
An Intention-Oriented Detection Approach Against SQLIA

Posted on: 2017-09-22
Degree: Master
Type: Thesis
Country: China
Candidate: C Y Mao
Full Text: PDF
GTID: 2348330485476498
Subject: Software engineering
Abstract/Summary:
With the development of computer networks, networked applications can provide people with a wide variety of services. At the same time, however, security vulnerabilities in those applications also endanger people's information security, so detecting security vulnerabilities in applications is particularly important. The most common Web vulnerabilities include cross-site scripting, SQL injection and malicious file execution, all of which are triggered by unvalidated external input.

This paper proposes an intention-oriented detection method. Unlike existing dynamic detection methods, which decide whether an SQL injection attack (SQLIA) is present from the perspective of SQL syntax analysis, this method predefines all database operations expected by the Web application, intercepts and analyzes the operations about to be submitted to the database at run time, and thus blocks operations that do not conform to the intended operations. A string value analysis is applied to examine the security of the SQL strings in the program, and taint tags are attached to the unsafe SQL strings; finally, SQL is intercepted and checked at run time. The method designs and implements a language, SQLIDL, for describing database operation intentions; it translates the permitted operations provided by developers into a set of string DFAs, fully supporting an automaton representation of SQL operations.

Based on the intention-oriented detection method, a dynamic detection prototype system driven by users' intents has been built. Tests on real sites, using static analysis to examine security and thereby narrow the scope of dynamic detection, show that this method can effectively detect and block existing SQLIA patterns.
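The following is an added illustration of the intent-based check described above, not code from the thesis or its prototype: each developer-declared intent (a simplified, hypothetical stand-in for an SQLIDL rule) is compiled into a linear DFA over SQL tokens, with string and numeric literals abstracted to STR and NUM, and a runtime query is allowed only if some intent DFA accepts its token shape. The intents and queries are constructed for the demo.

```python
import re

# Tokenizer: quoted string literals collapse to STR, integers to NUM, everything
# else (keywords, identifiers, operators) is compared literally, case-folded.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def tokenize(sql):
    tokens = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'") and tok.endswith("'") and len(tok) >= 2:
            tokens.append("STR")
        elif tok.isdigit():
            tokens.append("NUM")
        else:
            tokens.append(tok.upper())
    return tokens

def build_dfa(intent):
    """Compile one declared intent (a hypothetical stand-in for an SQLIDL
    rule) into a linear DFA: state i reads pattern token i, state n accepts."""
    pattern = [tok.upper() for tok in intent.split()]
    delta = {i: {pattern[i]: i + 1} for i in range(len(pattern))}
    return delta, len(pattern)

def accepts(dfa, tokens):
    delta, accept = dfa
    state = 0
    for tok in tokens:
        state = delta.get(state, {}).get(tok)
        if state is None:      # no transition: the query has a shape the
            return False       # developer never declared
    return state == accept

def check_query(sql, intents):
    """Runtime interception point: allow the SQL only if its token shape is
    accepted by at least one intent DFA; everything else is blocked."""
    tokens = tokenize(sql)
    return any(accepts(dfa, tokens) for dfa in intents)

if __name__ == "__main__":
    # Constructed sample intents and queries for the demo.
    intents = [build_dfa("SELECT * FROM users WHERE name = STR"),
               build_dfa("UPDATE users SET email = STR WHERE id = NUM")]
    for q in ["SELECT * FROM users WHERE name = 'alice'",
              "SELECT * FROM users WHERE name = 'alice' OR '1'='1'",
              "UPDATE users SET email = 'a@b.c' WHERE id = 42 OR 1=1"]:
        print("ALLOW" if check_query(q, intents) else "BLOCK", q)
```

Because literal values are abstracted before matching, the check does not depend on recognising particular attack strings; any extra clause, comment or operator that changes the declared token shape is rejected.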
Keywords/Search Tags:Dynamic Taint Analysis, Taint Propagation, Tracing Objects, SOOT, Vulnerability Analysis