Authors: Tian Yujie [1], Zhao Zemao [1], Zhang Haichuan [1], Li Xueshuang [1]
Affiliation: [1] School of Communication Engineering, Hangzhou Dianzi University, Hangzhou, Zhejiang 310008, China
Source: Netinfo Security (信息网络安全), 2014, No. 11, pp. 70-73 (4 pages)
Funding: Zhejiang Provincial Natural Science Foundation, Distinguished Young Scholars Team Project [R109000138]
Abstract: With the rapid development of Internet technology, Web applications are in ever wider use, and database-backed Web applications in particular are deployed across a broad range of enterprise business systems. Because developers vary in skill and experience, however, many Web applications carry serious security weaknesses. Among the many factors that affect Web application security, SQL injection is the most common and the easiest to carry out, and it is generally regarded as the most damaging. Defending against SQL injection is therefore essential to Web application security, and how to defend against it more effectively has become an important research topic. SQL injection exploits the syntax of Structured Query Language itself. Traditional SQL injection defense models work by filtering user input and by comparing the syntax of SQL statements; when malicious data that has already been stored in the database is later concatenated into a dynamic SQL statement, the result is a second-order SQL injection attack. Building on previous work, this paper proposes a defense model for second-order SQL injection based on improved parameterization. The model consists of an input filtering module, an index replacement module, a syntax comparison module and a parameterized replacement module. Experiments show that the model defends effectively against second-order SQL injection attacks.
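The second-order scenario the abstract describes, as an added example that is not code from the paper and does not implement its four-module model: the registration path is already parameterized (the usual first-order defense), so a username such as `admin' --` is stored verbatim; a later password-change path reads that stored value back and concatenates it into a dynamic UPDATE, which is where the stored payload becomes SQL. The hardened variant parameterizes that second statement as well. The `users` table, the rows and the payload are constructed for illustration, and the example assumes the `sqlite3` module from the Python standard library.

```python
import sqlite3


def setup_db():
    """Constructed sample schema: one table with a single privileged account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret"))
    conn.commit()
    return conn


def register(conn, username, password):
    # First-order defense: a parameterized INSERT. The bound value is stored
    # verbatim, so "admin' --" is accepted as data and nothing is executed yet.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    conn.commit()


def change_password_vulnerable(conn, username, new_password):
    # Second-order sink: the username is read back from the database (trusted
    # because it "came from the DB") and concatenated into a dynamic UPDATE.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    stored_name = row[0]
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (
        new_password,
        stored_name,
    )
    # With stored_name == "admin' --" this becomes
    # UPDATE users SET password = 'pwned' WHERE username = 'admin' --'
    # and the trailing quote is commented out, so admin's password is changed.
    conn.execute(sql)
    conn.commit()
    return sql


def change_password_safe(conn, username, new_password):
    # Hardened variant: data read back from the database is still bound as a
    # parameter, so the stored payload never reaches the SQL parser as syntax.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    stored_name = row[0]
    conn.execute(
        "UPDATE users SET password = ? WHERE username = ?",
        (new_password, stored_name),
    )
    conn.commit()


def password_of(conn, username):
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def run_scenario(use_safe):
    """Register the payload account, then change its password through one of
    the two sinks. Returns (admin's password, payload account's password)."""
    conn = setup_db()
    payload = "admin' --"  # constructed attacker-chosen username
    register(conn, payload, "anything")
    if use_safe:
        change_password_safe(conn, payload, "pwned")
    else:
        change_password_vulnerable(conn, payload, "pwned")
    return password_of(conn, "admin"), password_of(conn, payload)


if __name__ == "__main__":
    print("vulnerable sink:", run_scenario(use_safe=False))
    print("hardened sink:  ", run_scenario(use_safe=True))
```

The point the example makes is the one the abstract draws: filtering or parameterizing only at the input boundary is not enough, because the second-order sink is fed from the database rather than from the request. Every statement that builds SQL from a value, regardless of where that value was read from, has to bind it as a parameter.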
Classification: TP393.08 [Automation and Computer Technology, Computer Application Technology]