Detection and Prevention of SQL Injection Vulnerabilities Based on Penetration Testing
[Abstract]: With the further popularization of the Internet and the rapid development of computer network technology, Web technology has come into wide use. Application systems built on Web technology and a database architecture have gradually become the mainstream and are widely used in internal and external business systems. However, the security risks faced by Web application systems are increasing daily. Web security penetration testing is an active prevention technique for Web applications: before the application is attacked, the target system is tested by simulating a hacker's attack on the Web application. Among the many Web application attack methods, SQL injection is the most common and the easiest to carry out. Intrusion detection and prevention against SQL injection attacks is therefore key to securing application systems and to ensuring the security of the whole information infrastructure, and it is also an important research topic in network security. For these reasons, this paper studies the prevention techniques and detection tools relevant to SQL injection vulnerabilities and compares the detection results of typical tools through experiments. The detection characters used by common detection tools are summarized, and the existing SQL injection vulnerability detection characters are then improved and summarized. In addition, using the characters commonly used in SQL injection attacks and building on the automated testing tool Selenium, this paper proposes an automated detection technique for SQL injection vulnerabilities. Experiments show that test cases written with this technique can identify SQL injection attacks to a certain extent and can identify unknown SQL injection points that may appear in a Web application system. This provides a direction and a reference for research on automated testing of SQL injection vulnerabilities.
[Degree-granting institution]: Donghua University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP311.13; TP393.08
Article number: 2207043
Article link: http://sikaile.net/guanlilunwen/ydhl/2207043.html