
Research Of Double Layer Defense Against SQL-injection Attacks

Posted on: 2012-10-19
Degree: Master
Type: Thesis
Country: China
Candidate: X F Zhu
Full Text: PDF
GTID: 2218330362956564
Subject: Information security

Abstract/Summary:
Web applications are now in wide use, yet many security problems arise because developers' skill levels vary widely. In the OWASP (Open Web Application Security Project) Top 10 list, SQL injection is one of the most widespread security problems, so effective defense against SQL injection attacks has become an urgent problem.

After studying the characteristics of SQL injection attacks, we extracted two main features: common SQL injection attacks usually contain offensive strings, and, as the essential feature, every SQL injection attack must modify the logic of the original SQL statement. Based on a study of other defensive approaches, this paper proposes a double layer defense model against SQL injection, which combines the "Application Filter" defense of a Web Application Firewall with the "Logical_SQL" defense on the application layer. Our model combines static analysis and dynamic monitoring in both layers: the first layer intercepts the HttpRequest and checks whether malicious injection strings are present; the second layer intercepts the execution of SQL statements and checks whether their logical structure has changed.

To protect web applications on the J2EE platform, our system, called the "Double Layer Defense Project", is implemented to defend against SQL injection: it intercepts requests through the Java filter chain and uses analysis tools to check the logic of SQL statements instantly. Finally, experimental results show that our model filters malicious offensive strings in a lightweight way and recognizes, in the second layer, SQL injection that carries no characteristic string. It defends against SQL injection attacks comprehensively and effectively.
Keywords/Search Tags: SQL Injection Attack, Application Filter, Double Layer Defense Model
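The following is an added illustration of the two checks the abstract describes, written for this page in Python; it is not the thesis's own Java/J2EE code, and its signature list, SQL template, tokenizer and sample requests are all constructed here. The first layer scans request parameters for offensive-string signatures; the second layer reduces the SQL statement the application is about to execute to a skeleton (keywords, identifiers and operators kept, every literal replaced by `?`, comments marked) and compares it with the skeleton of the statement the developer intended. A request whose input changes the skeleton has changed the logic of the statement, which is the essential feature the abstract names, so it is caught even when it contains no characteristic string that the first layer knows.

```python
import re

# Layer 1: "Application Filter" signatures applied to the HTTP request.
# Constructed sample list; the thesis's own signature set is not on the page.
OFFENSIVE_PATTERNS = [
    re.compile(r"'\s*(or|and)\s", re.I),  # quote followed by a boolean operator
    re.compile(r"union\s+select", re.I),  # classic UNION-based probe
    re.compile(r"--|/\*"),                # SQL comment introducers
    re.compile(r";"),                     # statement terminator (stacked queries)
]


def layer1_request_filter(params):
    """Return the names of request parameters matching an offensive-string signature."""
    return [k for k, v in params.items() if any(p.search(v) for p in OFFENSIVE_PATTERNS)]


# Layer 2: "Logical_SQL" check. Tokenizer for a minimal SQL subset (constructed here).
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op><>|<=|>=|!=|\|\||[(),=<>*+\-/;.?])
  | (?P<ws>\s+)
""", re.X | re.S)


def sql_skeleton(sql):
    """Reduce a statement to its logical skeleton: literals become '?', comments
    become COMMENT, keywords/identifiers are upper-cased, whitespace is dropped."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            tokens.append("UNKNOWN")  # unrecognised character: keep it visible, never skip it
            pos += 1
            continue
        pos = m.end()
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            tokens.append("?")
        elif kind == "comment":
            tokens.append("COMMENT")
        elif kind == "word":
            tokens.append(m.group().upper())
        else:
            tokens.append(m.group())
    return tokens


def layer2_logic_check(template, actual):
    """True when the statement about to run has the same skeleton as its template."""
    return sql_skeleton(template) == sql_skeleton(actual)


# The statement the developer intended (placeholders mark where data belongs).
LOGIN_TEMPLATE = "SELECT id, name FROM users WHERE name = ? AND pwd = ? AND status = ?"


def build_login_query(params):
    """String concatenation as found in the vulnerable application the model guards;
    the defence intercepts the result before it reaches the database."""
    return ("SELECT id, name FROM users WHERE name = '%s' AND pwd = '%s' AND status = %s"
            % (params["name"], params["pwd"], params["status"]))


def double_layer_check(params, template, actual):
    """Run both layers in order; returns (allowed, reason)."""
    hit = layer1_request_filter(params)
    if hit:
        return False, "layer1: offensive string in " + ",".join(hit)
    if not layer2_logic_check(template, actual):
        return False, "layer2: SQL logic changed"
    return True, "ok"


def evaluate(params):
    return double_layer_check(params, LOGIN_TEMPLATE, build_login_query(params))


# Constructed sample requests: one benign, two with characteristic strings, and one
# numeric tautology that carries no quote or comment and so passes the first layer.
SAMPLE_REQUESTS = {
    "benign":    {"name": "alice", "pwd": "s3cret", "status": "1"},
    "tautology": {"name": "' OR '1'='1", "pwd": "x", "status": "1"},
    "comment":   {"name": "admin'--", "pwd": "x", "status": "1"},
    "numeric":   {"name": "alice", "pwd": "x", "status": "1 OR 1=1"},
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(label, evaluate(req))
```

The "numeric" request is the case the abstract's second layer exists for: no signature fires, but `AND status = 1 OR 1=1` yields the skeleton `... STATUS = ? OR ? = ?` instead of `... STATUS = ?`, so execution is refused. The check is only as good as the template: each query site must register the statement it intends to run, which in the thesis's setting is done at the point where the filter chain intercepts execution.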