| 基于状态的SQL注入漏洞检测技术研究 |
| |
| 引用本文: | 李常顺,胡勇. 基于状态的SQL注入漏洞检测技术研究[J]. 信息安全与通信保密, 2012, 0(5): 72-74 |
| |
| 作者姓名: | 李常顺 胡勇 |
| |
| 作者单位: | 四川大学信息安全研究所,四川成都,610065 |
| |
| 摘 要: | SQL注入攻击是当前Web应用程序的主要安全威胁之一。传统的漏洞检测技术误报率普遍较高,文中分析了SQL注入的原理、特点,提出一种基于状态的漏洞检测模型。与传统针对错误反馈判断漏洞的方式不同,这种检测机制在一个链接输入不同的参数,通过对网站反馈的结果建立状态模型进行漏洞检测,以确定是否为注入点。这种模型不依赖于特定的数据库或者开发语言,定位注入点的准确率也更高。
|
| 关 键 词: | SQL注入 漏洞检测 状态机 向量比较 网络安全 |
Study on State-based Remote Detection Technology for SQL Injection Vulnerability |
| |
| LI Chang-shun,HU Yong. Study on State-based Remote Detection Technology for SQL Injection Vulnerability[J]. China Information Security, 2012, 0(5): 72-74 |
| |
| Authors: | LI Chang-shun HU Yong |
| |
| Affiliation: | (Institute of Information Security, Sichuan University, Chengdu Sichuan 610065, China) |
| |
| Abstract: | The SQL injection attacks now become a severe threat to the Web application. The traditional vulnerability detection technique usually generates high false alarm rate. This paper analyzes the principles and characteristics of SQL injection attack, and then proposes a state-based vulnerability detection model. Different from the traditional detection, the detection model judges vulnerability according to the feedback error message. This mechanism inputs different parameters into a link, thus establishing a state model to test whether an injection point exists in the site. This model does not rely on any database or program language, and has more accurate rate in locating the injection point. |
| |
| Keywords: | SQL injection vulnerability detection state machine vector comparison network security |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
|
