CN114157476A - SQL injection vulnerability detection method, device, terminal and medium based on Web application protection system - Google Patents
- Publication number: CN114157476A (application CN202111450884.7A)
- Authority: CN (China)
- Prior art keywords: request, return packet, sql injection, request return, web application
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H: Electricity
  - H04: Electric communication technique
    - H04L: Transmission of digital information, e.g. telegraphic communication
      - H04L63/00: Network architectures or network communication protocols for network security
        - H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1433: Vulnerability analysis
          - H04L63/1441: Countermeasures against malicious traffic
            - H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
      - H04L67/00: Network arrangements or protocols for supporting network services or applications
        - H04L67/01: Protocols
          - H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention provides a method, a device, a terminal and a medium for detecting SQL injection vulnerabilities based on a Web application protection system. The method improves how the longest common subsequence algorithm is used: it preprocesses the data structure of the request response content, derives a standard request return packet statistically from the daily traffic flowing through the WAF, extracts the longest common subsequence of the current request return packet and the standard request return packet, calculates the ratio of the length of that subsequence to the message length of the current request return packet, and decides whether to release or intercept the SQL injection request by comparing the ratio with a preset threshold. Collecting normal requests and preprocessing them in this way enhances the ability of the WAF to intercept SQL injection attacks.
Description
Technical Field
The invention relates to the field of Web application protection, in particular to a method, a device, a terminal and a medium for detecting SQL injection vulnerability based on a Web application protection system.
Background
The Web application protection system, also called a website application level intrusion prevention system, is known in English as a Web Application Firewall, abbreviated WAF. An internationally recognized definition is: a Web application firewall is a product that provides protection specifically for Web applications by enforcing a series of security policies on HTTP/HTTPS.
SQL injection means that a web application does not check the legitimacy of user-supplied data, or filters it loosely, so that an attacker can append an extra SQL statement to a query statement predefined in the web application and perform illegal operations without the administrator's knowledge; the database server is thereby deceived into executing unauthorized arbitrary queries, and the corresponding data is obtained.
A WAF intercepts SQL injection attack requests by matching regular expressions against request packets. SQL grammar, however, is flexible and variable and there are many types of database; if such variable requests were matched with strict rules, some normal business requests would be blocked by mistake. In common scenarios SQL injection attacks are therefore intercepted with regular matching rules loose enough not to block normal requests, and as a result some SQL injection attack requests are released because the rules are not strict enough.
Accordingly, those skilled in the art are working to develop a technical solution that enhances the ability of the WAF to intercept SQL injection attacks.
Disclosure of Invention
In view of the above defects in the prior art, the present invention provides a method, an apparatus, a terminal and a medium for detecting SQL injection vulnerabilities based on a Web application protection system, which are used to solve the technical problem of how to enhance the ability of a WAF to intercept SQL injection attacks.
In order to achieve the above object, the present invention provides a method for detecting SQL injection vulnerabilities based on a Web application protection system, which comprises: receiving an SQL injection request, and preprocessing the response content of the SQL injection request to obtain a corresponding current request return packet; extracting the longest common subsequence of the current request return packet and the standard request return packet; calculating the ratio of the message length of the longest common subsequence to that of the current request return packet, and comparing the length ratio with a preset ratio threshold; if the length ratio reaches the preset ratio threshold, the SQL injection request is passed; otherwise, regular matching is performed on the SQL injection request and it is intercepted or released according to the matching result.
In a preferred embodiment of the present invention, preprocessing the response content of the SQL injection request includes: arranging the nested key values in the response content in alphabetical order and, when the content of a nested key value is a list, keeping only the longest value of the list, so as to form a tree structure.
In another preferred embodiment of the present invention, the standard request return packet is the request return packet corresponding to the most frequent response message length, counted after the HTTP/S traffic passing through the Web application protection system has been deduplicated.
In another preferred embodiment of the present invention, the process of obtaining the standard request return packet includes: collecting HTTP/S traffic passing through the Web application protection system; deduplicating the HTTP/S traffic according to the URL and the parameter key values; counting the response message lengths of the deduplicated request return packets and selecting the request return packet corresponding to the most frequent response message length; and preprocessing the selected request return packet to obtain the standard request return packet.
In another preferred embodiment of the present invention, the length ratio is a ratio of a packet length of the longest common subsequence to a packet length of the current request return packet.
In another preferred embodiment of the present invention, the performing regular matching on the SQL injection request and intercepting or passing the SQL injection request according to a matching result includes: performing regular matching on the SQL injection request according to a regular matching rule; if the matching is successful, intercepting the SQL injection request; otherwise, the SQL injection request is passed.
In order to achieve the above object, the present invention further provides a device for detecting SQL injection vulnerabilities based on a Web application protection system, comprising: a preprocessing module for receiving an SQL injection request, preprocessing the response content of the SQL injection request and obtaining a corresponding current request return packet; a longest common subsequence extraction module for extracting the longest common subsequence of the current request return packet and the standard request return packet; and an injection request processing module for calculating the ratio of the message length of the longest common subsequence to that of the current request return packet and comparing the length ratio with a preset ratio threshold; if the length ratio reaches the preset ratio threshold, the SQL injection request is passed; otherwise, regular matching is performed on the SQL injection request and it is intercepted or released according to the matching result.
In a preferred embodiment of the present invention, the apparatus further includes a standard request return packet construction module, configured to construct the standard request return packet; the building process of the standard request return packet building module comprises the following steps: collecting HTTP/S flow passing through the Web application protection system; the HTTP/S flow is subjected to duplication elimination according to the URL and the parameter key value; counting the response message lengths of the request return packets after the duplication removal, and selecting the request return packet corresponding to the response message length with the highest frequency; and preprocessing the selected request return packet to obtain the standard request return packet.
To achieve the above and other related objects, the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the SQL injection vulnerability detection method based on a Web application protection system.
To achieve the above and other related objects, a fourth aspect of the present application provides an SQL injection vulnerability detection terminal, including: a processor and a memory; the memory is used for storing computer programs, and the processor is used for executing the computer programs stored in the memory, so that the terminal executes the SQL injection vulnerability detection method based on the Web application protection system.
The SQL injection vulnerability detection method, device, terminal and medium based on the Web application protection system have the following technical effects: the method improves how the longest common subsequence algorithm is used; it preprocesses the data structure of the request response content, derives a standard request return packet statistically from the daily traffic flowing through the WAF, extracts the longest common subsequence of the current request return packet and the standard request return packet, calculates the ratio of the length of that subsequence to the message length of the current request return packet, and decides whether to release or intercept the SQL injection request by comparing the ratio with a preset threshold. Collecting normal requests and preprocessing them in this way enhances the ability of the WAF to intercept SQL injection attacks.
The conception, the specific structure and the technical effects of the present invention will be further described with reference to the accompanying drawings to fully understand the objects, the features and the effects of the present invention.
Drawings
Fig. 1 is a schematic flowchart illustrating an SQL injection vulnerability detection method based on a Web application protection system according to an embodiment of the present invention.
FIG. 2A is a diagram illustrating a common subsequence in an embodiment of the present invention.
FIG. 2B is a diagram of a common substring according to an embodiment of the present invention.
FIG. 2C is a diagram illustrating the longest common subsequence in an embodiment of the present invention.
Fig. 3 is a schematic diagram illustrating a process of obtaining a standard request return packet according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of an SQL injection vulnerability detection apparatus based on a Web application protection system according to an embodiment of the present invention.
Fig. 5 is a schematic structural diagram of an SQL injection vulnerability detection terminal according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the drawings only show the components related to the present invention rather than the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
Some exemplary embodiments of the invention have been described for illustrative purposes, and it is to be understood that the invention may be practiced otherwise than as specifically described.
Fig. 1 shows a schematic flow chart of an SQL injection vulnerability detection method based on a Web application protection system in an embodiment of the present invention. The Web application protection system is also referred to as a website application level intrusion prevention system, which is abbreviated as WAF, and it will be understood by those skilled in the art that the Web application protection system and WAF referred to hereinafter are actually referred to in the same sense.
Illustratively, the Web application protection system may be a hardware device, a software product or a cloud-based WAF. A hardware WAF exists as an independent hardware device and supports several deployment modes in the network (such as transparent bridge mode, bypass mode and reverse proxy) to protect the Web applications behind it. A software WAF is implemented purely in software, such as ModSecurity, Naxsi or the website security dog, and has the advantages of simple installation, ease of use and low cost. A cloud-based WAF establishes a virtual host for each protected Web server, provides a corresponding security policy for each virtual host, and configures the Web application firewall as a reverse proxy that handles connection requests from the external network on behalf of the Web server: when a host on the external network accesses the internal Web server, the Web application firewall appears externally as the Web server; it forwards requests from the external network to the internal application server and returns the internal response data to the external network; it stores no real data of any internal server, and all static Web pages or CGI programs remain on the internal Web server; therefore an attack on the Web application firewall does not damage the Web page information, which enhances the security of the Web server.
In this embodiment, the method for detecting the SQL injection vulnerability based on the Web application protection system mainly includes steps S11 to S14, and the execution process and principle of each step will be further explained below.
Step S11: receiving an SQL injection request, and preprocessing the response content of the SQL injection request to obtain a corresponding current request return packet.
It should be understood that an SQL injection request exploits a Web application that does not check the validity of user-supplied data or filters it loosely: an attacker appends an additional SQL statement to a query statement predefined in the Web application and performs illegal operations without the administrator's knowledge, deceiving the database server into executing arbitrary unauthorized queries and obtaining the corresponding data.
Illustratively, the injection manner of the SQL injection request includes, but is not limited to, GET-type, POST-type, COOKIE-type and HTTP-header-type injection requests. A common format of a GET-type injection request is "id=xxx", with the parameter submitted by GET, for example: GET /sql/Less-2/?id=1; a POST-type injection request has the form, for example: POST /sql/Less-11/?id=1; a COOKIE-type injection request is similar to the GET or POST type, but the parameters are submitted in a cookie, for example: Cookie: uname=admin; the parameters of an HTTP-header-type injection request include, but are not limited to, User-Agent, Cookie, X-Forwarded-For, Client-IP, Referer, Host, etc., for example: User-Agent: Mozilla or updatexml(1,concat(0x7e,database()),0), etc.
In some optional examples, the data structure preprocessing performed on the response content of the SQL injection request specifically includes: arranging the nested key values in the request response content in alphabetical order and, when a value is a list, keeping only the longest value of the list, so as to form a tree structure.
At present, data returned by the server side must be sent in a format the browser can understand, and server-side programming languages return data in only the following three formats: the JSON data format, the XML data format and the HTML data format. JSON is the native JavaScript data format, so no special API or toolkit is needed to process JSON data in JavaScript; its rules are, for example: an object is an unordered set of "name/value" pairs, an object begins with "{" and ends with "}", each name is followed by a ":" and the name/value pairs are separated by commas. XML is a meta-language that allows users to define their own markup languages; XML itself is not recognised and run by the computer but has to be interpreted by another language, and it is a hardware- and software-independent means of transferring information. HTML is the hypertext markup language: "hypertext" means that a page can contain non-text elements such as pictures, links and even music and programs, and "markup" means information symbols the computer can understand, through which documents containing various kinds of information can be processed between computers.
For ease of understanding, the process and principle of the data structure preprocessing are illustrated below with the JSON data format: all nested key values are arranged in alphabetical order and, when a value is a list, only the longest value of the list is kept and the rest are deleted; on the same basis, the HTML/XML formats can be processed as tree structures in the same way.
Before preprocessing, the response content of the SQL injection request is:
{
"c":[
"rj131-115577",
"rj131-115577",
"rj131-115577",
"rj131-115577",
"rj131-115577",
"rj131-115577",
"rj131-115577",
"rj131-115577",
"rj131-115577",
"rj131-115577",
"rj131-115577",
"rj131-115577"
],
"a":"123",
"b":"123"
}
It should be noted that before preprocessing the nested key values are not in alphabetical order (the order is c-a-b), and the value of the nested key c is a list, namely several rows of "rj131-115577", so only the longest value of the list is kept and the rest are deleted. After preprocessing, the following tree structure is obtained:
{
"a":"123",
"b":"123",
"c":[
"rj131-115577"
]
}
Step S12: extracting the longest common subsequence of the current request return packet and the standard request return packet.
In this embodiment, the longest common subsequence algorithm is used to extract the longest common subsequence. The longest common subsequence algorithm finds, for two given strings, their longest common subsequence. It is commonly used in black-box scanners to find SQL injection by comparing the differences between the responses to normal requests and to malicious requests; in principle this can compensate well for regular rules that are not strict enough and let requests through. However, the deployment environment and capabilities of a WAF differ from those of a scanner: a scanner's normal and malicious requests are entirely determined and sent by the scanner program itself, with no interference, so a scanner can perform vulnerability detection more reliably.
It should be noted that a subsequence of a given sequence is the result of removing zero or more elements from that sequence while keeping the order of the remaining elements, and the longest common subsequence (LCS) of two sequences is the longest sequence that is a subsequence of both. It should be understood that the longest common subsequence and the longest common substring are two different concepts: a substring is any number of consecutive characters of a given string.
For ease of understanding, reference is now made to Figs. 2A to 2C:
FIG. 2A is a diagram of a common subsequence. The given sequence is {a, b, c, d, e, f, g, h}; a subsequence of it is, for example, {a, c, e, f}, that is, the result of removing the elements b, d, g and h while keeping the order of the remaining elements. The subsequences of the given sequence are not limited to this; for example {a, h} and {c, d, e} are also subsequences of the given sequence.
FIG. 2B is a diagram of common substrings. The given sequence is again {a, b, c, d, e, f, g, h}; a substring of it is, for example, {c, d, e, f}, that is, the result of removing the elements a, b, g and h so that the remaining elements are consecutive in the original sequence. The substrings of the given sequence are not limited to this; {a, b, c, d}, {g, h}, etc. are also substrings of the given sequence.
FIG. 2C shows the longest common subsequence. Given the sequence S1 = {1, 3, 4, 5, 6, 7, 7, 8} and the sequence S2 = {3, 5, 7, 4, 8, 6, 7, 8, 2}, the subsequences shared by S1 and S2 are called common subsequences, and the longest of all common subsequences is the longest common subsequence, here {3, 4, 6, 7, 8}.
In this embodiment, the standard request return packet is the request return packet corresponding to the most frequent response message length, counted after the HTTP/S traffic passing through the Web application protection system has been deduplicated. More specifically, the standard request return packet is obtained as shown in Fig. 3:
Step S31: collecting HTTP/S traffic passing through the Web application protection system.
Step S32: deduplicating the HTTP/S traffic according to the URL and the parameter key values. It should be understood that repeated request return packets with the same URL and parameter keys would distort the subsequent frequency statistics, so the HTTP/S traffic needs to be deduplicated.
Step S33: counting the response message lengths of the deduplicated request return packets, and selecting the request return packet corresponding to the most frequent response message length.
Step S34: preprocessing the selected request return packet to obtain the standard request return packet. The data formats commonly used by server-side programming languages are JSON, XML and HTML; their characteristics were described above and are not repeated here. This example again illustrates the preprocessing with the JSON data format.
For example, the request response content of a demo request case before preprocessing is:
{
"b":"123",
"c":[
"rj111-115577",
"rj121-115577",
"rj131-115577"
],
"a":"123"
}
The request response content is preprocessed as described above: the nested key values are arranged in alphabetical order and a nested key whose value is a list keeps only the longest value of the list. The final result is:
{
"a":"123",
"b":"123",
"c":[
"rj131-115577"
]
}
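As an added example (not the patent's own code), the following Python puts steps S11 and S31 to S34 together: the JSON preprocessing shown above and the frequency-based construction of the standard request return packet, including what happens when the deduplication of step S32 is skipped. The sample traffic and its url/params/response field names are constructed for the example.

```python
"""Steps S11 and S31-S34 of the patent: response preprocessing and the
statistical construction of the standard request return packet.

Added example, not the patent's own code. The sample traffic below is
constructed; the record field names url/params/response are assumptions.
"""
import json
from collections import Counter
from typing import Any


def preprocess(value: Any) -> Any:
    """Turn a parsed JSON value into the patent's tree structure.

    Dicts: keys sorted alphabetically, values preprocessed recursively.
    Lists: only the longest element survives (ties keep the last one, as
    in the patent's example), so a result list that grows from 2 rows to
    30 rows always collapses to a single row.
    """
    if isinstance(value, dict):
        return {k: preprocess(value[k]) for k in sorted(value)}
    if isinstance(value, list):
        if not value:
            return []
        longest = value[0]
        for item in value[1:]:
            if len(json.dumps(item)) >= len(json.dumps(longest)):
                longest = item
        return [preprocess(longest)]
    return value


def preprocess_response(body: str) -> str:
    """Preprocess a JSON response body and serialise it compactly, so the
    result can be fed to the longest-common-subsequence step as a string."""
    return json.dumps(preprocess(json.loads(body)), separators=(",", ":"))


def dedupe_key(record: dict) -> tuple:
    """S32: requests with the same URL and the same parameter key/values
    count once, so a request repeated many times cannot skew the statistics."""
    return (record["url"], tuple(sorted(record["params"].items())))


def standard_return_packet(traffic: list, dedupe: bool = True) -> str:
    """S31-S34: deduplicate the collected traffic, find the most frequent
    response message length, take a packet of that length and preprocess it.
    dedupe=False shows the effect of skipping step S32."""
    records = list(traffic)
    if dedupe:
        unique = {}
        for rec in records:
            unique.setdefault(dedupe_key(rec), rec)  # keep first occurrence
        records = list(unique.values())
    lengths = Counter(len(rec["response"]) for rec in records)
    modal_length, _ = lengths.most_common(1)[0]
    chosen = next(rec for rec in records if len(rec["response"]) == modal_length)
    return preprocess_response(chosen["response"])


# Constructed sample traffic (not captured data). The response for id=1 is
# longer and is repeated four times; three distinct normal requests share
# the shorter response shape. Only with deduplication does the normal
# shape win the frequency count.
SAMPLE_NORMAL_RESPONSE = (
    '{"b":"123","c":["rj111-115577","rj121-115577","rj131-115577"],"a":"123"}'
)
SAMPLE_LONG_RESPONSE = (
    '{"b":"123","c":["rj111-115577","rj121-115577","rj131-115577",'
    '"rj141-115577","rj151-115577"],"a":"123","d":"extra"}'
)
SAMPLE_TRAFFIC = (
    [{"url": "/user", "params": {"id": "1"}, "response": SAMPLE_LONG_RESPONSE}] * 4
    + [{"url": "/user", "params": {"id": str(i)}, "response": SAMPLE_NORMAL_RESPONSE}
       for i in (2, 3, 4)]
)

if __name__ == "__main__":
    print(standard_return_packet(SAMPLE_TRAFFIC))
    # → {"a":"123","b":"123","c":["rj131-115577"]}
    print(standard_return_packet(SAMPLE_TRAFFIC, dedupe=False))
```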
step S13: and calculating the message length ratio of the longest public subsequence in the current request return packet, and comparing the length ratio with a preset ratio threshold.
And the length ratio is the message length of the public subsequence/the message length of the current request return packet. For example, assuming that the request response contents of the standard request return packet are ID1 Fristname, admin Surname admin, and these request response contents are all present in the contents of the current request return packet (attack request), the longest common subsequence extracted is the entire contents of the standard request return packet. The length of the standard request return packet may be, for example, 100, and the length of the current request return packet is, for example, 300, then the calculation result of the length-to-ratio value is 1/3, and then the calculated length-to-ratio value is compared with the preset ratio threshold.
In order to further highlight the significant technical effects of the present invention, a comparison with prior art schemes is made as follows. Under the default function, after a user fills a user id into a form, the submitted request returns the relevant information of that user. Assume that the length of the returned message is 100; in most cases the return of a normal request is the same, so the response length with the highest frequency after statistics is 100. For example, after the user enters the user id, the following is returned: "ID: 1, First name: admin, Surname: admin".
When an SQL injection attack is performed on this function, because the background code has a bug and builds the SQL statement by string splicing, $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';", the spliced statement is executed as-is. Therefore, when the id parameter of a malicious request entered by the user is 1' union select 1, schema_name from information_schema.schemata #, the response changes greatly; for example, the length of the response message changes from 100 to 300.
If the longest common subsequence algorithm commonly used in scanners is applied directly to the WAF problem, it runs into the characteristics of JSON-format response messages: the key values appear in a constantly changing order, the message resembles a result list, and the number of key values keeps growing as content is added. Because the order of the key values changes, the longest common subsequence result drops and is no longer 1; or because a result that originally held only 2 entries grows to 30 entries over time, the result drops as well. The longest common subsequence computed after WAF matching is therefore low, the request is judged abnormal, and it enters the interception flow for strict regular matching, which causes false alarms.
The method improves the way the longest common subsequence algorithm is used: it preprocesses the data structure of the request response content, derives a standard request return packet statistically from the daily traffic passing through the WAF, extracts the longest common subsequence of the current request return packet and the standard request return packet with the longest common subsequence algorithm, calculates the message length ratio of that subsequence within the current request return packet, and decides whether to release or intercept the SQL injection request by comparing the ratio with a preset threshold. Collecting and preprocessing normal requests in this way enhances the WAF's ability to intercept SQL injection attacks.
Step S14: if the length ratio reaches the preset ratio threshold, the SQL injection request is passed; otherwise, regular matching is performed on the SQL injection request, and it is intercepted or released according to the matching result.
It should be noted that the preset ratio threshold may be set according to actual conditions; this embodiment does not limit it. In this example the preset ratio threshold is set to 0.5 according to an empirical value. Since the length ratio of 1/3 does not reach the preset ratio threshold of 0.5, the SQL injection request cannot be passed directly, and strict regular matching is performed on it. If the matching succeeds, the SQL injection request is intercepted; if the matching fails, the SQL injection request is released.
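The following is an added worked example of the preprocessing, longest common subsequence extraction, length ratio and Step S14 decision described above; it is example code written for this page, not code from the patent. It assumes that response bodies are either JSON or plain text (plain text is compared as-is), that the "regular matching rule" of the fallback is a single illustrative pattern, and that the threshold is the 0.5 of the embodiment. The sample bodies are constructed: one shows the false-alarm case of a benign JSON response whose keys were reordered and whose list grew, the other a response that ballooned under the union-based injection of the example above.

```python
import json
import re
from typing import Any, Tuple


def canonicalize(value: Any) -> Any:
    """Preprocessing step: nested keys are sorted alphabetically and a list keeps
    only its longest element, so the response becomes a fixed-shape tree."""
    if isinstance(value, dict):
        return {key: canonicalize(value[key]) for key in sorted(value)}
    if isinstance(value, list):
        if not value:
            return []
        longest = max(value, key=lambda item: len(json.dumps(item, sort_keys=True)))
        return [canonicalize(longest)]
    return value


def preprocess(body: str) -> str:
    """Turn a response body into the string over which the LCS is computed."""
    try:
        tree = json.loads(body)
    except ValueError:
        return body  # assumption: non-JSON bodies (plain text, HTML) are compared unchanged
    return json.dumps(canonicalize(tree), sort_keys=True, separators=(",", ":"))


def lcs_length(a: str, b: str) -> int:
    """Length of the longest common subsequence (not substring), two-row dynamic programme."""
    prev = [0] * (len(b) + 1)
    for ch_a in a:
        cur = [0]
        for j, ch_b in enumerate(b, start=1):
            cur.append(prev[j - 1] + 1 if ch_a == ch_b else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def length_ratio(current_packet: str, standard_packet: str) -> float:
    """Message length ratio of the LCS within the current request return packet."""
    if not current_packet:
        return 0.0
    return lcs_length(current_packet, standard_packet) / len(current_packet)


# Illustrative fallback rule only (assumption); a real WAF carries a full rule set.
INJECTION_RULE = re.compile(r"(?i)union\s+select|information_schema")


def check_request(param_value: str, response_body: str, standard_packet: str,
                  threshold: float = 0.5) -> Tuple[str, float]:
    """Step S14: pass when the ratio reaches the threshold, otherwise fall back to
    strict regular matching on the request parameter and intercept or release."""
    ratio = length_ratio(preprocess(response_body), standard_packet)
    if ratio >= threshold:
        return "pass", ratio
    if INJECTION_RULE.search(param_value):
        return "intercept", ratio
    return "release", ratio


# --- constructed sample data (not from the patent) --------------------------
STANDARD_JSON = preprocess('{"id":1,"first_name":"admin","surname":"admin","roles":["user"]}')
# Same user, keys reordered and the list grown: the false-alarm case of a raw LCS.
BENIGN_RESPONSE = (
    '{"roles":["user","admin","auditor","ops","dev","qa","sec","hr","fin","legal","it","pm"],'
    '"surname":"admin","id":1,"first_name":"admin"}'
)
STANDARD_TEXT = "ID: 1, First name: admin, Surname: admin"
# The union-based injection from the description: the response grows with leaked schema names.
ATTACK_PARAM = "1' union select 1, schema_name from information_schema.schemata #"
ATTACK_RESPONSE = (STANDARD_TEXT + ", First name: 1, Surname: information_schema"
                   ", First name: 1, Surname: dvwa, First name: 1, Surname: mysql")


def raw_ratio_benign() -> float:
    """Ratio on the unpreprocessed benign body, as a scanner-style LCS would compute it."""
    return length_ratio(BENIGN_RESPONSE, STANDARD_JSON)


if __name__ == "__main__":
    print("benign, raw ratio:", round(raw_ratio_benign(), 3))
    print("benign, preprocessed:", check_request("1", BENIGN_RESPONSE, STANDARD_JSON))
    print("attack:", check_request(ATTACK_PARAM, ATTACK_RESPONSE, STANDARD_TEXT))
```

Without preprocessing the benign response scores below 0.5 purely because of key order and list growth and would be pushed into the regular-matching path; after canonicalization the same body scores above 0.9 and is passed directly. The attack response shares only the standard packet as a common subsequence, so its ratio falls well below the threshold and the fallback rule decides the interception.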
Fig. 4 is a schematic structural diagram showing an SQL injection vulnerability detection apparatus based on a Web application protection system according to an embodiment of the present invention. The SQL injection vulnerability detection apparatus 400 in this embodiment includes a preprocessing module 401, a longest common subsequence extraction module 402, and an injection request processing module 403.
The preprocessing module 401 is configured to receive an SQL injection request, and preprocess response content of the SQL injection request to obtain a corresponding current request return packet.
In some examples, the preprocessing module 401 arranges the nested key values in the request response content in alphabetical order and, when a value is a list, retains only the longest list element, so as to form a tree structure.
The longest common subsequence extraction module 402 is configured to extract the longest common subsequence of the current request return packet and the standard request return packet.
In this embodiment, the longest common subsequence algorithm is used to extract the longest common subsequence. Given two strings, the algorithm finds the longest sequence that is a subsequence of both. A subsequence of a given sequence is what remains after removing zero or more of its elements without changing the order of the rest. It should be understood that the longest common subsequence and the longest common substring are two different concepts: a substring is a run of any number of consecutive characters in a given string.
The injection request processing module 403 is configured to calculate the message length ratio of the longest common subsequence in the current request return packet, and to compare the length ratio with a preset ratio threshold; if the length ratio reaches the preset ratio threshold, the SQL injection request is passed; otherwise, regular matching is performed on the SQL injection request, and it is intercepted or released according to the matching result.
In some examples, the SQL injection vulnerability detection apparatus 400 further comprises a standard request return packet construction module 404 configured to construct the standard request return packet. The construction process of the standard request return packet construction module comprises the following steps: collecting HTTP/S traffic passing through the Web application protection system; performing duplication elimination on the HTTP/S traffic according to the URL and the parameter key values; counting the response message lengths of the deduplicated request return packets and selecting the request return packet corresponding to the response message length with the highest frequency; and preprocessing the selected request return packet to obtain the standard request return packet.
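The construction process of module 404 (collect, deduplicate, count lengths, select, preprocess) as an added example; this is example code written for this page, not code from the patent. It assumes that each collected record is a dictionary with a url, its request params and the response body, that the duplication elimination key is the URL together with the parameter key/value pairs, and that the preprocessing of the selected packet is supplied as a callable (the canonicalization of the preprocessing module would be plugged in there; the default leaves the body unchanged). The traffic sample is constructed so that a hammered error response would win the count without deduplication but loses once duplicates are removed.

```python
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple


def deduplicate(traffic: Iterable[dict]) -> List[dict]:
    """Duplication elimination by URL and parameter key values: the first record
    seen for each (url, params) combination is kept, later repeats are dropped."""
    seen: Dict[Tuple, dict] = {}
    for record in traffic:
        key = (record["url"], tuple(sorted(record["params"].items())))
        seen.setdefault(key, record)
    return list(seen.values())


def most_frequent_length(records: Iterable[dict]) -> int:
    """Response message length with the highest frequency among the records."""
    counts = Counter(len(record["body"]) for record in records)
    return counts.most_common(1)[0][0]


def build_standard_packet(traffic: Iterable[dict],
                          preprocess: Callable[[str], str] = lambda body: body) -> str:
    """Select the return packet whose response length is most frequent after
    deduplication and hand it to the preprocessing step."""
    unique = deduplicate(traffic)
    if not unique:
        raise ValueError("no traffic collected for this endpoint")
    target = most_frequent_length(unique)
    chosen = next(record for record in unique if len(record["body"]) == target)
    return preprocess(chosen["body"])


# Constructed traffic for one endpoint (assumption): three ordinary lookups of equal
# length, one repeated lookup, and an error response repeated five times.
TRAFFIC = [
    {"url": "/user", "params": {"id": "1"}, "body": '{"id":1,"first_name":"admin","surname":"admin"}'},
    {"url": "/user", "params": {"id": "2"}, "body": '{"id":2,"first_name":"carol","surname":"jones"}'},
    {"url": "/user", "params": {"id": "1"}, "body": '{"id":1,"first_name":"admin","surname":"admin"}'},
    {"url": "/user", "params": {"id": "3"}, "body": '{"id":3,"first_name":"peter","surname":"smith"}'},
] + [{"url": "/user", "params": {"id": "999"}, "body": '{"error":"no such user"}'}] * 5


if __name__ == "__main__":
    print("most frequent length without deduplication:", most_frequent_length(TRAFFIC))
    print("most frequent length after deduplication:", most_frequent_length(deduplicate(TRAFFIC)))
    print("standard packet:", build_standard_packet(TRAFFIC))
```

The deduplication step is what keeps a single retried or scripted request from dominating the length statistics: in the sample the error body is the most common length in the raw traffic, but the normal 47-byte lookup becomes the standard packet once repeats are collapsed.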
It should be understood that the division of the modules of the above apparatus is only a logical division, and the actual implementation may be wholly or partially integrated into one physical entity or may be physically separated. And these modules can be realized in the form of software called by processing element; or may be implemented entirely in hardware; and part of the modules can be realized in the form of calling software by the processing element, and part of the modules can be realized in the form of hardware. For example, the injection request processing module may be a processing element separately set up, or may be implemented by being integrated into a chip of the apparatus, or may be stored in a memory of the apparatus in the form of program code, and a function of the injection request processing module may be called and executed by a processing element of the apparatus. Other modules are implemented similarly. In addition, all or part of the modules can be integrated together or can be independently realized. The processing element described herein may be an integrated circuit having signal processing capabilities. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or an instruction in the form of software.
For example, the above modules may be one or more integrated circuits configured to implement the above methods, such as: one or more Application Specific Integrated Circuits (ASICs), or one or more microprocessors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs), among others. For another example, when one of the above modules is implemented in the form of a Processing element scheduler code, the Processing element may be a general-purpose processor, such as a Central Processing Unit (CPU) or other processor capable of calling program code. For another example, these modules may be integrated together and implemented in the form of a system-on-a-chip (SOC).
Fig. 5 shows a schematic structural diagram of an SQL injection vulnerability detection terminal according to an embodiment of the present invention. The SQL injection vulnerability detection terminal comprises: a processor 51, a memory 52, a communicator 53; the memory 52 is connected with the processor 51 and the communicator 53 through a system bus and completes mutual communication, the memory 52 is used for storing computer programs, the communicator 53 is used for communicating with other devices, and the processor 51 is used for running the computer programs, so that the electronic terminal executes the steps of the SQL injection vulnerability detection method based on the Web application protection system.
The above-mentioned system bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The system bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus. The communication interface is used for realizing communication between the database access device and other equipment (such as a client, a read-write library and a read-only library). The Memory may include a Random Access Memory (RAM), and may further include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The invention also provides a computer readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the SQL injection vulnerability detection method based on the Web application protection system is realized.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the above method embodiments may be performed by hardware associated with a computer program. The aforementioned computer program may be stored in a computer readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
In the embodiments provided herein, the computer-readable and writable storage medium may include read-only memory, random-access memory, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory, a USB flash drive, a removable hard disk, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer. Also, any connection is properly termed a computer-readable medium. For example, if the instructions are transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. It should be understood, however, that computer-readable-writable storage media and data storage media do not include connections, carrier waves, signals, or other transitory media, but are intended to be non-transitory, tangible storage media. Disk and disc, as used in this application, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers.
In summary, the invention provides a method, a device, a terminal and a medium for detecting SQL injection vulnerabilities based on a Web application protection system. They improve the way the longest common subsequence algorithm is used: the data structure of the request response content is preprocessed, a standard request return packet is derived statistically from the daily traffic passing through the WAF, the longest common subsequence of the current request return packet and the standard request return packet is extracted with the longest common subsequence algorithm, the message length ratio of that subsequence within the current request return packet is calculated, and whether to release or intercept the SQL injection request is decided by comparing the ratio with a preset threshold. Collecting and preprocessing normal requests in this way enhances the WAF's ability to intercept SQL injection attacks.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical spirit of the present invention be covered by the claims of the present invention.
Claims (10)
1. A SQL injection vulnerability detection method based on a Web application protection system is characterized by comprising the following steps:
receiving an SQL injection request, and preprocessing response content of the SQL injection request to obtain a corresponding current request return packet;
extracting the longest common subsequence of the current request return packet and a standard request return packet;
calculating the message length ratio of the longest common subsequence in the current request return packet, and comparing the length ratio with a preset ratio threshold;
if the length ratio reaches the preset ratio threshold, the SQL injection request is passed; otherwise, performing regular matching on the SQL injection request, and performing interception or release processing according to the matching result.
2. The method according to claim 1, wherein the preprocessing of the response content of the SQL injection request comprises: arranging nested key values in the response content in alphabetical order, and, when the content of a nested key value is a list, keeping only the longest value of the list, so as to form a tree structure.
3. The method according to claim 1, wherein the standard request return packet is: the request return packet corresponding to the response message length with the highest frequency, counted after the HTTP/S traffic passing through the Web application protection system has been deduplicated.
4. The method according to claim 3, wherein the obtaining of the standard request return packet comprises:
collecting HTTP/S traffic passing through the Web application protection system;
performing duplication elimination on the HTTP/S traffic according to the URL and the parameter key values;
counting the response message lengths of the deduplicated request return packets, and selecting the request return packet corresponding to the response message length with the highest frequency;
and preprocessing the selected request return packet to obtain the standard request return packet.
5. The method according to claim 1, wherein the length ratio is the ratio of the message length of the longest common subsequence to the message length of the current request return packet.
6. The method according to claim 1, wherein the regular matching of the SQL injection request and the interception or passing processing according to the matching result comprise: performing regular matching on the SQL injection request according to a regular matching rule; if the matching is successful, intercepting the SQL injection request; otherwise, the SQL injection request is passed.
7. An SQL injection vulnerability detection apparatus based on a Web application protection system, characterized by comprising:
a preprocessing module, configured to receive an SQL injection request and preprocess the response content of the SQL injection request to obtain a corresponding current request return packet;
a longest common subsequence extraction module, configured to extract the longest common subsequence of the current request return packet and a standard request return packet;
an injection request processing module, configured to calculate the message length ratio of the longest common subsequence in the current request return packet and compare the length ratio with a preset ratio threshold; if the length ratio reaches the preset ratio threshold, the SQL injection request is passed; otherwise, regular matching is performed on the SQL injection request, and interception or release processing is performed according to the matching result.
8. The Web application protection system-based SQL injection vulnerability detection apparatus of claim 7, further comprising: a standard request return packet construction module, configured to construct the standard request return packet; the construction process of the standard request return packet construction module comprises the following steps: collecting HTTP/S traffic passing through the Web application protection system; performing duplication elimination on the HTTP/S traffic according to the URL and the parameter key values; counting the response message lengths of the deduplicated request return packets, and selecting the request return packet corresponding to the response message length with the highest frequency; and preprocessing the selected request return packet to obtain the standard request return packet.
9. A computer-readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the SQL injection vulnerability detection method based on the Web application protection system according to any of claims 1 to 6.
10. An SQL injection vulnerability detection terminal, characterized by comprising: a processor and a memory;
the memory is used for storing a computer program;
the processor is used for executing the computer program stored in the memory, so as to cause the terminal to execute the SQL injection vulnerability detection method based on the Web application protection system according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111450884.7A CN114157476A (en) | 2021-12-01 | 2021-12-01 | SQL injection vulnerability detection method, device, terminal and medium based on Web application protection system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114157476A true CN114157476A (en) | 2022-03-08 |
Family
ID=80455808
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111450884.7A Pending CN114157476A (en) | 2021-12-01 | 2021-12-01 | SQL injection vulnerability detection method, device, terminal and medium based on Web application protection system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114157476A (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8225402B1 (en) * | 2008-04-09 | 2012-07-17 | Amir Averbuch | Anomaly-based detection of SQL injection attacks |
CN106357696A (en) * | 2016-11-14 | 2017-01-25 | 北京神州绿盟信息安全科技股份有限公司 | Detection method and detection system for SQL injection attack |
CN107566392A (en) * | 2017-09-22 | 2018-01-09 | 北京知道创宇信息技术有限公司 | A kind of detection method and proxy server of the type SQL injection that reports an error |
CN109246113A (en) * | 2018-09-21 | 2019-01-18 | 郑州云海信息技术有限公司 | A kind of the SQL injection leak detection method and device of REST API |
US20190306191A1 (en) * | 2018-03-30 | 2019-10-03 | Beijing Baidu Netcom Science And Technology Co., Ltd. | Sql injection interception detection method and device, apparatus and computer readable medium |
CN111581637A (en) * | 2020-05-20 | 2020-08-25 | 深圳前海微众银行股份有限公司 | SQL injection detection method, device, equipment and computer storage medium |
CN113726787A (en) * | 2021-08-31 | 2021-11-30 | 中国平安人寿保险股份有限公司 | SQL injection generation method, device, equipment and storage medium |
Non-Patent Citations (1)
Title |
---|
吉睿 (Ji Rui): "对网站安全狗SQL注入防护缺陷的研究" (Research on the SQL injection protection defects of the Website Safedog), 网络安全技术与应用 (Network Security Technology and Application), no. 06, 15 June 2016 (2016-06-15) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination |