The Design Of SQL Injection Detection Algorithm And Source Code Based Static Analysis Detection System

Posted on:2017-01-16

Degree:Master

Type:Thesis

Country:China

Candidate:B Q Zhang

Full Text:PDF

GTID:2428330503495585

Subject:Software engineering

Abstract/Summary:

PDF Full Text Request

SQL injection attacks have been proposed for more than 10 years,however,SQL injection attack was still rated the number one attack on the Open Web Application Security Project(OWASP)in 2013,and it's also one of the topmost threats for database security.The attackers can access database of a Web application,or obtain confidential data,take control and corrupt the system that hosts the Web application through embedding elaborated SQL statements,which will present a serious threat to organizations that have deployed the Web application,and also to users who trust those systems to store confidential data.With the rapid development of dynamic web applications,PHP becomes popular because it's fast,reliable and can be merged with many different types of RDBMS,and it's also a cheap option for developing and hosting applications on the web.PHP is a powerful language which can access files,execute commands and open network connections on the server.However,these properties also make anything run on a web server insecure by default.As there are several ways of utilizing PHP,there are many configuration options controlling its behavior.A large selection of options guarantees that PHP can be used for a lot of purposes.With proper runtime configuration options and coding practices,PHP can provide exactly the combination of freedom and security.This paper considers the security risks related to PHP programming language,and describes different situations which will lead to website vulnerabilities,with reference to a lot of recent related articles.It also proposes a static syntactic analysis framework for detecting SQL injections based on the matching rules,and implements the PHP source-code SQL injection attack detection algorithm.During the research,I published my article named “A PHP Source-code SQL Injection Attack Detection Algorithm Based on Taint Tracking” on Journal of Information Security Research hosted by State Information Center.The experiments show that the algorithm is effective,and it can also be extended to detect other “taint-style” web vulnerabilities.

Keywords/Search Tags:

SQL Injection, Lexical Analysis, Static Analysis, Taint Analysis, Matching Rules

PDF Full Text Request

Related items

1	Research On Detection Method Of Intent Injection Based On Taint Analysis
2	Research And Implemention Of Source Code Defect Scan Rules Based On Taint Analysis
3	Research On The Attack Detection Of SQL Injection Based On Dynamic Analysis
4	Research On Static Detection Method Of Android Security Information Flow Based On Taint Analysis
5	Research And Implementation Of Java Application Defect Positioning Technology
6	Research And Implementation Of Static Taint Analysis And Dynamic Verification On Web SQLIA Vulnerabilities
7	Research On Dynamic And Static Analysis Of Second-order SQL Injection
8	Research And Implementation On Detecting Privacy Leakage Of Android Apps Based On Static Taint Analysis
9	Verification Of The Correctness Of Static Taint Analysis For Privacy Leakage Of Android Application
10	Research Of Taint Propagation Summary For Android Programs