基于Fuzzing的SQL注入漏洞检测系统研究与实现

发布时间：2018-04-05 08:00

本文选题：Fuzzing　切入点：漏洞检测　出处：《大连海事大学》2017年硕士论文

【摘要】：随着网络技术的迅速发展,Web技术被广泛应用到了各个领域,比如网上购物、缴费充值、网上银行以及各种社交网站。这些Web应用给我们带来便利的同时也存在一定的安全隐患。因为开发系统的程序员技术水平不同,导致其开发的Web应用难免会存在漏洞,SQL注入漏洞是最常见的漏洞之一。黑客往往会利用这些漏洞通过SQL注入的方式挖掘用户信息,盗取敏感数据以谋取巨大利益。所以,对于检测SQL注入漏洞问题的研究有非常重要的现实意义。本文首先介绍Web应用在安全问题上的严峻形势,研究和学习国内外在检测Web应用SQL注入漏洞方面所使用方法的优点并分析它们的不足,了解SQL注入漏洞产生的原因、SQL注入攻击原理以及常用的SQL注入漏洞检测方法。针对目前存在的SQL注入漏洞检测系统存在漏报、误报率高的问题,采用多线程的爬虫技术,并使用MD5算法对爬取的链接进行过滤和去重;提出一种基于Fuzzing技术的生成测试用例方法。首先,根据用例特征的不同建立不同的特征模板。然后,随机组合这些测试用例特征模板,动态生成许多的测试用例。最后,根据Web应用过滤规则生成变形规则对测试用例进行变形处理。这样,测试用例就可以绕过Web应用的过滤机制,提高检测出漏洞的准确率;采用基于DOM树序列值比对的页面对比算法检测是否存在漏洞;通过使用漏洞量化评估方法,对Web应用的安全状况进行量化评估,判断该Web应用的安全等级。在此基础上,设计并实现基于Fuzzing的SQL注入漏洞检测系统。将本文设计实现的系统与其他检测工具进行对比实验,并通过检出量、漏报率以及误报率三个评价指标进行对比分析。实验结果表明本文实现的SQL注入漏洞检测系统能够较准确地检测出漏洞,能够有效降低漏洞的漏报率和误报率。
[Abstract]:With the rapid development of network technology, Web technology has been widely used in various fields, such as online shopping, charging, online banking and various social networking sites.These Web applications bring us convenience, but also there are certain security risks.Because of the different technical level of the programmers in the development system, it is inevitable that there will be vulnerabilities in the Web applications developed by them. SQL injection vulnerability is one of the most common vulnerabilities.Hackers often exploit these vulnerabilities to mine user information through SQL injection and steal sensitive data for huge profits.Therefore, the research on detecting SQL injection vulnerability has very important practical significance.This paper first introduces the severe situation of Web application in security issues, studies and studies the advantages and disadvantages of the methods used in detecting SQL injection vulnerabilities in Web applications, and analyzes their shortcomings.Understand the cause of SQL injection vulnerability and the principle of SQL injection vulnerability detection.Aiming at the problem of high false alarm rate and false alarm rate in the existing SQL injection vulnerability detection system, the crawler technique of multi-thread is adopted, and the MD5 algorithm is used to filter and remove the crawling link.A test case generation method based on Fuzzing technology is proposed.Firstly, different feature templates are established according to the features of use cases.Then, these test case feature templates are randomly combined to generate many test cases dynamically.Finally, the test cases are deformed according to the deformation rules generated by the filter rules applied by Web.In this way, test cases can bypass the filtering mechanism of Web application, improve the accuracy of detecting vulnerabilities; use page comparison algorithm based on DOM tree sequence value alignment to detect whether there are vulnerabilities;The security status of Web application is evaluated quantitatively and the security grade of the Web application is judged.On this basis, SQL injection vulnerability detection system based on Fuzzing is designed and implemented.The system designed and implemented in this paper is compared with other detection tools, and compared with three evaluation indexes: detection quantity, false alarm rate and false alarm rate.The experimental results show that the proposed SQL injection vulnerability detection system can detect the vulnerabilities accurately and reduce the false alarm rate and false alarm rate effectively.
【学位授予单位】：大连海事大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP393.08

【相似文献】