Authors: YOU Feng [1], WANG Wei-Yang, SHANG Ying [1] (尤枫, 王维扬, 尚颖) (College of Information Science and Technology, Beijing University of Chemical Technology, Beijing 100029, China)
Affiliation: [1] College of Information Science and Technology, Beijing University of Chemical Technology, Beijing 100029, China
Source: Computer Systems & Applications (《计算机系统应用》), 2020, No. 8, pp. 144-151 (8 pages)
Funding: National Natural Science Foundation of China (61672085).
Abstract: SQL injection vulnerabilities have long been one of the main threats to Web application security. Among them, second-order SQL injection vulnerabilities are more subtle and more destructive than first-order ones, and their detection usually depends on the tester's prior knowledge and experience. At present, in the black-box testing scenario, where no source code is available, there is no effective detection method for this class of vulnerability. Drawing on the idea of model-based test case generation, this study proposes a test suite generation method based on a Client Behavior Model (CBMTG) to produce a test suite capable of detecting second-order SQL injection vulnerabilities in Web applications. CBMTG works in three steps: first, the mapping between transitions and SQL statements is established by executing an initial test suite; then, the topological relationship between transitions is established through field analysis of those SQL statements; finally, the final test suite is generated under the guidance of that topological relationship. Experimental results show that the proposed method performs better than the state-of-the-art second-order SQL injection vulnerability detection methods on most of the Web applications tested.
Keywords: Web application testing; model; model-based testing; second-order SQL injection; test suite generation
Classification: TP393.08 [Automation and Computer Technology: Computer Application Technology]