本文已被:浏览 1900次 下载 1877次
Received:March 28, 2017 Revised:April 20, 2017
Received:March 28, 2017 Revised:April 20, 2017
中文摘要: 随着Web应用的不断普及,其安全问题越来越显突出,特别是SQL注入漏洞攻击,给用户的安全体验造成了巨大的威胁. 针对二阶SQL注入漏洞,本文提出了一种基于chopping技术的二阶SQL注入漏洞检测方法. 首先通过对待测应用程序进行chopping,获取到一阶SQL注入疑似路径;然后对一阶SQL注入疑似路径中的SQL语句进行分析,确定二阶SQL注入操作对,进而得到二阶SQL注入疑似路径;最后通过构造攻击向量并运行,确认二阶SQL注入疑似路径中漏洞是否实际存在. 实验结果表明,本方法能够有效地检测出二阶SQL注入漏洞.
Abstract:With the wide use of Web application in recent years, its security has seriously affected the experience of relevant users. In particular, the SQL injection vulnerability attack is the most commonly used technique in attacking Web applications. In this study, a chopping-based method is proposed to detect the second-order SQL injection. Firstly, the static analysis based on chopping had been used to find the suspected first-order SQL injection paths. Secondly, the SQL statements in those suspected paths should be used to get the second-order operation pairs, which had been used to get the suspected second-order SQL injection paths. Finally, the attack vector is constructed to confirm the existence of the vulnerabilities which are hiding in Web applications. The experimental results show that the method we propose in this study can effectively detect the second-order SQL injection vulnerabilities thus prevent Web applications from SQL injection attack.
keywords: second-order SQL injection taint analysis Web application vulnerability detection chopping program slicing
文章编号: 中图分类号: 文献标志码:
基金项目:国家自然科学基金(61672085,61472025)
引用文本:
尤枫,马金慧,张雅峰.基于Chopping的Web应用SQL注入漏洞检测方法.计算机系统应用,2018,27(1):86-91
YOU Feng,MA Jin-Hui,ZHANG Ya-Feng.Web Application SQL Injection Detection Method Based on Chopping.COMPUTER SYSTEMS APPLICATIONS,2018,27(1):86-91
尤枫,马金慧,张雅峰.基于Chopping的Web应用SQL注入漏洞检测方法.计算机系统应用,2018,27(1):86-91
YOU Feng,MA Jin-Hui,ZHANG Ya-Feng.Web Application SQL Injection Detection Method Based on Chopping.COMPUTER SYSTEMS APPLICATIONS,2018,27(1):86-91
