{"title":"消除SQL注入攻击——一个透明的防御机制","authors":"M. Muthuprasanna, Ke Wei, S. Kothari","doi":"10.1109/WSE.2006.9","DOIUrl":null,"url":null,"abstract":"The widespread adoption of Web services as an instant means of information dissemination and various other transactions, has essentially made them a key component of today's Internet infrastructure. Web-based systems comprise both of infrastructure components and of application-specific code. Various organizations have started extensively deploying intrusion detection/prevention systems and Firewalls as a means of securing their vital installations. However, very little emphasis is laid on securing the applications that run on these systems, apart from frequent updates and patching. SQL-injection attacks are a class of attacks that many of these systems are highly vulnerable to, and there is no known fool-proof defense against such attacks. In this paper, we propose a technique, which combines static application code analysis with runtime validation to detect the occurrence of such attacks. The deployment of this technique eliminates the need to modify source code of application scripts, additionally allowing seamless integration with currently-deployed systems. We provide various optimizations improving overall efficiency, and also preliminary evaluation of prototype developed","PeriodicalId":174396,"journal":{"name":"2006 Eighth IEEE International Symposium on Web Site Evolution (WSE'06)","volume":"37 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-09-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"53","resultStr":"{\"title\":\"Eliminating SQL Injection Attacks - A Transparent Defense Mechanism\",\"authors\":\"M. Muthuprasanna, Ke Wei, S. Kothari\",\"doi\":\"10.1109/WSE.2006.9\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The widespread adoption of Web services as an instant means of information dissemination and various other transactions, has essentially made them a key component of today's Internet infrastructure. Web-based systems comprise both of infrastructure components and of application-specific code. Various organizations have started extensively deploying intrusion detection/prevention systems and Firewalls as a means of securing their vital installations. However, very little emphasis is laid on securing the applications that run on these systems, apart from frequent updates and patching. SQL-injection attacks are a class of attacks that many of these systems are highly vulnerable to, and there is no known fool-proof defense against such attacks. In this paper, we propose a technique, which combines static application code analysis with runtime validation to detect the occurrence of such attacks. The deployment of this technique eliminates the need to modify source code of application scripts, additionally allowing seamless integration with currently-deployed systems. We provide various optimizations improving overall efficiency, and also preliminary evaluation of prototype developed\",\"PeriodicalId\":174396,\"journal\":{\"name\":\"2006 Eighth IEEE International Symposium on Web Site Evolution (WSE'06)\",\"volume\":\"37 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2006-09-23\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"53\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2006 Eighth IEEE International Symposium on Web Site Evolution (WSE'06)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/WSE.2006.9\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2006 Eighth IEEE International Symposium on Web Site Evolution (WSE'06)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WSE.2006.9","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Eliminating SQL Injection Attacks - A Transparent Defense Mechanism
The widespread adoption of Web services as an instant means of information dissemination and various other transactions, has essentially made them a key component of today's Internet infrastructure. Web-based systems comprise both of infrastructure components and of application-specific code. Various organizations have started extensively deploying intrusion detection/prevention systems and Firewalls as a means of securing their vital installations. However, very little emphasis is laid on securing the applications that run on these systems, apart from frequent updates and patching. SQL-injection attacks are a class of attacks that many of these systems are highly vulnerable to, and there is no known fool-proof defense against such attacks. In this paper, we propose a technique, which combines static application code analysis with runtime validation to detect the occurrence of such attacks. The deployment of this technique eliminates the need to modify source code of application scripts, additionally allowing seamless integration with currently-deployed systems. We provide various optimizations improving overall efficiency, and also preliminary evaluation of prototype developed
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
