| 一种新的反SQL注入策略的研究与实现 |
| |
| 引用本文: | 周敬利,王晓锋,余胜生,夏洪涛.一种新的反SQL注入策略的研究与实现[J].计算机科学,2006,33(11):64-68. |
| |
| 作者姓名: | 周敬利 王晓锋 余胜生 夏洪涛 |
| |
| 作者单位: | 华中科技大学计算机科学与技术学院,武汉,430074 |
| |
| 基金项目: | 国家自然科学基金;国防预研基金 |
| |
| 摘 要: | SQL注入是一种常用的且易于实施的攻击手段,对网络应用程序的安全构成严重威胁。本文提出并实现了一种新的反SQL注入策略:SQL语法预分析策略。该策略首先将SQL注入分类,并抽象出各类注入的语法结构;然后将用户输入预先组装成完整的SQL语句,对该语句进行语法分析,如果发现具有SQL注入特征的语法结构,则判定为SQL注入攻击。策略的实现不需要修改已有的应用程序代码,也不需要修改任何服务器平台软件。实验表明,新的策略具有极好的SQL注入识别能力,并成功地避免了传统的特征字符串匹配策略固有的高识别率和低误判率之间的矛盾。
|
| 关 键 词: | 应用层安全 SQL注入 入侵预防 |
A New Policy to Defend against SQL Injection Attacks |
| |
| ZHOU Jing-Li,WANG Xiao-Feng,YU Sheng-Sheng,XIA Hong-Tao.A New Policy to Defend against SQL Injection Attacks[J].Computer Science,2006,33(11):64-68. |
| |
| Authors: | ZHOU Jing-Li WANG Xiao-Feng YU Sheng-Sheng XIA Hong-Tao |
| |
| Affiliation: | College of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074 |
| |
| Abstract: | SQL injection, which is a popular and easy to carry out method of remote attacks, poses a major thread to application level security. In this paper, we introduce Pre-analysis of SQL syntax, a fire-new policy to detect and prevent SQL injection attacks. First, all SQL injection attacks are categorized into some classes and for each class a specified syntagma is abstracted and recorded. Then, the user input is picked up and embedded into prepared SQL sentences. Finally, these embedded SQL sentences are syntactically checked. Any find of underlying syntagma recorded as SQL injection tells a SQL injection attack. The implementation of new policy needs neither modification to Web program codes nor any patch to software of server platform. Experiments prove that new policy provides close to perfect detection rate and avoids the conflict between low false positive rate and low false negative rate. |
| |
| Keywords: | Application level security SQL injection attacks Intrusion prevention |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
| 点击此处可从《计算机科学》浏览原始摘要信息 |
|
点击此处可从《计算机科学》下载全文 |
|
