J4 ›› 2013, Vol. 35 ›› Issue (2): 68-73.
• 论文 • 上一篇 下一篇
秦广赞,郭帆,徐芳,余敏
收稿日期:
修回日期:
出版日期:
发布日期:
基金资助:
科技部国际合作项目(2010DFA70990)
QIN Guangzan,GUO Fan,XU Fang,YU Min
Received:
Revised:
Online:
Published:
摘要:
提出了一种基于静态分析的SQL注入攻击的检测方法。静态分析Web应用程序的源文件,提取污染源到执行参数的构造路径,形成检测规则。动态执行时替换规则中的输入参数为用户输入值,比较得到的SQL语句和原SQL语句在语义和结构上的异同,判断是否存在SQL注入攻击。实验结果表明,该方法有效可行,增加了过滤模块后对系统的性能影响不大。
关键词: SQL注入, 静态分析, 构造路径, 检测规则, Web应用程序
Abstract:
This paper proposes a detection method of SQL injection attack based on static analysis. It statically analyzes the source pages of Web application, extracts taint to execution parameters’ constructed path and forms detection rules. The input parameters in rules are replaced by user input values during dynamic enforcement. By comparing the resulting SQL statements with the original SQL statements in the semantic and structural similarities and discrepancies, the method will determine whether SQL injection attack exists in the Web application. Experiments results show its effectiveness and feasibility since it has little effect on system performance after increasing the filtering module.
Key words: SQL injection;static analysis;construct path;detection rule;Web application
秦广赞,郭帆,徐芳,余敏. 一种防SQL注入的静态分析方法[J]. J4, 2013, 35(2): 68-73.
QIN Guangzan,GUO Fan,XU Fang,YU Min. A static analysis method of antiSQL injection attack[J]. J4, 2013, 35(2): 68-73.
0 / / 推荐
导出引用管理器 EndNote|Ris|BibTeX
链接本文: http://joces.nudt.edu.cn/CN/
http://joces.nudt.edu.cn/CN/Y2013/V35/I2/68
