基于Chopping的Web应用SQL注入漏洞检测方法

随着Web应用的不断普及，其安全问题越来越显突出，特别是SQL注入漏洞攻击，给用户的安全体验造成了巨大的威胁. 针对二阶SQL注入漏洞，本文提出了一种基于chopping技术的二阶SQL注入漏洞检测方法. 首先通过对待测应用程序进行chopping，获取到一阶SQL注入疑似路径；然后对一阶SQL注入疑似路径中的SQL语句进行分析，确定二阶SQL注入操作对，进而得到二阶SQL注入疑似路径；最后通过构造攻击向量并运行，确认二阶SQL注入疑似路径中漏洞是否实际存在. 实验结果表明，本方法能够有效地检测出二阶SQL注入漏洞.

Web Application SQL Injection Detection Method Based on Chopping

With the wide use of Web application in recent years, its security has seriously affected the experience of relevant users. In particular, the SQL injection vulnerability attack is the most commonly used technique in attacking Web applications. In this study, a chopping-based method is proposed to detect the second-order SQL injection. Firstly, the static analysis based on chopping had been used to find the suspected first-order SQL injection paths. Secondly, the SQL statements in those suspected paths should be used to get the second-order operation pairs, which had been used to get the suspected second-order SQL injection paths. Finally, the attack vector is constructed to confirm the existence of the vulnerabilities which are hiding in Web applications. The experimental results show that the method we propose in this study can effectively detect the second-order SQL injection vulnerabilities thus prevent Web applications from SQL injection attack.