• Publication of the China Computer Federation
  • Chinese Science and Technology Core Journal
  • Chinese Core Journal

J4 ›› 2013, Vol. 35 ›› Issue (2): 68-73.

• Paper •

A static analysis method of antiSQL injection attack

QIN  Guangzan,GUO Fan,XU Fang,YU Min   

  1. (School of Computer Information and Engineering, Jiangxi Normal University, Nanchang 330022, China)
  • Received: 2011-12-23 Revised: 2012-04-17 Online: 2013-02-25 Published: 2013-02-25

Abstract:

This paper proposes a method for detecting SQL injection attacks based on static analysis. It statically analyzes the source pages of a Web application, extracts the construction path along which tainted input flows into the parameters of each executed SQL statement, and turns each path into a detection rule. At run time, the input parameters in a rule are replaced with the actual user-supplied values, and the resulting SQL statement is compared with the original (intended) statement for semantic and structural similarity; a discrepancy indicates that the Web application is under SQL injection attack. Experimental results show that the method is effective and feasible, and that adding the filtering module has little effect on system performance.
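As an added worked example (not code from the paper, whose concrete rule format and experiments are not reproduced here), the following Python sketch implements the two steps the abstract describes: a detection rule derived from a statement's construction path, with placeholders marking the user-controlled parameters, and a run-time check that substitutes the submitted values and compares the structure of the resulting statement with that of the intended one. The rule encoding, the tokenizer, the table and column names and the sample requests are all assumptions made for this example; the comparison is purely structural (the shape of the token stream after literal values are abstracted away), which is one concrete reading of the "structural similarity" the abstract mentions.

```python
import re
from dataclasses import dataclass

# Tokenizer for the structural comparison. Literal values are abstracted later,
# so only the *shape* of the statement matters, not what the user typed.
TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'                      # string literal, '' is the escaped quote
  | \d+(?:\.\d+)?                       # numeric literal
  | --[^\n]* | /\*.*?\*/ | \#[^\n]*     # comments (a favourite injection terminator)
  | [A-Za-z_][A-Za-z_0-9]*              # keyword or identifier
  | <> | <= | >= | != | [-+*/%=<>(),;.] # operators and punctuation
  | \S                                  # anything else, e.g. an unterminated quote
""", re.VERBOSE | re.DOTALL)


def skeleton(sql: str) -> list[str]:
    """Reduce an SQL statement to its structural token stream.

    String and numeric literals become STR / NUM, comments become COMMENT,
    keywords and identifiers are case-folded, punctuation is kept as-is.
    Two statements with the same skeleton have the same structure even if
    their literal values differ; an injection that adds OR, UNION, a comment
    or an unbalanced quote changes the skeleton.
    """
    out = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'") and len(tok) >= 2 and tok.endswith("'"):
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        elif tok.startswith(("--", "/*", "#")):
            out.append("COMMENT")
        elif tok[0].isalpha() or tok[0] == "_":
            out.append(tok.upper())
        else:
            out.append(tok)
    return out


@dataclass(frozen=True)
class DetectionRule:
    """One rule per SQL construction path found by the static phase.

    `template` is the statement as the page builds it, with {name} marking each
    user-controlled parameter. `benign` holds harmless sample values (one per
    parameter) used once to compute the skeleton of the intended statement.
    This encoding is an assumption of the example; the paper does not fix one.
    """
    template: str
    benign: dict

    def reference_skeleton(self) -> list[str]:
        return skeleton(self.template.format(**self.benign))


def check_request(rule: DetectionRule, params: dict) -> tuple[bool, str]:
    """Run-time filter step: substitute the real request parameters into the
    rule, then compare the structure of the resulting statement with that of
    the intended one. Returns (is_attack, runtime_sql)."""
    runtime_sql = rule.template.format(**params)
    is_attack = skeleton(runtime_sql) != rule.reference_skeleton()
    return is_attack, runtime_sql


# Two constructed rules standing in for what static analysis of two pages would
# yield: a login page with two quoted string parameters and a profile page with
# one unquoted numeric parameter. Table and column names are made up.
LOGIN_RULE = DetectionRule(
    "SELECT id, name FROM users WHERE name = '{username}' AND pwd = '{password}'",
    {"username": "x", "password": "x"},
)
PROFILE_RULE = DetectionRule(
    "SELECT * FROM profiles WHERE user_id = {user_id}",
    {"user_id": "0"},
)

# Constructed requests: (rule, submitted parameters). None are from the paper.
SAMPLE_REQUESTS = [
    (LOGIN_RULE, {"username": "alice", "password": "s3cret"}),
    (LOGIN_RULE, {"username": "O''Brien", "password": "x"}),          # escaped quote, benign
    (LOGIN_RULE, {"username": "admin' OR '1'='1", "password": "x"}),  # tautology
    (LOGIN_RULE, {"username": "admin'-- ", "password": "anything"}),  # comments out the rest
    (PROFILE_RULE, {"user_id": "42"}),
    (PROFILE_RULE, {"user_id": "42 OR 1=1"}),                         # no quote needed
    (PROFILE_RULE, {"user_id": "1 UNION SELECT pwd, 0, 0 FROM users"}),
]


def scan(requests=SAMPLE_REQUESTS) -> list[bool]:
    """Apply check_request to each (rule, params) pair; True marks an attack."""
    return [check_request(rule, params)[0] for rule, params in requests]


if __name__ == "__main__":
    for (rule, params), attack in zip(SAMPLE_REQUESTS, scan()):
        print("ATTACK" if attack else "benign", check_request(rule, params)[1])
```

Note the two failure modes the structural check handles that a keyword blacklist would not: a numeric parameter that needs no quote to break out of its literal, and a doubled quote inside a string, which is legitimate SQL escaping and must not be flagged. Anything that changes the token shape (an extra predicate, a UNION, a comment, an unterminated quote) is reported, whatever the literal text.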

Key words: SQL injection; static analysis; construction path; detection rule; Web application