Research on SQL Injection Attack and Defense Technology

doi:10.3969/j.issn.1671-1122.2015.09.030

Abstract

Abstract:

With the rapid development of computer network technology, the human is more and more reliance on the ubiquitous network, and a series of network security problem that make people pay more attention on it. At present, the SQL injection attack has become one of the primary means of hacking by hackers. This paper introduces the principle of SQL injection, depth study on the cause of SQL injection and actual combat encounter common SQL injection attack, proposed a new SQL injection detection techniques and tools to achieve in practice on the basis of actual penetration testing, and provides strong technical support for future testing SQL injection attacks or provides powerful guarantee for the information system in the SQL injection defense.

Key words: SQL injection attack, penetration testing, defense

CLC Number:

TP309

Wen-sheng LIU, De-guang LE, Wei LIU. Research on SQL Injection Attack and Defense Technology[J]. Netinfo Security, 2015, 15(9): 129-134.

Figures/Tables 10

References 14

[1]	隋亮. 基于渗透测试的SQL注入漏洞检测与防范[D]. 上海:东华大学,2014.
[2]	GOULD C, SU Z, DEVANBU P.JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications[C]//In Proceedings of the 26th International Conference on Software Engineering (ICSE2004), IEEE Computer Society, Los Alamitos, USA, 2004: 697-698.
[3]	田玉杰,赵泽茂,王丽君,等. 基于分类的SQL注入攻击双层防御模型研究[J]. 信息网络安全,2015,(6):1-6.
[4]	HALFOND W G J, ORSO A. AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks[C]//In Proceedings Of the 20th IEEE and ACM International Conference on Automated Software Engineering (ASE2005), Long Beach, California, USA, 2005:174-183.
[5]	AMORIM AAD, COLLINS N, DEHON A, et al.A Verified Information-Flow Architecture[C]//In Proceedings Of 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL2014), San Diego, CA USA. 2014: 165-178.
[6]	NGUYEN-TUONG A, GUARNIERI S, GREENE D, et al.Automatically hardening web applications using precise tainting[C]//In Proceedings of the 20th IFIP International Information Security Conference, Makuhari-Messe, Chiba, Japan, 2005: 372-382.
[7]	杨玉龙,彭长根,周洲. 基于同态加密的防止SQL注入攻击解决方案[J]. 信息网络安全,2014,(1):30-33.
[8]	周琰. SQL注入检测方法的研究与实现[D]. 西安:西北大学,2011.
[9]	王一飞. 陌生网络边界防火墙规则配置方法研究[J]. 信息网络安全,2014,(9):161-164.
[10]	林世鑫. 基于SQL注入的Web数据安全防范与优化[J]. 电脑知识与技术,2014,(10):2184-2187.
[11]	张令通,罗森林,冯帆. 基于Windows环境的SQL注入攻击检测系统设计与实现[J]. 信息网络安全,2014,(7):16-19.
[12]	李晓龙. 基于SQL注入攻击的三种防御技术[J]. 湖北文理学院学报,2013,(5):18-21.
[13]	韦存堂,赵晶玲,崔宝江. 基于代理模式的SQL注入漏洞检测技术研究[J]. 信息网络安全,2014,(11):66-69.
[14]	王永生. 基于Web应用的SQL注入攻击入侵检测研究[D]. 郑州:郑州大学,2012.

[1]	Qiaoli YUE, Wanbo LV, Weihong HU, Haikuo ZHANG. Mitigating DDoS Attack Based on DNS Response Value Assessment [J]. Netinfo Security, 2019, 19(9): 56-60.
[2]	Weijun ZHU, Yongwen FAN, Shaohuan BAN. A Mimic-automaton-based Model for the MSISDN Virtualization and Its Method for Verifying the Security [J]. Netinfo Security, 2018, 18(4): 15-22.
[3]	ZHANG Jiawei, ZHANG Dongmei, HUANG Siqi. Design and Implementation of Anti APT Attack Trusted Software Base [J]. 信息网络安全, 2017, 17(6): 49-55.
[4]	Heng LI, Huawei SHEN, Xueqi CHENG, Yong ZHAI. Review of Network High Flow Distributed Denial of Service Attack and Defense Mechanisms [J]. Netinfo Security, 2017, 17(5): 37-43.
[5]	Yang XU, Yi CHEN, Rui HE, Xiaoyao XIE. Research of DDoS Detection and Multi-layer Defense in SDN [J]. Netinfo Security, 2017, 17(12): 22-28.
[6]	Qi SU, Wei WANG, Yin LIU, Zhanpeng YU. Research on the Scheme of Information Security Protection in Electric Power Industry [J]. Netinfo Security, 2017, 17(11): 84-88.
[7]	Yuxiang JI, Yan ZHU, Xiaoqiang TANG. Security Analysis of Web Based Software [J]. Netinfo Security, 2016, 16(9): 208-212.
[8]	Yubin WANG, Si CHEN, Nan CHENG. Research on Industrial Control System Security Defense [J]. Netinfo Security, 2016, 16(9): 35-39.
[9]	Xin LI, Weiwei ZHANG, Zichang SUI, Lixin ZHENG. Research and Analysis on the Novel SQL Injection and Defense Technique [J]. Netinfo Security, 2016, 16(2): 66-73.
[10]	Tingting SHI, Youjian ZHAO. Overviews of Network Intrusion Evasion and Defense Techniques [J]. Netinfo Security, 2016, 16(1): 70-74.
[11]	Yu-jie TIAN, Ze-mao ZHAO, Li-jun WANG, Ke LIAN. Research on Double Layer Defense Model for SQL Injection Attack Based on Classification [J]. Netinfo Security, 2015, 15(6): 1-6.
[12]	Kun-peng WEI, Zhi-hui GE, Bo YANG. Research on Attack-defense of PHP Web Application Upload Vulnerability [J]. Netinfo Security, 2015, 15(10): 53-60.
[13]	Xiao-shan WANG, An YANG, Zhi-qiang SHI, Li-min SUN. New Trend of Information Security in Industrial Control Systems [J]. Netinfo Security, 2015, 15(1): 6-11.
[14]	WANG Dong-xia, FENG Xue-wei, ZHAO Gang. Moving Target Defense Mechanisms [J]. 信息网络安全, 2014, 14(9): 98-100.
[15]	HUANG Chang-hui, WANG Hai-zhen, CHEN Si. Research on DDoS Attack and Defense based on Network Self-similarity Detecting [J]. 信息网络安全, 2014, 14(9): 69-71.