CAJ | 학술논문

SQL注入攻击是当前Web应用程序的主要安全威胁之一。传统的漏洞检测技术误报率普遍较高,文中分析了SQL注入的原理、特点,提出一种基于状态的漏洞检测模型。与传统针对错误反馈判断漏洞的方式不同,这种检测机制在一个链接输入不同的参数,通过对网站反馈的结果建立状态模型进行漏洞检测,以确定是否为注入点。这种模型不依赖于特定的数据库或者开发语言,定位注入点的准确率也更高。
SQL주입공격시당전Web응용정서적주요안전위협지일。전통적루동검측기술오보솔보편교고,문중분석료SQL주입적원리、특점,제출일충기우상태적루동검측모형。여전통침대착오반궤판단루동적방식불동,저충검측궤제재일개련접수입불동적삼수,통과대망참반궤적결과건립상태모형진행루동검측,이학정시부위주입점。저충모형불의뢰우특정적수거고혹자개발어언,정위주입점적준학솔야경고。
The SQL injection attacks now become a severe threat to the Web application. The traditional vulnerability detection technique usually generates high false alarm rate. This paper analyzes the principles and characteristics of SQL injection attack, and then proposes a state-based vulnerability detection model. Different from the traditional detection, the detection model judges vulnerability according to the feedback error message. This mechanism inputs different parameters into a link, thus establishing a state model to test whether an injection point exists in the site. This model does not rely on any database or program language, and has more accurate rate in locating the injection point.