Three Researchers -- MIT's Adam Kiezun, Stanford's Philip Guo, and Syracuse University's Karthick Jayaraman -- has developed a new tool 'Ardilla' that automatically finds and exploits SQL injection and cross-site scripting vulnerabilities in Web applications.
It creates inputs that pinpoint bugs in Web applications and then generates SQL injection and XSS attacks. But for now Ardilla is for PHP-based Web app only.
The researchers say Ardilla found 68 never-before found vulnerabilities in five different PHP applications using the tool -- 23 SQL injection and 45 XSS flaws.
More information is awaited.
For their attack generation techniques refer to their document at: