
Researches On The SQL Injection Attack Methods And Defensive Measures Based On The Web Applications

Posted on: 2017-05-06 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Zhao | Full Text: PDF
GTID: 2348330518495603 | Subject: Applied Mathematics
Abstract/Summary:
With the rapid development of Internet technology, more and more network services take the form of Web applications. Web applications face many types of attack. Among them, SQL injection is the most common, the easiest to implement, and the most harmful. Previous studies of SQL injection have focused mainly on attacks submitted through HTTP GET or POST requests. As injection techniques have developed, a new type of SQL injection attack, based on the HTTP HEADER, has become popular. This technique is highly concealed and harmful, and it has begun to spread. Because studies of this new type of SQL injection attack are lacking, this thesis examines it in depth. The thesis introduces the background, attack principle, development trend, defensive measures, and defense systems of the SQL injection attack. The author develops a Web application containing the new type of SQL injection vulnerabilities and sets up a test environment. Injection experiments are then conducted with the well-known injection tool SqlMap. Analysis of the experimental results reveals the principle and process of the new HTTP HEADER-based SQL injection attack. To counter this new type of injection attack, a defense system named HHSIDS (Http Header SQL Injection Defend System) is designed and then implemented in Java. The main defense target of HHSIDS is the new type of SQL injection attack based on the HTTP HEADER. It also defends well against general SQL injection attacks based on HTTP GET or POST. HHSIDS solves the problem that traditional defense systems cannot effectively defend against SQL injection attacks based on the HTTP HEADER. The author conducts a large number of SQL injection attack experiments against HHSIDS. Function tests and performance tests are used to evaluate the reliability and robustness of the defense system. The experimental data show that the defense system has low false positive and false negative rates, and that it defends effectively against SQL injection attacks without noticeably delaying responses to application requests. The defense system therefore has certain application value.
Keywords/Search Tags: Web applications, SQL injection attacks, HTTP HEADER, HHSIDS defense system