
Software Security Design And Implementation Of Web-based Project Management Software

Posted on: 2015-05-02
Degree: Master
Type: Thesis
Country: China
Candidate: Z W Meng
Full Text: PDF
GTID: 2308330473453411
Subject: Control theory and control engineering
Abstract/Summary:
With the rapid development of Internet technology, Web systems have come into wide use. The number of Web sites that people visit in daily life is growing explosively. Moreover, Web-based enterprise management systems are increasingly used, providing the convenience of online office work and effectively improving enterprise management efficiency. However, due to the openness of the B/S structure and the statelessness of the HTTP protocol, Web systems face great security threats. More and more Web sites have been attacked by hackers, so security research on Web systems is particularly important now. Access Control and Anti SQL-Injection occupy a very important position in this research and have become its two main directions. This paper studies the security of Web systems, focusing on the design and implementation of Access Control and Anti SQL-Injection.

In the study of access control, this paper introduces the concept of access control, its basic principles, and common access control technologies with their advantages and disadvantages, and then focuses on the RBAC96 model to analyze the characteristics of the model and its range of application. To address the limitations of the traditional RBAC model, this paper, building on the research into the RBAC96 model, proposes an improved RBAC model, the Proxy RBAC model, which allows the appropriate transfer of roles between users. Finally, combined with the security needs of the specific Web system, this paper proposes a three-tier access control scheme based on the Proxy RBAC model and implements this scheme on the ASP.NET development platform, using a SQL Server database.

In the study of Anti SQL-Injection, this paper first introduces the basic concept of SQL-Injection attacks, and then analyzes the features of SQL-Injection attacks, the main attack methods and the common attack processes. On the basis of an in-depth understanding of the principle of SQL-Injection attacks, this paper focuses on an Anti SQL-Injection method based on ISAPI technology. It compares ISAPI programs with traditional CGI programs to analyze the features and advantages of ISAPI technology and to clarify the problems that ISAPI technology can solve. Finally, combined with the security needs of the specific Web system, this paper proposes a scheme that uses a firewall based on ISAPI Filter technology to prevent SQL-Injection attacks, and implements this scheme using VC++ development tools. The firewall is loaded onto the IIS Web server in the form of a dynamic link library.
Keywords/Search Tags: Security, Access Control, RBAC, Anti SQL-Injection