How Code Coverage Helped Me Find 3 SQL Injections

How Code Coverage Helped Me Find 3 SQL Injections

In this tutorial, Jan Schrewe demonstrates how he managed to find three vulnerabilities with the help of code coverage using cifuzz (

For web applications with a login, it is kind of obvious that you cannot achieve a high coverage without logging in. Any experienced tester would be able to recognize this immediately. And even for blackbox scans, most developers would use a login to improve their code coverage.

However, as you proceed in the testing process, it becomes more difficult to optimize your testing results, without really measuring the code coverage. For example, a low code coverage may also indicate missing permissions. Maybe there are various user groups that have different access levels, which might stay unnoticed and lead to low coverage if the coverage is not measured.

Even experienced pentesters might miss those road blockers, as they are often working under immense time pressure, and have no direct feedback on the code coverage. Continuously measuring code coverage could help you detect those kinds of issues much faster. Thus, by applying minor modifications to your tests, you can improve the reliability and security of your code strongly.

If you are interested in an enterprise solution for automated security testing, check out