A Lightweight Server Side Method to Prevent SQL Injection
  • English title: A Lightweight Server Side Method to Prevent SQL Injection
  • Authors: 付熙徐 (FU Xixu); 龚希章 (GONG Xizhang)
  • Affiliation: Institute of Modern Information and Educational Technology, Shanghai Ocean University (上海海洋大学现代信息与教育技术中心)
  • Keywords: SQL injection; least frequent string; information security; text mining
  • Journal: 盐城工学院学报(自然科学版) / Journal of Yancheng Institute of Technology (Natural Science Edition)
  • Publication date: 2019-06-20
  • Publisher: 盐城工学院学报(自然科学版)
  • Year: 2019
  • Issue: 02
  • Language: Chinese
  • Pages: 32-36
  • Page count: 5
  • CN: 32-1650/N
  • ISSN: 1671-5322
  • Classification number: TP391.1; TP309
Abstract
SQL injection is a common attack against database-backed websites and information systems. Through illegal input, an attacker can bypass authentication, obtain content without authorization, and even tamper with system data. Client-side validation alone does not stop this, because an attacker can skip the input interface and submit illegal data directly to the server; conventional server-side validation, on the other hand, can consume substantial server resources. To overcome these drawbacks, this paper analyzes injection statements and proposes a lightweight server-side validation method: text mining is used to obtain the least frequent strings, and a small number of characters in the input are replaced so as to block SQL injection while minimizing the resources the server spends on validating input legitimacy.