Injection point extracting method in SQL (Structured Query Language) injection vulnerability detection

A technology of vulnerability detection and extraction method, applied in software testing/debugging, instrumentation, electrical digital data processing, etc., can solve problems such as poor accuracy, and achieve the effect of improving accuracy, improving coverage, and solving false negatives.

Inactive Publication Date: 2012-12-19
NORTHWESTERN POLYTECHNICAL UNIV
View PDF3 Cites 39 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0007] In order to overcome the deficiency of the poor accuracy of the SQL injection vulnerability detection method in the existing Web environment, the present invention provides a method for extracting the injection point in the SQL injection vulnerability detection
Due to the addition of the parsing and processing process for web page scripts, accurate extraction of URLs in complex web pages can solve the problem of false negatives in tradi

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Injection point extracting method in SQL (Structured Query Language) injection vulnerability detection
  • Injection point extracting method in SQL (Structured Query Language) injection vulnerability detection
  • Injection point extracting method in SQL (Structured Query Language) injection vulnerability detection

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0026] The specific steps of the injection point extraction method in the SQL injection vulnerability detection of the present invention are as follows:

[0027] 1. Pretreatment.

[0028] Download web pages according to the starting URL of the tested website, and preprocess the downloaded web pages. The purpose of preprocessing is to reduce the complexity of subsequent steps, while providing data needed for subsequent processing. The preprocessing work includes two parts: analyzing the Frame page and obtaining Cookies. If the web page contains a frame set, the pages in the frame set are downloaded together. At the same time, the cookies set by the web application system are saved, and the saved cookies are used as materials for constructing HTTP data packets in subsequent tests.

[0029] 2. Distinguish the types of web pages.

[0030] In order to simplify processing, this method is based on whether the HTML source code of the web page contains " when processing web pages. "Tag pa...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention discloses an injection point extracting method in SQL (Structured Query Language) injection vulnerability detection, which is used for solving the technical problem of poor accuracy of the traditional method in the SQL injection vulnerability detection under a Web environment. According to the technical scheme, the injection point extracting method comprises the steps of: firstly, preprocessing a downloaded webpage, dividing the webpage into a simple webpage and a complex webpage, extracting a data injection point of the simple webpage, extracting a data injection point of the complex webpage, extracting a test case through constructing the test case, analyzing service response, and establishing a decision rule of an SQL injection vulnerability. According to the invention, starting from obtaining the data injection points of a Web application system, through constructing the targeted test case, the used test case is used for carrying out character string, numerical value, annotation and delay testing according to the types and the parameter compositions of the data injection points, thus the test of the injection vulnerability caused by simple filtration of URL (Uniform Resource Locator) parameters and table submitted data is effectively dealt; and through analysis response, the established decision rule of the SQL injection vulnerability is improved in testing accuracy.

Description

Technical field [0001] The invention belongs to the field of Web application system security vulnerability detection, and particularly relates to an injection point extraction method in SQL injection vulnerability detection. Background technique [0002] Structured query language (hereinafter referred to as SQL) injection attack is a widely used and highly threatening Web attack technology, and it is listed as the top ten Web application system security threats of OWASP (Open Web Application Security Project). The basic idea is to construct an attack payload that can deceive the interpreter by guessing and verifying the SQL execution logic of the target system, executing offensive commands or accessing unauthorized data. This attack method is highly concealed, and the attacked Web application system may leak or destroy sensitive information, causing a very serious impact on normal business. [0003] The traditional SQL injection detection technology mainly adopts the analysis met...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
IPC IPC(8): G06F21/00G06F11/36
Inventor 蔡皖东马凯姚烨
Owner NORTHWESTERN POLYTECHNICAL UNIV
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap