LI Xin, ZHANG Weiwei, ZHENG Lixin. Vulnerability Detection Using Second-Order SQL Injection Combining Dynamic and Static Analysis [J]. Journal of Huaqiao University (Natural Science), 2018, 39(4): 600-605. [doi:10.11830/ISSN.1000-5013.201606110]

Second-Order SQL Injection Vulnerability Detection Combining Dynamic and Static Analysis

Journal of Huaqiao University (Natural Science) [ISSN: 1000-5013 / CN: 35-1079/N]

Volume:
Vol. 39
Issue:
2018, No. 4
Pages:
600-605
Column:
Publication date:
2018-07-18

Article Info

Title:
Vulnerability Detection Using Second-Order SQL Injection Combining Dynamic and Static Analysis
Article number:
1000-5013(2018)04-0600-06
Author(s):
LI Xin 1,2; ZHANG Weiwei 1,2; ZHENG Lixin 1,2
1. College of Engineering, Huaqiao University, Quanzhou 362021, China; 2. Universities Engineering Research Center of Fujian Province Industrial Intelligent Technology and Systems, Huaqiao University, Quanzhou 362021, China
Keywords:
vulnerability detection; second-order structured query language; static analysis; dynamic analysis; taint analysis
CLC number:
TP393
DOI:
10.11830/ISSN.1000-5013.201606110
Document code:
A
Abstract:
To detect second-order structured query language (SQL) injection vulnerabilities in Web applications effectively, a detection method combining static and dynamic analysis is proposed. Static analysis identifies the application's persistent data stores, so that tainted information can be tracked from the stage (order) that writes it to the stage that later reads it back; this solves the problem that dynamic analysis alone cannot relate the logic of different stages of a Web application. Dynamic analysis obtains metadata that locates where tainted data is persisted, solving the problem that static analysis alone cannot find the storage location of the taint. Suspected vulnerabilities are then verified by fuzzing to reduce the false-positive rate. Experimental results show that the method effectively detects second-order SQL injection vulnerabilities in applications. Compared with traditional static analysis it finds more vulnerabilities with higher detection precision and a lower false-positive rate; compared with traditional dynamic analysis it can detect multi-order vulnerabilities; and it outperforms existing second-order SQL injection detection techniques.
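The class of bug the paper targets, as an added illustration that is not the authors' tool or code: a two-stage flow in which the first stage persists attacker input safely (a parameterized INSERT, so a first-order scanner sees nothing), and the second stage reads the stored value back as "trusted" data and concatenates it into an UPDATE. The `probe_second_order` helper mimics the paper's final step of confirming a suspected sink by fuzzing: it plants a payload through the first stage, triggers the second stage, and reports whether a row the attacker does not own was modified. The schema, accounts, payload and function names are constructed for this example; it runs offline against an in-memory SQLite database.

```python
"""Second-order SQL injection: a value that was stored safely becomes the
injection vector in a later query. Added example, not the paper's code.
Schema, accounts and payload are constructed for illustration."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Fresh in-memory database with one privileged account (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users (username, password, role) "
        "VALUES ('admin', 'S3cret!', 'admin')"
    )
    conn.commit()
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> int:
    """First stage (order 1). The INSERT is parameterized, so a payload in
    `username` is harmless here: it is simply persisted verbatim. This table is
    the persistent store that links the two stages."""
    cur = conn.execute(
        "INSERT INTO users (username, password, role) VALUES (?, ?, 'user')",
        (username, password),
    )
    conn.commit()
    return cur.lastrowid


def change_password_vulnerable(conn: sqlite3.Connection, user_id: int,
                               new_password: str) -> str:
    """Second stage (order 2), vulnerable. The username is read back from the
    database and, being treated as trusted, concatenated into the UPDATE.
    Returns the SQL text that was executed so the effect can be inspected."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (
        new_password, username)
    conn.execute(sql)
    conn.commit()
    return sql


def change_password_fixed(conn: sqlite3.Connection, user_id: int,
                          new_password: str) -> str:
    """Second stage, hardened: the same query shape, but both values are bound
    as parameters, so a stored payload is compared literally, never parsed."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    sql = "UPDATE users SET password = ? WHERE username = ?"
    conn.execute(sql, (new_password, username))
    conn.commit()
    return sql


def password_of(conn: sqlite3.Connection, username: str) -> str:
    (pw,) = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return pw


def probe_second_order(change_fn, payload: str = "admin' -- ") -> bool:
    """Fuzz-style confirmation of a suspected second-order sink: plant `payload`
    through the first stage, trigger the second stage on the attacker's own
    account, and report whether a row the attacker does not own changed.
    The payload comments out the closing quote so the WHERE clause targets
    'admin' instead of the attacker's literal username."""
    conn = setup_db()
    before = password_of(conn, "admin")
    attacker_id = register(conn, payload, "attacker-pw")
    change_fn(conn, attacker_id, "pwned")
    return password_of(conn, "admin") != before


if __name__ == "__main__":
    print("vulnerable sink confirmed:", probe_second_order(change_password_vulnerable))
    print("hardened sink confirmed:  ", probe_second_order(change_password_fixed))
```

The point a scanner has to capture is that `register` is clean in isolation and `change_password_vulnerable` has no request parameter flowing into it; only by connecting the INSERT's column to the later SELECT of the same column (the persistent-store link the abstract describes) does the taint path become visible, and only by running the probe does the finding stop being a suspicion.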

References:

[1] OWASP Foundation. OWASP Top Ten Project [EB/OL]. [2016-05-23]. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
[2] 乐德广, 李鑫, 龚声蓉, et al. Research on novel second-order SQL injection techniques [J]. Journal on Communications (通信学报), 2015, 36(S1): 85-93. DOI: 10.11959/j.issn.1000-436x.2015285.
[3] AMIT Y, BESKROVNY E, TRIPP O. Detection of second order vulnerabilities in web services: US, 20130167237A1 [P]. 2013-06-27.
[4] DAHSE J, HOLZ T. Static detection of second-order vulnerabilities in web applications [C]// 23rd USENIX Security Symposium. San Diego: USENIX, 2014: 989-1003.
[5] 闫璐. Research on detection methods for second-order SQL injection vulnerabilities in Web applications [D]. Tianjin: Tianjin University, 2014: 1-39.
[6] SWARUP S, KAPOOR R K. Web vulnerability scanner (WVS): A tool for detecting web application vulnerabilities [J]. International Journal of Engineering Research, 2014, 3(2): 126-131. DOI: 10.17950/ijer/v3s2/219.
[7] VIEGA J, BLOCH J T, KOHNO Y, et al. ITS4: A static vulnerability scanner for C and C++ code [C]// 16th Annual Computer Security Applications Conference. New York: IEEE Press, 2000: 257-267.
[8] CLARKE J. SQL Injection Attacks and Defense (Chinese edition, SQL注入攻击与防御) [M]. Beijing: Tsinghua University Press, 2013: 100-101.
[9] JOVANOVIC N, KRUEGEL C, KIRDA E. Pixy: A static analysis tool for detecting web application vulnerabilities [C]// IEEE Symposium on Security and Privacy. New York: IEEE Press, 2006: 258-263. DOI: 10.1109/SP.2006.29.
[10] 潘古兵, 周彦晖. XSS vulnerability discovery based on static analysis and dynamic detection [J]. Computer Science (计算机科学), 2012, 39(B6): 51-53.
[11] BRAVENBOER M, SMARAGDAKIS Y. Strictly declarative specification of sophisticated points-to analyses [J]. ACM SIGPLAN Notices, 2009, 44(10): 243-262. DOI: 10.1145/1640089.1640108.
[12] 吴世忠, 郭涛, 董国伟, et al. Software Vulnerability Analysis Techniques (软件漏洞分析技术) [M]. Beijing: Science Press, 2014: 79-115.
[13] KILDALL G A. A unified approach to global program optimization [C]// Proceedings of the 1st Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages. New York: ACM, 1973: 194-206. DOI: 10.1145/512927.512945.
[14] 林姗, 郑朝霞. Research and application of lattice-based data flow analysis [J]. Journal of Wuhan University of Technology (Information & Management Engineering), 2011, 33(6): 932-935. DOI: 10.3963/j.issn.1007-144X.2011.06.021.

Memo:
Received: 2016-06-02
Corresponding author: 张维纬 (ZHANG Weiwei) (1982-), male, lecturer, Ph.D.; research interests: information security and cloud computing. E-mail: weiweizh@hqu.edu.cn.
Funding: Natural Science Foundation of Fujian Province (2015J05125); Special Project of the Science and Technology Department of Fujian Province (2013H2002); Quanzhou Science and Technology Plan Project (2014Z112); Huaqiao University Graduate Research Innovation Ability Cultivation Program (1400422005); Huaqiao University Research Fund (13BS415)
Last Update: 2018-07-20