
Automated Generation of SQL Database Attack Code

Automated Exploit Generation for SQL Injection Attacks

Advisor: 李德財

Abstract

In recent years the use of automated static analysis tools to detect SQL injection attacks has become increasingly common. However, these tools may produce false positives, and the credibility of a reported vulnerability is hard to verify. The way to verify a vulnerability is to imitate what a hacker or a black-box tool does: actually submit attack code to the website and observe whether the attack succeeds. In this thesis we propose a method for verifying the vulnerabilities detected by automated analysis tools. We generate concrete attack code, send it to the website, and monitor the SQL statements the website executes at run time, and from this we judge whether the reported vulnerability is credible. We evaluated the method on several real-world cases; the results show that it verifies vulnerabilities effectively.

Parallel abstract (English)

Automated static analysis tools are widely used today for finding input manipulation vulnerabilities in web applications, such as SQL injection. However, these tools may produce many false positives, and the reported vulnerabilities cannot be verified easily. To verify a reported vulnerability, concrete attack requests need to be constructed and submitted to the target application, just as a hacker or a black-box tool would do. Our approach is to send concrete exploits and to inspect the SQL queries that are executed at run time. Thus it is possible to declare a reported vulnerability valid (along with the actual exploitable SQL command) or bogus (i.e., a false positive). Our technique proved effective in an evaluation against several real-world examples.
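As an added illustration (not code from the thesis), the following Python shows the run-time check the abstract describes in its simplest form: a probe input is fed through the application's query-building code, the resulting SQL is tokenized, and the report is declared valid only if the probe changed the query's token structure compared with a benign input. The two query builders, the tokenizer and the sample inputs are constructed here for demonstration; the escaped builder stands in for a sanitizer that a static analyser would typically still flag.

```python
import re

# Minimal SQL tokenizer: string literals ('' is an escaped quote), numbers,
# comments, identifiers/keywords and operators. Only one named group matches
# per alternative, so m.lastgroup tells us the token kind.
TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>[=<>!]+|[(),;*.])
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


def signature(sql):
    """Structural signature of a query: literal values are abstracted to '?',
    so two queries compare equal iff they have the same token skeleton."""
    sig, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:                       # e.g. an unterminated quote
            sig.append(("err", sql[pos]))
            pos += 1
            continue
        kind, pos = m.lastgroup, m.end()
        if kind == "ws":
            continue
        if kind in ("str", "num"):
            sig.append((kind, "?"))
        elif kind == "ident":
            sig.append((kind, m.group().upper()))
        else:
            sig.append((kind, m.group()))
    return sig


def vulnerable_query(username):
    # Constructed stand-in for the flagged code path: raw string concatenation.
    return "SELECT id FROM users WHERE name = '" + username + "'"


def escaped_query(username):
    # Same query, but quotes are doubled first; static tools often still flag this.
    return "SELECT id FROM users WHERE name = '" + username.replace("'", "''") + "'"


def verify_report(build_query, benign_input, probe_input):
    """'valid' if the probe alters the executed query's structure, else 'bogus'."""
    changed = signature(build_query(benign_input)) != signature(build_query(probe_input))
    return "valid" if changed else "bogus"
```

With a probe such as `alice' OR 'a'='a`, the raw-concatenation builder yields a query with extra tokens and is reported valid, while the escaped builder yields a single string literal and is reported bogus (a false positive).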
