Abstract

To detect second-order structured query language (SQL) injection vulnerabilities in Web applications effectively, this paper proposes a detection method that combines static and dynamic analysis. Static analysis recovers information about persistent data stores, which lets tainted information flow be tracked across the different stages (orders) of a Web application, a logical link that dynamic analysis alone cannot relate. Dynamic analysis obtains metadata, which solves the problem that static analysis alone cannot locate where tainted data is persistently stored. Suspected vulnerabilities are then verified dynamically by fuzzing, which lowers the false-positive rate. Experimental results show that the method effectively detects second-order SQL injection vulnerabilities in applications. Compared with traditional static analysis, it finds more vulnerabilities with a lower false-positive rate and higher detection accuracy; compared with traditional dynamic analysis, it can detect multi-order vulnerabilities. The method outperforms existing techniques for detecting second-order SQL injection vulnerabilities.
Authors

LI Xin (李鑫), ZHANG Weiwei (张维纬), ZHENG Lixin (郑力新)
College of Engineering, Huaqiao University, Quanzhou 362021, China; Universities Engineering Research Center of Fujian Province Industrial Intelligent Technology and Systems, Huaqiao University, Quanzhou 362021, China
Source

Journal of Huaqiao University (Natural Science) (华侨大学学报(自然科学版)), 2018, No. 4, pp. 600-605 (6 pages). Indexed in CAS and the Peking University Core Journals list (北大核心).
Funding

Natural Science Foundation of Fujian Province (2015J05125)
Special Project of the Fujian Provincial Department of Science and Technology (2013H2002)
Quanzhou Science and Technology Plan Project (2014Z112)
Huaqiao University Graduate Research and Innovation Capability Cultivation Program (1400422005)
Huaqiao University Research Fund (13BS415)
Keywords

vulnerability detection
second-order structured query language
static analysis
dynamic analysis
taint analysis