Detection and Prevention of SQL Injection Vulnerabilities Based on Penetration Testing
Published: 2018-08-27 10:48
[Abstract]: With the further spread of the Internet and the rapid development of computer network technology, Web technology has come into wide use. Application systems built on Web technology and a database architecture have gradually become mainstream and are widely used in enterprises' internal and external business systems. Along with this, however, the security risks facing Web application systems grow by the day. Web security penetration testing is a proactive defensive technique for Web applications: before the application comes under attack, it probes the target system by simulating the way hackers attack Web applications. Among the many means of attacking Web applications, SQL injection is the most commonly used and the easiest to carry out. Therefore, doing intrusion detection and prevention against SQL injection attacks well, so as to ensure the security of the whole information infrastructure, is key to the secure use of Web application systems and is also an important research topic in network security. For these reasons, this thesis studies prevention techniques and detection tools for SQL injection vulnerabilities, compares the detection results of typical tools through experiments, summarizes the detection characters used by common detection tools, and finally improves and consolidates the existing SQL injection vulnerability detection characters. In addition, using the characters commonly used in SQL injection attacks and building on the automated testing tool Selenium, the thesis proposes an automated detection technique for SQL injection vulnerabilities. Experiments show that test cases written with this technique can identify SQL injection attacks to a certain extent and have some ability to identify unknown SQL injection points that may exist in a Web application system. This offers a direction for thought and a reference for research on automated testing of SQL injection vulnerabilities.
[Degree-granting institution]: Donghua University
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP311.13; TP393.08
Article ID: 2207043
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2207043.html