A novel method for SQL injection attack detection based on removing SQL query attribute values

Cited by: 66
Authors
Lee, Inyong [2 ]
Jeong, Soonki [3 ]
Yeo, Sangsoo [4 ]
Moon, Jongsub [1 ]
Affiliations
[1] Korea Univ, Dept Elect & Informat Engn, Yeonkigun 339700, Choongnam, South Korea
[2] Korea Univ, Ctr Informat Secur Technol, Seoul 136713, South Korea
[3] Korea Univ, Grad Sch Informat Secur, Seoul 136713, South Korea
[4] Mokwon Univ, Div Comp Engn, Taejon 302729, South Korea
Keywords
SQL injection attack; SQL query; A combined dynamic and static method; DBMS; Web application;
DOI
10.1016/j.mcm.2011.01.050
CLC classification
TP39 [Computer applications];
Discipline classification code
081203 ; 0835 ;
Abstract
SQL injection (also called SQL insertion attack) is a code injection technique that exploits a security vulnerability in the database layer of an application or service. It is most often found in web pages with dynamic content. This paper proposes a very simple and effective detection method for SQL injection attacks. When parameters are submitted to a web page, the method removes the attribute values from the resulting SQL query and compares the remaining query structure with a predetermined one. The method combines static and dynamic analysis. The experiments show that the proposed method is more effective and simpler than other methods. (C) 2011 Elsevier Ltd. All rights reserved.
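The following is an added illustration of the detection idea described in the abstract; it is not code from the paper or its authors. The attribute values of a query (string and numeric literals) are replaced by placeholders, and the resulting skeleton is compared with the skeleton of the query the application intended to run. The value matcher here is a deliberately simple regular expression, the table and column names, the query template and the sample requests are constructed for the example, and the static part (the predetermined skeleton) is assumed to be derived from the application's parameterised query template.

```python
import re

# Literal "attribute values" that the method strips from a query:
# single-quoted strings (with '' as the escaped quote) and numbers.
# Simplified matcher for illustration; a real deployment would use a SQL parser.
_VALUE_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def strip_values(query: str) -> str:
    """Return the query's skeleton: every literal replaced by '?',
    whitespace collapsed, keywords case-folded."""
    skeleton = _VALUE_RE.sub("?", query)
    return " ".join(skeleton.split()).lower()


def expected_skeleton(template: str) -> str:
    """Static part: the skeleton of the application's intended query,
    computed once from its parameterised template (constructed template)."""
    return strip_values(template)


def is_injection(runtime_query: str, expected: str) -> bool:
    """Dynamic part: compare the skeleton of the query actually built
    at runtime with the predetermined one. Any structural difference
    (an extra OR, a comment marker, an added predicate) is reported."""
    return strip_values(runtime_query) != expected


def build_login_query(user_id: str, name: str) -> str:
    """Constructed example of a query built by string concatenation,
    the kind of code the detection is meant to protect."""
    return f"SELECT * FROM users WHERE id = {user_id} AND name = '{name}'"


def check_request(user_id: str, name: str) -> dict:
    """Run the detection on one request and return what a log entry would hold."""
    query = build_login_query(user_id, name)
    expected = expected_skeleton("SELECT * FROM users WHERE id = ? AND name = ?")
    return {
        "query": query,
        "skeleton": strip_values(query),
        "expected": expected,
        "injection": is_injection(query, expected),
    }


if __name__ == "__main__":
    # Constructed sample requests: two benign (one with an escaped apostrophe),
    # three that change the query structure.
    for uid, name in [("42", "alice"), ("42", "O''Brien"),
                      ("42", "' OR '1'='1"), ("42 OR 1=1", "alice"),
                      ("42", "admin'--")]:
        r = check_request(uid, name)
        print(("ATTACK " if r["injection"] else "ok     ") + r["query"])
```

Note that a legitimately escaped apostrophe (`O''Brien`) leaves the skeleton unchanged and is not flagged, while injected input changes the structure (an extra `OR ?=?` or a trailing `--'`) and is reported; this is why the comparison works on structure rather than on the values themselves.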
Pages: 58 / 68
Page count: 11