
The Research Of Manual Web Penetrating Test Based On SQL Injection

Posted on: 2016-12-03
Degree: Master
Type: Thesis
Country: China
Candidate: X Wei
GTID: 2298330467492745
Subject: Network security
Abstract/Summary:
With the popularity of the Internet and the rapid development of computer networks, network applications based on the three-tier web architecture have come into wide use. More and more network applications with a B/S structure are appearing, signalling that application systems based on the browser/server architecture are gradually replacing those based on the client/server architecture as the mainstream; they are widely used in small-scale network application software and enterprise management systems. Because network attack technology develops much faster than network defense technology is renewed, and because network programmers pay insufficient attention to the details of program control, more and more network attacks and network application bugs are appearing. The security of users' property is under constant threat.

In response to increasingly rampant cyber attacks, network security engineers take the attacker's perspective and penetrate the system as an attacker would in order to evaluate the network application and architecture. This method is the penetration test. It can comprehensively detect the weaknesses of the target, provide network managers with a detailed penetration testing report, evaluate the current condition of the network, and provide detailed upgrade and reinforcement measures to improve the security level of the target network system. SQL injection, an attack in which hackers target the database server behind a network application to damage network resources and steal valuable data, is commonly an important method of penetration testing.

This article describes the concepts and principles of penetration testing and designs three injection experiments, based on Access, MySQL and MsSQL databases, to analyze SQL injection methods in detail. After analyzing the attack methods, the paper introduces code-layer defensive methods against SQL injection and one kind of application-layer defensive equipment: the web application firewall (WAF).

Finally, building on the WAF's traditional SQL injection defense module, a Database Selection module is added, which allows the WAF to defend applications based on different databases.
Keywords/Search Tags: network security, three-tier web architecture, penetrating test, SQL injection