A SQL injection vulnerability detection method and device for REST API

A vulnerability detection technology, applied in the computer field, that addresses problems such as low opening efficiency, data tampering, and the inability to know code implementation details, so as to achieve high reliability and improve detection accuracy.

Active Publication Date: 2021-08-10
ZHENGZHOU YUNHAI INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

The original SOAP-based Web API had the disadvantages of cumbersome calls and low opening efficiency. In recent years, the lightweight REST API has become popular rapidly, and it has gradually replaced SOAP API as the most important API type.
[0003] However, Web APIs have various security vulnerabilities. One of them, the SQL injection vulnerability, is a serious web security vulnerability: malicious attackers can inject SQL commands into parameters, causing the server to execute these SQL commands.
Generally speaking, SQL injection vulnerabilities lead to database data leakage and data tampering. If the database allows the execution of operating system commands, the entire database server may be compromised. Therefore, for Web APIs, SQL injection vulnerabilities are security issues that must be prevented.
[0004] However, most current SQL injection vulnerability detection methods for Web APIs target SOAP APIs. There is no SQL injection vulnerability detection method, or corresponding tool, for REST APIs. The code implementation details of REST APIs in the real Internet environment are unknown; at the same time, RESTful APIs have new features when called and adopt new authentication and authorization protocols.
As a result, none of the existing detection algorithms can effectively detect SQL injection vulnerabilities in REST APIs.


Embodiment Construction

[0051] The technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings in the embodiments of the application. Obviously, the described embodiments are only some of the embodiments of the application, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments in this application, without creative effort, fall within the scope of protection of this application.

[0052] In order to facilitate the understanding of the technical solution provided by the present application, a brief description of the research background of the technical solution of the present application is given below.

[0053] As we all know, as described in the background technology, due to the shortcomings of cumbersome calls and low opening efficiency of SOAP-based Web API, in recent years, lightweight REST API has become popular rapidly, and it has gradually replaced SOA...


Abstract

This application discloses a SQL injection vulnerability detection method and device for a REST API. The method includes: first injecting a detection vector that easily triggers SQL syntax errors into the API list to be detected to form a first API attack request, and then using regular expressions that match SQL error information to detect whether there is an SQL syntax error in the first API attack response; if no SQL syntax error is detected, injecting, according to the API parameter type, two vectors for API response content comparison detection and, after obtaining the second API attack response, the third API attack response and the API normal response, comparing the three to detect whether the relationship among them meets the preset SQL injection vulnerability conditions, thereby obtaining the detection result. The application thus achieves effective detection of SQL injection vulnerabilities in RESTful APIs by injecting, into the RESTful API to be detected, detection vectors that are likely to trigger SQL syntax errors and API response content comparison detection vectors, and then examining the corresponding API responses.
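The two-stage decision logic of the abstract, applied to already-collected response bodies, as an added example that is not code from the patent. The error patterns, the 0.95 similarity threshold, the baseline check in stage 1 and the stage-2 condition (second response matches the normal one, third does not) are assumptions, since the page does not define its vectors or its "preset SQL injection vulnerability conditions"; all sample bodies are constructed.

```python
import re
from difflib import SequenceMatcher

# Assumed, non-exhaustive set of well-known DBMS syntax-error fragments.
SQL_ERROR_PATTERNS = [re.compile(p, re.I) for p in (
    r"you have an error in your sql syntax",                # MySQL / MariaDB
    r"unclosed quotation mark after the character string",  # SQL Server
    r"unterminated quoted string",                          # PostgreSQL
    r"ORA-\d{5}",                                           # Oracle
    r'near ".+?": syntax error',                            # SQLite
)]

def has_sql_error(body: str) -> bool:
    """Stage 1 check: does the body leak a database syntax error?"""
    return any(p.search(body) for p in SQL_ERROR_PATTERNS)

def similar(a: str, b: str, threshold: float = 0.95) -> bool:
    # A ratio rather than strict equality, so small dynamic fields
    # (timestamps, request ids) do not break the comparison.
    return SequenceMatcher(None, a, b).ratio() >= threshold

def classify(normal: str, first: str, second: str, third: str) -> str:
    """normal: baseline body; first: body for the error-triggering vector;
    second/third: bodies for the two content-comparison vectors."""
    # Stage 1: SQL error in the first attack response. Requiring that the
    # baseline is clean is an added guard against pages that always
    # contain such text.
    if has_sql_error(first) and not has_sql_error(normal):
        return "error-based"
    # Stage 2 (assumed condition): the second response behaves like the
    # normal one while the third differs, i.e. the injected condition
    # reached the query and changed its result.
    if similar(normal, second) and not similar(normal, third):
        return "comparison-based"
    return "not detected"

# Constructed sample response bodies.
NORMAL = '{"id": 7, "name": "alice", "orders": [101, 102]}'
SQL_ERR = '{"error": "You have an error in your SQL syntax; check the manual"}'
REJECTED = '{"error": "invalid parameter"}'
EMPTY = '{"id": null, "name": null, "orders": []}'

if __name__ == "__main__":
    print(classify(NORMAL, SQL_ERR, NORMAL, EMPTY))           # error leak
    print(classify(NORMAL, REJECTED, NORMAL, EMPTY))          # content differs
    print(classify(NORMAL, REJECTED, REJECTED, REJECTED))     # input validated
```

An API that rejects or ignores the injected input returns the same kind of body for both comparison vectors, so it falls through to "not detected".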

Description

Technical field

[0001] The present application relates to the field of computer technology, in particular to a SQL injection vulnerability detection method and device for a REST API.

Background technique

[0002] With the opening of APIs (Web services) by major Internet companies, the functions of Web applications have become more scalable; at the same time, a complex Web ecosystem in which multiple Web services are coordinated to complete transactions has gradually formed, such as e-commerce third-party payment services, etc. Web API has thus become a key link between Web applications. The original SOAP-based Web API had the disadvantages of cumbersome calls and low opening efficiency. In recent years, the lightweight REST API has become popular rapidly, and it has gradually replaced SOAP API as the most important API type.

[0003] However, there are various security vulnerabilities in Web API, such as SQL injection vulnerability, which is a serious web security vulnerabi...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06, H04L29/08
CPC: H04L63/1416, H04L63/1433, H04L63/1466, H04L67/02
Inventor: 刘浩
Owner: ZHENGZHOU YUNHAI INFORMATION TECH CO LTD