SQL injection vulnerability automatic detection platform and method based on adaptive random test

Abstract

The invention relates to an SQL (Structured Query Language) injection vulnerability automatic detection platform and method based on self-adaptive random test. The detection platform runs on a Ubuntu 14.10 operating system. According to the detection platform, test cases are initialized; feature vectors of the test cases are analyzed and extracted; the test cases are subjected to vectorization representation; the test cases are sent to a test target by using an HTTP (Hyper Text Transport Protocol) request; a response of the test target is recorded; according to the response, whether an SQL injection vulnerability is found is determined; distances between the test cases are calculated; test cases for carrying out test next time are adaptively selected. The detection platform creatively proposes to use a self-adaptive random test method, and supports to rapidly and automatically detect the target in a customized mode; on the basis of arranging the rich test cases in the platform, users can add test cases according to use demands of the users, and the platform can automatically complete initialization, variation, feature extraction and calculation on the test cases, so that the optimal test effect is achieved.

Description

technical field [0001] The invention relates to a Sql injection vulnerability automatic detection platform and method based on self-adaptive random testing, belonging to the technical field of information security. Background technique [0002] Sql (database) injection vulnerability is a common vulnerability in web applications. Due to the incomplete verification of user input by the application, malicious statements illegally entered by users are correctly executed in the database, exposing database information. According to the survey report of the Open Web Application Project, injection vulnerabilities have been ranked among the top 10 most harmful web security vulnerabilities for many years. Due to the harmfulness and pervasiveness of Sql injection vulnerabilities, many researchers have proposed various models and methods for detection and prevention of such security vulnerabilities. Currently commonly used methods are mainly through static analysis, user input filterin...

AI Technical Summary

Problems solved by technology

[0003] Although this method can effectively find the loopholes in the application, this method has some relatively large challenges in practical application: (1) the test case space is huge, (2) the effective test cases are sparse, (3) Test cases are expensive to run

Since there are many types of Sql injection vulnerabilities, user input cannot be expected. During the testing process, in order to find software vulnerabilities more effectively and comprehensively, it is usually necessary to generate a large number of test cases. Among these test cases, the test cases that can effectively trigger vulnerabilities are very Therefore, it will take a lot of time to detect whether there are vulnerabilities in the application by executing the test cases one by one with the ordinary fuzzing method.

Images