摘要
针对SQL注入漏洞测试过程中准确度和效率不足以及其之间的竞争问题,提出一种基于攻击反馈模型(Attacking Feedback Model,AFM)的SQL注入漏洞渗透测试方法。该方法在梳理SQL注入攻击反馈分析技术的基础上,基于典型的SQL注入攻击逻辑及其攻击树构建多种攻击反馈测试单元,以及一系列由这些测试单元构成的测试阶段,通过自底向上的反馈信息流实现一种启发式的动态测试方法。该文实现了一个原型系统,并在预先植入漏洞的目标漏洞系统上与两个知名渗透测试工具进行对比实验,结果显示文章所述方法能有效提高SQL注入漏洞渗透测试的准确度和检测效率。
Aimed at the problem of insufficient accuracy and efficiency in the process of SQL injection vulnerability test and the competition problem between them,an approach of SQL injection vulnerability penetration test based on AFM(attacking feedback model)is proposed.Based on the analysis of SQL injection attack feedback techniques,this approach constructed a variety of attacking feedback test units and a series of test stages composed of these test units based on the typical SQL injection attack logic and attack tree.This approach realized a heuristic dynamic test method through a bottom to up feedback information flow mechanism.A prototype system was implemented,and the experimental comparison and analysis with two well-known penetration testing tools was carried out on a target vulnerability system with pre-implanted vulnerabilities.The results show that the proposed method can effectively improve the test accuracy and detection efficiency of SQL injection vulnerability penetration test.
作者
刘磊
许静
朱静雯
陈亮
李洁
Liu Lei;Xu Jing;Zhu Jingwen;Chen Liang;Li Jie(College of Artificial Intelligence,Nankai University,Tianjin 300350,China;College of Software,Nankai University,Tianjin 300350,China;Electric Power Research Institute,State Grid Tianjin Electric Power Company,Tianjin 300384,China)
出处
《计算机应用与软件》
北大核心
2023年第6期323-329,共7页
Computer Applications and Software
基金
国家电网公司总部科技项目(SGTJDK00DWJS1900105)。
关键词
Web系统漏洞
渗透测试
SQL注入
攻击树模型
Web system vulnerability
Penetration test
SQL injection
Attacking tree model
