摘要
为解决Web2.0环境中Web网站的SQL注入漏洞检测问题,提出了一种注入点提取方法。根据Web2.0网站的技术特点,通过分析网页HTML标记,解析执行网页客户端脚本,全面提取网站的数据输入点。根据数据输入点类型和参数组成,构建测试用例并建立注入点判定规则,从而提高了SQL注入漏洞检测效果。实验结果表明,增加脚本解析和数据输入点提取后,提高了Web2.0环境中SQL注入漏洞检测的测试覆盖率,降低了漏检率。本方法对使用传统技术和Web2.0技术网站进行的SQL注入漏洞检测,都具有适用性,能够获得较为全面的测试结果。
To solve the SQL injection vulnerability detection in website under Web2.0 environment, proposed an injection point extraction approach. According to the characteristics of Web2.0 websites, by analyzing HTML markup, parsing and executing web client script, this approach got comprehensive data entry points of the website. Depending on the type of data entry points and arguments,built test case and established the rule to determine injection points, thereby enhancing the SQL injection vulnerability detection. Experimental results showed that, after adding script analysis and data entry point extraction, the approach of SQL injection vulnerability detection under Web2.0 envi ronment increased test coverage and reduced the rate of missing. This approach that used to detect SQL injection vulnerability in website which used traditional and Web2.0 technologies, had some applicability,could gain a more comprehensive test results.
出处
《计算机技术与发展》
2013年第3期121-124,128,共5页
Computer Technology and Development
基金
西北工业大学基础研究基金(JC201149)
西北工业大学研究生创业种子基金项目(Z2012141)
关键词
WEB2
0
SQL注入漏洞
漏洞检测
脚本解析
注入点提取
Web2.0
SQL injection vulnerability
vulnerability detection
script analysis
injection point extraction
