Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications

As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. The attackers craft injection attacks in database-driven applications through the user-input fields intended for interacting with the applications. Even though precautionary measures such as user-input sanitization is employed at the client side of the application, the attackers can disable the JavaScript at client side and still inject attacks through HTTP parameters. The injected parameters result in attacks due to improper server-side validation of user input. The injected parameters may either contain malicious SQL/XML commands leading to SQL/XPath/XQuery injection or be invalid input that intend to violate the expected behavior of the web application. The former is known as an injection attack, while the latter is called a parameter tampering attack. While SQL injection has been intensively examined by the research community, limited work has been done so far for identifying XML injection and parameter tampering vulnerabilities. Database-driven web applications today rely on XML databases, as XML has gained rapid acceptance due to the fact that it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype XiParam is developed and tested on vulnerable applications developed with a native XML database, BaseX, as the backend. The experimental evaluation clearly demonstrates that the prototype is effective against detection of both XQuery injection and parameter tampering vulnerabilities.     

基于Java语言实现数据库的访问

Java语言是目前广泛使用的网络数据库编程语言,JDBC给数据库应用开发人员提供了一种标准的应用程序设计接口,使数据库开发人员可以用纯Java语言编写完整的数据库应用程序,Java和JDBC结合真正实现一次编写,处处运行。介绍JDBC技术,阐述了JDBC接口技术JDBCAPI和JDBC驱动程序,给出采用JDBC-ODBG桥来实现关系型数据库SQL查询的实现方法。例程中采用Access2000数据库,说明了用JDBC编写访问数据库的一般步骤：加载JDBC-ODBC桥驱动程序;建立与数据库的连接;执行SQL查询语句和处理对数据库的查询结果。所举案例对实际数据库项目的开发有一定的实用价值。     

SQL注入攻击与防范研究

由于多数程序员不了解SQL注入漏洞,目前互联网上网站经常遭受SQL注入攻击。对PHP＋MySQL型及ASP＋SQL Server型Web程序的SQL注入攻击办法进行了详细的描述,并给出了预防SQL注入漏洞的方法,有助于提高Web应用程序员的安全意识及Web程序的安全性。     

基于指令集随机化的SQL注入防御技术研究

WEB应用程序广泛受到SQL注入攻击的威胁,SQL攻击易于实施且危害严重。分析了现有的各种防范技术,在此基础上提出了一种基于指令集随机化技术的SQL注入防范原型系统。该系统首先对SQL关键字经过特殊的随机化处理,然后与用户输入组装成完整的SQL语句,再使用随机化的SQL语法分析程序对语句是否存在注入进行判定。系统的实现不依赖于现有WEB应用程序和服务器平台。实验表明,此系统具有较好的防范SQL注入的效果和较低的运行开销。     

二阶SQL注入攻击防御模型

随着互联网技术的快速发展,Web应用程序的使用也日趋广泛,其中基于数据库的Web应用程序己经广泛用于企业的各种业务系统中。然而由于开发人员水平和经验参差不齐,使得Web应用程序存在大量安全隐患。影响Web应用程序安全的因素有很多,其中SQL注入攻击是最常见且最易于实施的攻击,且SQL注入攻击被认为是危害最广的。因此,做好SQL注入攻击的防范工作对于保证Web应用程序的安全十分关键,如何更有效地防御SQL注入攻击成为重要的研究课题。SQL注入攻击利用结构化查询语言的语法进行攻击。传统的SQL注入攻击防御模型是从用户输入过滤和SQL语句语法比较的角度进行防御,当数据库中的恶意数据被拼接到动态SQL语句时,就会导致二阶SQL注入攻击。文章在前人研究的基础上提出了一种基于改进参数化的二阶SQL注入攻击防御模型。该模型主要包括输入过滤模块、索引替换模块、语法比较模块和参数化替换模块。实验表明,该模型对于二阶SQL注入攻击具有很好的防御能力。     

基于统计异常的Web应用入侵检测模型研究

传统的网络安全技术已经难以有效防范针对Web应用的攻击行为,Web应用入侵检测作为一种重要的安全技术已受到了广泛的重视。访问日志是Web应用入侵检测的重要数据,然而,海量的日志记录令应用管理员望而却步,若缺乏有效的分析方法,将很难发现和定位入侵行为。致力于这个问题的解决,多种误用和异常检测模型已被提出和采用。针对动态页面采用参数值长度、字符分布等统计异常模型,对真实Web应用的访问日志进行入侵检测,实验结果表明,模型可以有效地检测SQL注入等攻击。     

基于Hash锁的RFID SQL注入攻击防御方法

传统的SQL注入攻击技术被攻击者用于攻击RFID系统,使后台数据库中的用户数据处于不安全状态。文章分析了使用SQL注入攻击RFID后端数据库的实施过程,针对这一安全问题提出了基于Hash锁的防SQL注入方法,并进行了模拟实验,该方法可以有效地防御RFIDSQL注入攻击。     

Data-mining based SQL injection attack detection using internal query trees

Detecting SQL injection attacks (SQLIAs) is becoming increasingly important in database-driven web sites. Until now, most of the studies on SQLIA detection have focused on the structured query language (SQL) structure at the application level. Unfortunately, this approach inevitably fails to detect those attacks that use already stored procedure and data within the database system. In this paper, we propose a framework to detect SQLIAs at database level by using SVM classification and various kernel functions. The key issue of SQLIA detection framework is how to represent the internal query tree collected from database log suitable for SVM classification algorithm in order to acquire good performance in detecting SQLIAs. To solve the issue, we first propose a novel method to convert the query tree into an n-dimensional feature vector by using a multi-dimensional sequence as an intermediate representation. The reason that it is difficult to directly convert the query tree into an n-dimensional feature vector is the complexity and variability of the query tree structure. Second, we propose a method to extract the syntactic features, as well as the semantic features when generating feature vector. Third, we propose a method to transform string feature values into numeric feature values, combining multiple statistical models. The combined model maps one string value to one numeric value by containing the multiple characteristic of each string value. In order to demonstrate the feasibility of our proposals in practical environments, we implement the SQLIA detection system based on PostgreSQL, a popular open source database system, and we perform experiments. The experimental results using the internal query trees of PostgreSQL validate that our proposal is effective in detecting SQLIAs, with at least 99.6% of the probability that the probability for malicious queries to be correctly predicted as SQLIA is greater than the probability for normal queries to be incorrectly predicted as SQLIA. Finally, we perform additional experiments to compare our proposal with syntax-focused feature extraction and single statistical model based on feature transformation. The experimental results show that our proposal significantly increases the probability of correctly detecting SQLIAs for various SQL statements, when compared to the previous methods.     

Lom: Discovering logic flaws within MongoDB-based web applications

Logic flaws within web applications will allow malicious operations to be triggered towards back-end database. Existing approaches to identifying logic flaws of database accesses are strongly tied to structured query language (SQL) statement construction and cannot be applied to the new generation of web applications that use not only structured query language (NoSQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDBbased web applications. Our approach introduces a MongoDB operation model to support new features of MongoDB and models the application logic as a mealy finite state machine. During the testing phase, test inputs which emulate state violation attacks are constructed for identifying logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.     

基于SQL注入的Web数据安全防范与优化

SQL注入利用数据库系统的安全漏洞,以及程序中的验证漏洞,构造合适的SQL语句,并通过正常的URL访问进行代码提交,获取数据库中的相关信息,从而实现网站攻击的目的。加强用户提交数据的合法性验证,是防止SQL注入的基本方法。而改善ASP中的Request函数,使其具有对一切用户数据进行合法验证的能力,是SQL注入威胁下,Web数据安全防范方法的最佳优化。     

基于SQL Server的SQL注入攻击防范方法

在基于SQL Server服务器的Web应用程序中,确保安全性是一个重要而复杂的问题。该文针对SQL Server数据库的安全性,介绍了SQL注入攻击概念及几种常用的攻击方法,从两个方面提出了一些防范SQL注入攻击方法,最大限度地减少SQL注入攻击的可能性,尽可能保证SQL Server数据库的安全性。     

SQL注入攻击与防护措施研究

SQL注入是Web应用中常见的一种针对数据库层的攻击方法。该文分析了SQL注入的原理和攻击方法,总结了实践中常用的针对SQL注入的防范措施。此防护措施经适当修改即可用于多种平台类型的Web应用中。     

MySQL注入攻击及防范方法

随着网络应用的不断丰富,以及人们对于数据安全的重要性也不断加强,数据库的信息安全也逐渐被重视。数据库的攻击最常见的一种方法是SQL注入攻击。本文通过对SQL注入攻击的原理及常用技术手段的分析,借助MySQL函数的方法,对MySQL注入攻击的防范提出了通过浏览器和服务器两端进行双重防御的解决方法。     

Policy-based SQLIA detection and prevention approach for RFID systems

While SQL injection attacks have been plaguing web application systems for years, the possibility of them affecting RFID systems was only identified very recently. However, very little work exists to mitigate this serious security threat to RFID-enabled enterprise systems. In this paper, we propose a policy-based SQLIA detection and prevention method for RFID systems. The proposed technique creates data validation and sanitization policies during content analysis and enforces those policies during runtime monitoring. We tested all possible types of dynamic queries that may be generated in RFID systems with all possible types of attacks that can be mounted on those systems. We present an analysis and evaluation of the proposed approach to demonstrate the effectiveness of the proposed approach in mitigating SQLIA.     

一种基于DBMS的无监督异常检测算法及其应用

传统的基于身份认证和存取控制的数据库安全机制存在一定的局限性，如无法防止SQL注入、合法用户权限滥用等非法行为，而现存的入侵检测研究多集中在网络和操作系统，由此提出一个基于DBMS的无监督异常检测算法。首先定义了数据库查询的表示方法及其相似度计算方法，其次给出了包括查询聚类、标记和检测三阶段的异常检测算法，最后给出了算法在合成数据中的聚类结果及其在真实数据中检测SQL注入的应用，并讨论了利用数据库索引的扩展算法。     

基于ASP．NET的网站设计安全问题研究

在基于ASP．NET开发网站过程中,网站安全是一个较为复杂的问题。针对隐藏域保护、恶意脚本注入攻击、SQL注入攻击以及数据库安全保护等问题进行了深入的分析和研究,给出了相应的安全配置策略,并提出了具体的程序设计技巧,降低了黑客入侵网站的机率,提高了网站的安全性。     

基于ASP.NET的网站设计安全问题研究

在基于ASP.NET开发网站过程中,网站安全是一个较为复杂的问题。针对隐藏域保护、恶意脚本注入攻击、SQL注入攻击以及数据库安全保护等问题进行了深入的分析和研究,给出了相应的安全配置策略,并提出了具体的程序设计技巧,降低了黑客入侵网站的机率,提高了网站的安全性。     

SQL注入方法剖析及防范策略

SQL注入是Web系统中经常存在的一种漏洞,攻击者利用这种漏洞可以通过SQL语句直接访问数据库,从而对系统的安全造成了很大的隐患。该文通过大量的实例介绍了SQL注入攻击方法及防范这种攻击的措施。     

达梦数据库Web服务技术研究

本文提出了一种将数据库同Web服务技术相结合的方法，一方面使得数据库可以将其存储的数据以Web服务的形式提供给外部使用，另一方面也可以在数据库内部直接使用SQL语句或存储过程调用外部的Web服务对数据进行处理或取得数据，该方法具有使得数据库能够不依赖应用程序而直接同Web服务进行交互的特点。     

ADO.Net连接池中非正常断开连接的异常控制

动态的Web站点常常要从数据库中获得必要的数据来生成Web页面，因此Web应用程序与数据库之间将耗费巨大的开销来创建数据库连接，ADO．Net采用连接池来减少创建数据库连接的开销。但是，ADO．Net连接池中经常会出现非正常断开的连接，池管理程序会将这些实际无效的连接分配给请求的应用程序使用，应用程序在使用这些连接执行SQL语句时会发生连接异常，提出了避免在SQL Server，Net数据提供程序中出现这种连接异常的解决方案。