Detection Technology Research And Implementation On SQL Injection Of Web Application

Posted on: 2017-08-28
Degree: Master
Type: Thesis
Country: China
Candidate: K Zheng
Full Text: PDF
GTID: 2348330518995439
Subject: Information security

Abstract/Summary:
SQL injection has been a serious threat to Web application systems since its emergence, because it is simple to carry out, hard to notice, and devastating in effect. The detection of SQL injection vulnerabilities has been studied for a long time. On the one hand, however, the extraction of URL links from JavaScript and other dynamic scripts has rarely received attention. On the other hand, most injection detection tools focus on exploiting the vulnerability and may threaten the safety of the system under test (SUT). To address these problems, this paper studies web crawler technology and SQL injection vulnerabilities, and proposes an automated SQL injection detection model based on a web crawler. After studying web stability judgment, web similarity judgment, vulnerability detection, and link extraction techniques for dynamic web pages and isolated web pages, this paper designs and implements a vulnerability detection system with low rates of missed and false detection, and then evaluates the function and performance of the system. The main work of this paper is as follows:

(1) Researched the technologies related to SQL injection vulnerability detection. First, the principle, attack vectors and attack categories of SQL injection vulnerabilities are analyzed. Then vulnerability detection technology is studied. Finally, the advantages and disadvantages of existing vulnerability detection tools are analyzed and compared. This research provides the theoretical basis for the design and implementation in this paper.

(2) Designed and implemented the web crawler module used for link extraction. The web crawler module contains two main sub-modules: the link extraction module, which performs web page analysis, and the URL processing module, which performs URL standardization and deduplication. This paper focuses on link extraction technology for dynamic and isolated web sites, thus improving the efficiency of the web crawler module and reducing the rate of false detection.

(3) Designed and implemented the URL queue processing module. For this module, the paper mainly studies the technology for detecting the validity of link parameters and the method for detecting web stability. The module is mainly used to pre-process the URL queue: it removes invalid links and marks the stability of each web page before the page is passed to the vulnerability detection module, thereby improving the operating efficiency of the overall system.

(4) Designed and implemented the vulnerability detection module. For this module, the paper first presents a test case design based on a hierarchical method, which improves the comprehensiveness of the test cases and reduces their redundancy. It then proposes a web similarity detection technique based on web stability. Finally, it gives a method for judging vulnerability detection results based on database keywords and the similarity detection technique.

(5) Evaluated the usefulness of the system through function, performance and security tests. The experiments show that the system can effectively detect SQL injection vulnerabilities with high security and low rates of missed and false detection.
Keywords/Search Tags: SQL injection, Web crawler, Vulnerability detection, Web similarity comparison