A Defense against Compositional SQL Injection Attack through Validation on Input Legitimacy


Bibliographic Details
Main Author: An-Na Lee (李安娜)
Other Authors: Hsiao-Rong Tyan (田筱榮)
Format: Thesis
Language: Chinese (zh-TW)
Published: 2011
Online Access: http://ndltd.ncl.edu.tw/handle/97401110032725711181
Chinese title: 以合理輸入值驗證為基礎之組合型SQL指令植入式攻擊防禦
Degree: Master's thesis, Graduate Institute of Information Engineering, Chung Yuan Christian University, academic year 99 (2010-2011); 53 pages
Record ID: ndltd-TW-099CYCU5392039

Abstract

With Web 2.0 as the dominant web service model, most dynamic web services adopt a structure in which front-end web application programs generate customized pages and a back-end database serves as the data repository, so that flexible, customizable dynamic services are easy to build. The price is the risk of SQL injection attacks, which can lead to data theft, content destruction, or even a database crash. Filtering user inputs and blocking those from which an SQL injection attack could be formed prevents such attacks from happening. Among the solutions that adopt the input-validation strategy, a two-step input-validation method, which performs static analysis on the web application to collect attribute information about each input and then applies dynamic analysis to the inputs submitted at run time according to those attributes, provides adequate protection against SQL injection while also preventing a malicious user from obtaining error messages. However, a SQL command can be the product of a sequence of operations that crosses the boundaries of several web application programs, and a single parameter of a SQL command can be the composition of multiple inputs.

In this thesis we extend the original two-step input-validation method so that web applications that formulate a SQL command across multiple pages, or build a parameter from multiple inputs, can also be protected. We devise an enhanced static analysis procedure that discovers the composition sequence of a SQL command generated across multiple pages, together with the relation between user inputs and the corresponding SQL parameters, and a modified dynamic analysis procedure that validates inputs according to the information obtained from the static analysis. A prototype system has been developed and tested. The results show that the enhanced two-step input-validation method defends a web application against multi-page and multi-input SQL injection attacks.
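The two-step scheme the abstract describes, reduced to a runnable sketch in Python. This is an added example written for this record, not the thesis's prototype or its actual analysis output; the page names (login.php, step1.php, step2.php), the parameter attributes, the blacklist and the submitted values are all invented for illustration. It assumes the static step has already produced, for one SQL command, the ordered list of (page, input) fragments that form each parameter and the attribute of each parameter; the dynamic step then recomposes each parameter from the run-time inputs and validates the composed value, rather than each fragment in isolation.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ParamSpec:
    """Attribute of one SQL parameter, as the static step would record it (assumed shape)."""
    kind: str          # "int" or "str"
    max_len: int
    pattern: str = ""  # regex the whole composed value must match; "" means no pattern


@dataclass(frozen=True)
class SqlCommandSpec:
    """Output of the static step for one SQL command: which inputs, from which pages,
    are concatenated (in order) to form each parameter. Constructed for this example."""
    template: str
    params: dict        # parameter name -> ParamSpec
    composition: dict   # parameter name -> [(page, input name), ...] in concatenation order
    separator: dict     # parameter name -> string inserted between fragments


# Hypothetical two-page order lookup: the customer name comes from login.php, while
# order_id is assembled from a batch number entered on step1.php and a serial on step2.php.
ORDER_LOOKUP = SqlCommandSpec(
    template="SELECT * FROM orders WHERE customer = ? AND order_id = ?",
    params={
        "customer": ParamSpec("str", 32, r"[A-Za-z0-9_]+"),
        "order_id": ParamSpec("int", 16),
    },
    composition={
        "customer": [("login.php", "user")],
        "order_id": [("step1.php", "batch"), ("step2.php", "serial")],
    },
    separator={"customer": "", "order_id": ""},
)

# Characters and keywords that must never reach the query inside a parameter value.
SQL_META = re.compile(
    r"""['";]|--|/\*|\*/|\b(?:or|and|union|select|insert|update|delete|drop)\b""", re.I)


def compose(spec, param, submitted):
    """Rebuild the value the SQL parameter will actually receive from the fragments
    recorded by the static step. `submitted` maps page -> {input name: value}."""
    parts = []
    for page, name in spec.composition[param]:
        if page not in submitted or name not in submitted[page]:
            raise ValueError(f"input {page}/{name} needed by {param} was never submitted")
        parts.append(submitted[page][name])
    return spec.separator[param].join(parts)


def check_value(pspec, value):
    """Dynamic step: validate one composed value against its declared attribute."""
    if len(value) > pspec.max_len:
        return False, "too long"
    if pspec.kind == "int" and not value.isdigit():
        return False, "not an integer"
    if pspec.pattern and not re.fullmatch(pspec.pattern, value):
        return False, "does not match declared pattern"
    if SQL_META.search(value):
        return False, "SQL metacharacter or keyword"
    return True, "ok"


def validate_request(spec, submitted):
    """Return {parameter: (composed value, legitimate?, reason)} for every parameter."""
    verdicts = {}
    for param, pspec in spec.params.items():
        value = compose(spec, param, submitted)
        ok, reason = check_value(pspec, value)
        verdicts[param] = (value, ok, reason)
    return verdicts


def all_legitimate(verdicts):
    return all(ok for _, ok, _ in verdicts.values())


def naive_fragment_check(submitted):
    """Per-field blacklist applied to each input in isolation: it never sees the value
    the SQL command is finally built from, which is the gap the compositional case exposes."""
    return not any("'" in v or "--" in v
                   for page in submitted.values() for v in page.values())


# Constructed submissions: a legitimate lookup, and a payload split across two pages
# so that no single fragment contains a quote or a complete "--" comment marker.
LEGIT = {"login.php": {"user": "alice_01"},
         "step1.php": {"batch": "2011"}, "step2.php": {"serial": "0042"}}
ATTACK = {"login.php": {"user": "alice_01"},
          "step1.php": {"batch": "1 OR 1=1 -"}, "step2.php": {"serial": "-"}}

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("attack", ATTACK)):
        print(label, "| fragments pass naive check:", naive_fragment_check(req),
              "| composed verdicts:", validate_request(ORDER_LOOKUP, req))
```

The attack submission passes the per-fragment blacklist because each fragment carries only half of the comment marker, yet the composed `order_id` value "1 OR 1=1 --" fails the attribute check the moment it is rebuilt in the order static analysis recorded. `compose` also raises when a fragment from an earlier page was never submitted, which is the multi-page case where a request would otherwise be validated against an incomplete parameter.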