Integrating CVSS, OWASP, and APPI for a Comprehensive Risk Analysis of SQL Injection Vulnerabilities in E-Commerce

Authors

  • Muhammad Kholilul Adrian, Telkom University
  • Prajna Deshanta Ibnugraha, Telkom University
  • Hilal Hudan Nuha, Telkom University

DOI:

https://doi.org/10.24076/intechnojournal.2025v7i1.2184

Keywords:

SQL Injection, Risk Assessment, CVSS, OWASP, APPI (Act on the Protection of Personal Information)

Abstract

Purpose: By integrating the technical severity evaluation provided by the Common Vulnerability Scoring System (CVSS), the business risk assessment framework of the OWASP Risk Rating Methodology, and the legal compliance standards outlined in Japan’s Act on the Protection of Personal Information (APPI), this study aims to conduct a holistic risk analysis of SQL injection vulnerabilities within e-commerce platforms. The primary objective is to offer stakeholders a robust and actionable model for enhancing the security of online shopping environments.

Methods/Study design/approach: This study employed a mixed-methods experimental case study approach. A custom-built, intentionally vulnerable e-commerce web application was subjected to a simulated SQL injection attack to extract fictitious user and transaction data. The technical severity of the vulnerability was quantified using CVSS v3.1, while the OWASP Risk Rating Methodology was applied to assess the associated business risks. Additionally, the legal implications were evaluated in accordance with Japan’s Act on the Protection of Personal Information (APPI).

Result/Findings: The simulation confirmed that a SQL injection attack could extract sensitive personal and transactional data. The vulnerability was rated “Critical” with a CVSS v3.1 score of 9.1, and the OWASP assessment indicated a “High” business risk due to financial impact, APPI non-compliance, and privacy violations. The leaked purchase history was classified under APPI as “Personal Information Requiring Special Attention.”

Novelty/Originality/Value: This study’s main contribution is its integrated methodology that links CVSS, OWASP, and APPI frameworks to assess cyber threats. It offers a multidimensional view, showing how a technical vulnerability can lead to serious legal and business consequences under specific data protection laws.

Published

2025-07-31

Section

Articles