演示MySQL中防止注入攻击的工具

2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) Pub Date : 2017-06-01 DOI:10.1109/DSN.2017.38

Ibéria Medeiros, Miguel Beatriz, N. Neves, M. Correia

{"title":"演示MySQL中防止注入攻击的工具","authors":"Ibéria Medeiros, Miguel Beatriz, N. Neves, M. Correia","doi":"10.1109/DSN.2017.38","DOIUrl":null,"url":null,"abstract":"Despite the significant efforts put in building more secure web applications, cases of high impact breaches continue to appear. Vulnerabilities in web applications are often created due to inconsistencies in the way SQL queries are believed to be run and the way they are actually executed by a Database Management System (DBMS). This paper presents a demonstration of SEPTIC, a mechanism that detects and blocks injection attacks inside the DBMS. The demonstration considers a scenario of a non-trivial PHP web application, backed by a MySQL DBMS, which was modified to include SEPTIC. It presents how SEPTIC blocks injection attacks without compromising the application correctness and performance. In addition, SEPTIC is compared to alternative approaches, such as sanitizations carried out with standard functions provided language and a web application firewall.","PeriodicalId":426928,"journal":{"name":"2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","volume":"112 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Demonstrating a Tool for Injection Attack Prevention in MySQL\",\"authors\":\"Ibéria Medeiros, Miguel Beatriz, N. Neves, M. Correia\",\"doi\":\"10.1109/DSN.2017.38\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Despite the significant efforts put in building more secure web applications, cases of high impact breaches continue to appear. Vulnerabilities in web applications are often created due to inconsistencies in the way SQL queries are believed to be run and the way they are actually executed by a Database Management System (DBMS). This paper presents a demonstration of SEPTIC, a mechanism that detects and blocks injection attacks inside the DBMS. The demonstration considers a scenario of a non-trivial PHP web application, backed by a MySQL DBMS, which was modified to include SEPTIC. It presents how SEPTIC blocks injection attacks without compromising the application correctness and performance. In addition, SEPTIC is compared to alternative approaches, such as sanitizations carried out with standard functions provided language and a web application firewall.\",\"PeriodicalId\":426928,\"journal\":{\"name\":\"2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)\",\"volume\":\"112 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-06-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/DSN.2017.38\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN.2017.38","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

摘要

尽管在构建更安全的web应用程序方面付出了巨大的努力，但高影响的违规事件仍在继续出现。web应用程序中的漏洞通常是由于SQL查询的运行方式与数据库管理系统(DBMS)实际执行方式的不一致而产生的。本文展示了一种检测和阻止DBMS内部注入攻击的机制。该演示考虑了一个重要的PHP web应用程序的场景，该应用程序由MySQL DBMS支持，该应用程序被修改为包含了SEPTIC。它介绍了如何在不影响应用程序正确性和性能的情况下阻止注入攻击。此外，还将与其他方法进行比较，例如使用提供的语言和web应用程序防火墙的标准函数执行的检查。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Demonstrating a Tool for Injection Attack Prevention in MySQL

Despite the significant efforts put in building more secure web applications, cases of high impact breaches continue to appear. Vulnerabilities in web applications are often created due to inconsistencies in the way SQL queries are believed to be run and the way they are actually executed by a Database Management System (DBMS). This paper presents a demonstration of SEPTIC, a mechanism that detects and blocks injection attacks inside the DBMS. The demonstration considers a scenario of a non-trivial PHP web application, backed by a MySQL DBMS, which was modified to include SEPTIC. It presents how SEPTIC blocks injection attacks without compromising the application correctness and performance. In addition, SEPTIC is compared to alternative approaches, such as sanitizations carried out with standard functions provided language and a web application firewall.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

自引率

0.00%

发文量