SQL injection vulnerability detection method and device for REST API

A vulnerability detection technology in the computer field that addresses data tampering, low efficiency in opening APIs, and the validation and filtering of user input parameters, achieving improved detection accuracy and high reliability.

Active Publication Date: 2019-01-18
ZHENGZHOU YUNHAI INFORMATION TECH CO LTD

Problems solved by technology

The original SOAP-based Web API had the disadvantages of cumbersome calls and low efficiency in opening APIs. In recent years the lightweight REST API has become popular rapidly and has gradually replaced the SOAP API as the most important API type.
[0003] However, Web APIs contain various security vulnerabilities, among which SQL injection is a serious web security vulnerability: a malicious attacker injects SQL commands into request parameters, causing the server to execute them. Generally, SQL injection leads to leakage and tampering of database data, and if the database permits the execution of operating system commands the entire database server may be compromised. For Web APIs, therefore, SQL injection is a security issue that must be prevented.
[0004] However, most current SQL injection detection methods for Web APIs target the SOAP API; there is no SQL injection detection method or corresponding tool for REST APIs. The code implementation details of REST APIs in the real Internet environment are unknown, and RESTful APIs have new calling characteristics and adopt new authentication and authorization protocols.
As a result, none of the existing detection algorithms can effectively detect SQL injection vulnerabilities in REST APIs.

Embodiment Construction

[0051] The following will clearly and completely describe the technical solutions in the embodiments of the application with reference to the drawings in the embodiments of the application. Apparently, the described embodiments are only some of the embodiments of the application, not all of them. Based on the embodiments in this application, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the scope of protection of this application.

[0052] In order to facilitate the understanding of the technical solution provided by the present application, a brief description of the research background of the technical solution of the present application is given below.

[0053] As described in the background section, because the SOAP-based Web API is cumbersome to call and inefficient to open, the lightweight REST API has become popular rapidly in recent years and has gradually replaced SOA...

Abstract

The invention discloses a SQL injection vulnerability detection method and device for a REST API. The method comprises: injecting a detection vector that readily triggers a SQL syntax error into each API in a to-be-detected API list to form a first API attack request, and then using a regular expression that matches SQL error messages to detect whether the first API attack response contains a SQL syntax error; if no syntax error is detected, injecting two API response content comparison detection vectors chosen according to the type of the API parameter, obtaining a second API attack response, a third API attack response and a normal API response, comparing the three, and detecting whether the relationship between them satisfies a preset SQL injection vulnerability condition to obtain the detection result. By injecting into the RESTful API under test both a vector that readily triggers a SQL syntax error and vectors for API response content comparison, and then checking the pattern of the corresponding API responses, the method achieves effective detection of SQL injection vulnerabilities in RESTful APIs.
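The two-stage procedure described in the abstract, written out as an added worked example (this is not code from the patent or its assignee). It is a Python detector run against an assumed in-process mock API backed by an in-memory SQLite database, so it executes offline. The SQL error-message regular expressions, the detection vectors, the parameter types and the three mock endpoints are all constructed for this example; the stage 2 condition used here (the tautology vector leaves the response unchanged while the contradiction vector changes it) is one common instance of the "preset SQL injection vulnerability condition" that the abstract leaves unspecified.

```python
import re
import sqlite3
from typing import Callable, Dict, Tuple

# A mock "API" is a function taking request parameters and returning
# (status, body). Everything runs in-process against in-memory SQLite.
Response = Tuple[int, str]
Api = Callable[[Dict[str, str]], Response]

# Stage 1 vector: an unbalanced quote, likely to break SQL syntax.
SYNTAX_ERROR_VECTOR = "'"

# Stage 1 matcher: database error messages (constructed list, not exhaustive).
SQL_ERROR_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"you have an error in your sql syntax",                # MySQL
    r"unclosed quotation mark after the character string",  # MSSQL
    r"syntax error at or near",                              # PostgreSQL
    r"\bORA-\d{5}",                                          # Oracle
    r"unrecognized token|near \".*\": syntax error",         # SQLite
)]

# Stage 2 vectors, chosen by parameter type: (true-vector, false-vector)
# pairs that differ only in a tautology versus a contradiction.
COMPARISON_VECTORS = {
    "int":    ("{v} AND 1=1",     "{v} AND 1=2"),
    "string": ("{v}' AND '1'='1", "{v}' AND '1'='2"),
}


def detect_sqli(api: Api, param: str, value: str, ptype: str) -> dict:
    """Two-stage SQL injection check on one parameter of one API."""
    # Stage 1 (error-based): inject the syntax-breaking vector and look
    # for a database error message in the response body.
    status, body = api({param: value + SYNTAX_ERROR_VECTOR})
    for pat in SQL_ERROR_PATTERNS:
        m = pat.search(body)
        if m:
            return {"vulnerable": True, "stage": "error", "evidence": m.group(0)}

    # Stage 2 (response comparison): the normal response versus the
    # responses to the true-vector and the false-vector.
    true_tpl, false_tpl = COMPARISON_VECTORS[ptype]
    normal = api({param: value})
    with_true = api({param: true_tpl.format(v=value)})
    with_false = api({param: false_tpl.format(v=value)})
    # Assumed condition: the tautology leaves the response unchanged while
    # the contradiction changes it, so the injected clause reached the DB.
    if with_true == normal and with_false != normal:
        return {"vulnerable": True, "stage": "comparison", "evidence": None}
    return {"vulnerable": False, "stage": None, "evidence": None}


# --- Constructed test doubles: three endpoints over the same users table ---

def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def vulnerable_api(leak_errors: bool) -> Api:
    """Builds the query by string concatenation (deliberately injectable).
    With leak_errors=False it returns a generic 500, which defeats stage 1
    but not stage 2."""
    con = _db()

    def handle(params: Dict[str, str]) -> Response:
        if "id" in params:
            sql = f"SELECT id, name FROM users WHERE id = {params['id']}"
        else:
            sql = f"SELECT id, name FROM users WHERE name = '{params['name']}'"
        try:
            rows = con.execute(sql).fetchall()
        except sqlite3.Error as e:
            return (500, f"database error: {e}" if leak_errors else "internal error")
        return (200, repr(rows))
    return handle


def safe_api() -> Api:
    """Parameterised query plus type validation (the hardened form)."""
    con = _db()

    def handle(params: Dict[str, str]) -> Response:
        if "id" in params:
            if not params["id"].isdigit():
                return (400, "id must be an integer")
            rows = con.execute("SELECT id, name FROM users WHERE id = ?",
                               (int(params["id"]),)).fetchall()
        else:
            rows = con.execute("SELECT id, name FROM users WHERE name = ?",
                               (params["name"],)).fetchall()
        return (200, repr(rows))
    return handle


if __name__ == "__main__":
    for label, api in [("verbose vulnerable", vulnerable_api(True)),
                       ("silent vulnerable", vulnerable_api(False)),
                       ("safe", safe_api())]:
        print(label, "id:", detect_sqli(api, "id", "1", "int"))
        print(label, "name:", detect_sqli(api, "name", "alice", "string"))
```

Exact equality of the two responses is the simplest comparison; real responses often carry timestamps or request identifiers, so a scanner working against live endpoints would normalise the body or apply a similarity threshold before testing the condition. The hardened endpoint also shows why the condition requires the tautology response to equal the normal one, not merely the contradiction response to differ: its integer validation rejects both vectors with a 400, which differs from the normal response but is not injection.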

Description

Technical field
[0001] The present application relates to the field of computer technology, and in particular to a SQL injection vulnerability detection method and device for a REST API.

Background art
[0002] With major Internet companies opening their APIs (Web services), the functions of Web applications have become more scalable; at the same time, a complex Web ecosystem in which multiple Web services cooperate to complete a transaction, such as third-party payment services for e-commerce, has gradually formed. The Web API has thus become a key link between Web applications. The original SOAP-based Web API had the disadvantages of cumbersome calls and low efficiency in opening APIs. In recent years the lightweight REST API has become popular rapidly and has gradually replaced the SOAP API as the most important API type.
[0003] However, Web APIs contain various security vulnerabilities, such as SQL injection, which is a serious web security vulnerabi...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/08
CPC: H04L63/1416, H04L63/1433, H04L63/1466, H04L67/02
Inventor: 刘浩
Owner: ZHENGZHOU YUNHAI INFORMATION TECH CO LTD