate detection success rates ranging from 79% to 93% across the implemented techniques, while integrated discovery increased endpoint coverage by more than 100%. Comparative benchmarking against SQLMap indicates that although SQLMap offers deeper exploitation capabilities, the proposed tool delivers superior accessibility, reduced configuration complexity, faster deployment, and structured reporting suitable for educational, developmental, and small-scale security testing environments. 
The findings validate that lightweight design can achieve effective vulnerability detection without sacrificing fundamental security capabilities, providing a practical entry point for SQL injection assessment.
License
Copyright (c) 2026 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.