| 一种防SQL注入的静态分析方法 |
| |
| 引用本文: | 秦广赞,郭帆,徐芳,余敏.一种防SQL注入的静态分析方法[J].计算机工程与科学,2013,35(2):68-73. |
| |
| 作者姓名: | 秦广赞 郭帆 徐芳 余敏 |
| |
| 作者单位: | 江西师范大学计算机信息工程学院,江西南昌,330022 |
| |
| 摘 要: | 提出了一种基于静态分析的SQL注入攻击的检测方法。静态分析Web应用程序的源文件,提取污染源到执行参数的构造路径,形成检测规则。动态执行时替换规则中的输入参数为用户输入值,比较得到的SQL语句和原SQL语句在语义和结构上的异同,判断是否存在SQL注入攻击。实验结果表明,该方法有效可行,增加了过滤模块后对系统的性能影响不大。
|
| 关 键 词: | SQL注入 静态分析 构造路径 检测规则 Web应用程序 |
| 收稿时间: | 2011-12-23 |
| 修稿时间: | 2012-04-17 |
A static analysis method of anti-SQL injection attack |
| |
| QIN Guang-zan
,
GUO Fan
,
XU Fang
,
YU Min.A static analysis method of anti-SQL injection attack[J].Computer Engineering & Science,2013,35(2):68-73. |
| |
| Authors: | QIN Guang-zan GUO Fan XU Fang YU Min |
| |
| Affiliation: | (School of Computer Information and Engineering,Jiangxi Normal University,Nanchang 330022,China) |
| |
| Abstract: | This paper proposes a detection method of SQL injection attack based on static analysis. It statically analyzes the source pages of Web application, extracts taint to execution parameters’ constructed path and forms detection rules. The input parameters in rules are replaced by user input values during dynamic enforcement. By comparing the resulting SQL statements with the original SQL statements in the semantic and structural similarities and discrepancies, the method will determine whether SQL injection attack exists in the Web application. Experiments results show its effectiveness and feasibility since it has little effect on system performance after increasing the filtering module. |
| |
| Keywords: | SQL injection static analysis construct path detection rule Web application |
| 本文献已被 万方数据 等数据库收录! |
| 点击此处可从《计算机工程与科学》浏览原始摘要信息 |
|
点击此处可从《计算机工程与科学》下载全文 |
|
