一种针对SQL注入攻击的web应用加固安全分析工具

2013 10th International ISC Conference on Information Security and Cryptology (ISCISC) Pub Date : 2013-08-01 DOI:10.1109/ISCISC.2013.6767326

Z. Lashkaripour, A. G. Bafghi

{"title":"一种针对SQL注入攻击的web应用加固安全分析工具","authors":"Z. Lashkaripour, A. G. Bafghi","doi":"10.1109/ISCISC.2013.6767326","DOIUrl":null,"url":null,"abstract":"In SQLIA, attacker injects an input in the query in order to change the structure of the query intended by the programmer and therefore, gain access to the data in the underlying database. Due to the significance of the stored data, web application's security against SQLIA is vital. In this paper we propose a tool that is capable of reporting the transformations needed to reinforce the security of a Java-based web application and its database against SQLIAs. This tool which is based on static analysis and runtime validation uses our new technique for detection and prevention of SQLIAs. In our technique user inputs in SQL queries are removed and some information is gathered in order to make the detection easier and faster at runtime. According to these information the tool reports the transformations needed and the location of the transformations in source code and therefore after applying the transformations the result would be a reinforced web application against SQLIAs.","PeriodicalId":265985,"journal":{"name":"2013 10th International ISC Conference on Information Security and Cryptology (ISCISC)","volume":"86 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":"{\"title\":\"A security analysis tool for web application reinforcement against SQL injection attacks (SQLIAs)\",\"authors\":\"Z. Lashkaripour, A. G. Bafghi\",\"doi\":\"10.1109/ISCISC.2013.6767326\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In SQLIA, attacker injects an input in the query in order to change the structure of the query intended by the programmer and therefore, gain access to the data in the underlying database. Due to the significance of the stored data, web application's security against SQLIA is vital. In this paper we propose a tool that is capable of reporting the transformations needed to reinforce the security of a Java-based web application and its database against SQLIAs. This tool which is based on static analysis and runtime validation uses our new technique for detection and prevention of SQLIAs. In our technique user inputs in SQL queries are removed and some information is gathered in order to make the detection easier and faster at runtime. According to these information the tool reports the transformations needed and the location of the transformations in source code and therefore after applying the transformations the result would be a reinforced web application against SQLIAs.\",\"PeriodicalId\":265985,\"journal\":{\"name\":\"2013 10th International ISC Conference on Information Security and Cryptology (ISCISC)\",\"volume\":\"86 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-08-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"5\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2013 10th International ISC Conference on Information Security and Cryptology (ISCISC)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ISCISC.2013.6767326\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 10th International ISC Conference on Information Security and Cryptology (ISCISC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISCISC.2013.6767326","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 5

摘要

在SQLIA中，攻击者在查询中注入一个输入，以便更改程序员想要查询的结构，从而获得对底层数据库中数据的访问权。由于所存储数据的重要性，web应用程序对SQLIA的安全性至关重要。在本文中，我们提出了一个工具，它能够报告需要的转换，以加强基于java的web应用程序及其数据库对sqlia的安全性。该工具基于静态分析和运行时验证，使用我们的新技术来检测和预防sqlia。在我们的技术中，删除SQL查询中的用户输入，并收集一些信息，以便在运行时更容易、更快地进行检测。根据这些信息，工具报告所需的转换和转换在源代码中的位置，因此在应用转换之后，结果将是针对sqlia的增强web应用程序。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

A security analysis tool for web application reinforcement against SQL injection attacks (SQLIAs)

In SQLIA, attacker injects an input in the query in order to change the structure of the query intended by the programmer and therefore, gain access to the data in the underlying database. Due to the significance of the stored data, web application's security against SQLIA is vital. In this paper we propose a tool that is capable of reporting the transformations needed to reinforce the security of a Java-based web application and its database against SQLIAs. This tool which is based on static analysis and runtime validation uses our new technique for detection and prevention of SQLIAs. In our technique user inputs in SQL queries are removed and some information is gathered in order to make the detection easier and faster at runtime. According to these information the tool reports the transformations needed and the location of the transformations in source code and therefore after applying the transformations the result would be a reinforced web application against SQLIAs.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2013 10th International ISC Conference on Information Security and Cryptology (ISCISC)

自引率

0.00%

发文量