System and method for safety testing based on database injection testing

A security-testing and database technology, applied in the fields of electrical digital data processing, computer security devices and instruments, that addresses the problems of increased security-testing time, inconvenient security-testing work and overly simple test statements, and achieves high efficiency.

Inactive Publication Date: 2017-09-08
SICHUAN CHANGHONG ELECTRIC CO LTD

AI Technical Summary

Problems solved by technology

In security testing, database injection testing is a frequently used method. Testers use it to simulate a hacker's attack and verify whether the URL under test places user-submitted parameters directly into the SQL statement without filtering, so that special characters in the parameters break the original logic of the SQL statement and a hacker could exploit the vulnerability to execute arbitrary SQL statements; correcting such findings raises the security level of the website under test. However, many cloud business systems have deployed a WAF, or have data-validation code deployed in the cloud. Because the WAF or the cloud business security code filters many common special characters, the specially constructed database injection statement cannot be parsed correctly, and the database statement generated and submitted by the cloud business system is not legally executed by the back-end database, so the database injection test fails. Current database injection test statements either provide only basic special characters or only a simple database construction statement, and are only usable where there is no WAF or no database injection filtering mechanism; many of these statements are too simple and increase the time needed for security testing. Taking the popular database injection tools D and Ming Xiaozi as examples, their database injection test statements are just simple single quotes, and, or and similar statements; because of the WAF, these special words are usually escaped, and the database statement generated by the cloud business system cannot be legally executed after being submitted to the database, which brings much inconvenience to the testing work.
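The passage above makes a defensive point worth seeing concretely: a filter that blocks special characters only in their literal form is bypassed by the same characters in an encoded form, which is exactly why a test harness that varies encodings finds injection points that a naive WAF misses. The following added example (written for this page, not code from the patent or its assignee) contrasts a literal-character filter with one that first canonicalizes the parameter (bounded URL and HTML-entity decoding), and then shows the real mitigation, a parameterized query, on an in-memory SQLite table. All parameter values, the regular expression and the function names are constructed for the example.

```python
import html
import re
import sqlite3
from urllib.parse import unquote

# Special characters a simple WAF rule blocks when they appear verbatim
# (the single quote and comment tokens the page mentions; constructed rule).
SQL_META = re.compile(r"['\"]|--|/\*")


def naive_filter_blocks(value: str) -> bool:
    """Blocks only when the metacharacters appear literally in the raw parameter."""
    return SQL_META.search(value) is not None


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Repeatedly URL-decode and HTML-entity-decode until the value stops changing.
    The round count is bounded so a crafted input cannot keep the loop busy."""
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def canonical_filter_blocks(value: str) -> bool:
    """Applies the same rule, but to the canonical (fully decoded) form."""
    return SQL_META.search(canonicalize(value)) is not None


# Constructed sample parameter values: the same quote-breaking input in
# literal, URL-encoded, double-URL-encoded and HTML-entity-encoded form.
CONSTRUCTED_PARAMS = {
    "plain": "42",
    "literal": "42' OR '1'='1",
    "url_encoded": "42%27%20OR%20%271%27%3D%271",
    "double_url": "42%2527%2520OR%2520%25271%2527%253D%25271",
    "html_entity": "42&#39; OR &#39;1&#39;=&#39;1",
}


def compare_filters(params=CONSTRUCTED_PARAMS):
    """Returns {name: (naive_blocks, canonical_blocks)} for each sample value."""
    return {name: (naive_filter_blocks(v), canonical_filter_blocks(v))
            for name, v in params.items()}


def lookup_user(user_id_param: str) -> list:
    """The real fix: a parameterized query binds the value through the driver,
    so quotes in the parameter are data and never reach the SQL parser."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("42", "alice"), ("7", "bob")])
    rows = conn.execute("SELECT name FROM users WHERE id = ?",
                        (user_id_param,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for name, (naive, canonical) in compare_filters().items():
        print(f"{name:12s} naive_blocks={naive!s:5s} canonical_blocks={canonical}")
    print(lookup_user("42"))
    print(lookup_user(canonicalize(CONSTRUCTED_PARAMS["url_encoded"])))
```

Running the block shows the naive rule passing every encoded variant that the canonicalizing rule catches, and the parameterized lookup returning no row for the decoded injection string because it is compared as a plain value. A WAF that decodes before matching closes the encoding gap the patent relies on for its traversal; only parameterized queries remove the injection point itself.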


Embodiment

[0024] As shown in figure 1, a security testing system based on database injection testing includes a cloud-side defended business system and several clients. Each client is connected to the cloud-side defended business system through network communication and includes a response monitoring module, a message identification module, an information collection module, an information construction module and an information sending module. The client contains a service system to be tested; the service system to be tested includes a request message, and the request message includes response data and data flow information. The cloud-side defended business system is used for database injection testing. The client is installed on or integrated into the target to be tested in the form of a software development kit (SDK); the target to be tested may be a website, a server, a terminal device or an application software.

[0025] The response monitoring module is us...


Abstract

The invention discloses a system and method for safety testing based on database injection testing. The system comprises a cloud-side defended service system and multiple clients, where the clients are connected to the cloud-side defended service system over the network and each client comprises a response monitoring module, a message recognition module, an information collection module, an information construction module and an information sending module; the client comprises a to-be-tested service system, the to-be-tested service system comprises a request message, and the request message comprises response data and data flow information; and the cloud-side defended service system is used for the database injection testing. According to the invention, database injection construction methods of multiple types and encoding manners can be traversed quickly and automatically during cloud-side database injection testing; manual judgment of the database filtering mechanism is omitted; and the safety testing becomes efficient, rapid and accurate.

Description

Technical field

[0001] The invention relates to the technical field of computer software information, in particular to a security testing system and method based on database injection testing.

Background technique

[0002] With the development of network and computer software information technology, network security has attracted more and more attention, and related security testing has become more and more necessary. In security testing, database injection testing will be used as a frequently used security testing method. Testers can use this method to simulate hackers to attack and verify whether the tested URL directly puts the parameters submitted by the user into the SQL statement without filtering. As a result, the special characters in the parameters break the original logic of the SQL statement, and the hacker exploits this vulnerability to execute any SQL statement, thereby improving the security level of the website under test; however, many cloud bus...


Application Information

IPC (8): G06F21/57
CPC: G06F21/577; G06F2221/034
Inventor 丁锐常清雪师洛蓓
Owner SICHUAN CHANGHONG ELECTRIC CO LTD