The invention discloses an
injection point extracting method in
SQL (Structured
Query Language) injection
vulnerability detection, which is used for solving the technical problem of poor accuracy of the traditional method in the
SQL injection
vulnerability detection under a
Web environment. According to the technical scheme, the
injection point extracting method comprises the steps of: firstly, preprocessing a downloaded webpage, dividing the webpage into a simple webpage and a complex webpage, extracting a data
injection point of the simple webpage, extracting a data injection point of the complex webpage, extracting a
test case through constructing the
test case, analyzing service response, and establishing a
decision rule of an
SQL injection
vulnerability. According to the invention, starting from obtaining the data injection points of a
Web application system, through constructing the targeted
test case, the used test case is used for carrying out character string, numerical value,
annotation and
delay testing according to the types and the parameter compositions of the data injection points, thus the test of the injection vulnerability caused by simple
filtration of URL (
Uniform Resource Locator) parameters and table submitted data is effectively dealt; and through analysis response, the established
decision rule of the
SQL injection vulnerability is improved in testing accuracy.