WO2013065087A1 - Diagnostic device - Google Patents


Info

Publication number
WO2013065087A1
Authority
WO
WIPO (PCT)
Application number
PCT/JP2011/006137
Other languages
French (fr)
Japanese (ja)
Inventor
雅之 久田
Original Assignee
株式会社Nst

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Definitions

  • the present invention relates to data processing technology, and more particularly to an apparatus for diagnosing application vulnerabilities.
  • the present invention has been made in view of these problems, and a main purpose thereof is to provide a technique that can contribute to improving the reliability of vulnerability detection of applications.
  • a diagnostic device is a device for diagnosing the vulnerability of an application that issues queries to a database, and includes a supply unit that supplies to the application a plurality of types of requests containing special characters predetermined for the database, and a determination unit that determines that a vulnerability exists when, in a query generated by the application that received those requests, a special character is set in a conditional clause without being escaped.
  • the outline of the diagnostic apparatus is as follows.
  • This apparatus diagnoses whether or not there is a vulnerability in the Web application by confirming the content of the SQL query generated by the Web application based on the request.
  • this apparatus generates a plurality of types of requests (hereinafter also referred to as “diagnostic requests”) in which pseudo-attack data (character strings including special characters) is set as a parameter, and sends them to the Web application to be diagnosed.
  • This apparatus acquires the SQL query generated by the Web application based on these requests. Then, it is determined whether or not there is a vulnerability by checking whether or not the special character set in the conditional clause of the acquired SQL query has been escaped (hereinafter also referred to as “escape determination”).
  • this apparatus also checks whether the syntax of the SQL query generated by the Web application from a diagnostic request differs from the syntax of the SQL query generated from the request that served as its template, in which normal data is set as the parameter (hereinafter also referred to as a “normal request”), and determines from this whether a vulnerability exists (hereinafter also referred to as “syntax determination”). Further, it determines whether a vulnerability exists by checking whether the SQL query based on the diagnostic request is a syntax error (hereinafter also referred to as “error determination”).
  • FIG. 1 shows the process of diagnosis in the present embodiment.
  • the diagnosis process is roughly divided into a crawling phase, a test case generation phase, a test phase, and an analysis phase.
  • Crawling phase: This is the phase in which the normal requests that serve as templates for diagnostic requests are acquired. Specifically, the requests transmitted while following the links contained in responses are acquired as normal requests. The SQL query generated by the Web application from each normal request is also acquired; it is used in the syntax determination of the analysis phase.
  • Test case generation phase: This is the phase in which diagnostic requests are generated. Specifically, various diagnostic requests are generated using the normal requests acquired in the crawling phase as templates.
  • Test phase: This is the phase in which the pseudo attack is performed. Specifically, the plurality of diagnostic requests generated in the test case generation phase are transmitted to the Web application under diagnosis, and the SQL queries generated by the Web application from those diagnostic requests are acquired.
  • Analysis phase: This is the phase in which it is analyzed whether a vulnerability exists. Specifically, escape determination, syntax determination, and error determination are performed using the SQL queries acquired in the test phase and the crawling phase.
  • FIG. 2 shows the function and configuration of the diagnostic apparatus 400 according to the present embodiment.
  • Each of these blocks can be realized in hardware by elements such as a computer CPU or by mechanical devices, and in software by a computer program or the like; here they are drawn as functional blocks realized by the cooperation of both. Those skilled in the art will therefore understand that these functional blocks can be realized in various forms by combinations of hardware and software.
  • the diagnosis device 400 is a device for diagnosing the vulnerability of a Web application; the Web application to be diagnosed is run inside this device, and its vulnerability is diagnosed there.
  • Diagnosis device 400 includes information analysis device 200 and information collection device 300.
  • the diagnosis device 400 may be a single device that integrally includes the functions of the information analysis device 200 and the information collection device 300, or may be a collection of two devices.
  • the operation terminal 100 is an information processing terminal operated by a person in charge of diagnosis (hereinafter referred to as “diagnosis practitioner”), and receives predetermined information and instructions from the diagnosis practitioner. Then, the information is transmitted to the diagnostic apparatus 400.
  • the information analysis apparatus 200 includes a crawling unit 210, a pseudo attack data holding unit 220, a request generation unit 230, a request supply unit 240, a response reception unit 250, an association unit 260, a syntax analysis unit 270, a determination unit 280, and a result display unit 290.
  • the information collection device 300 includes an execution environment 310, a request acquisition unit 320, a request holding unit 330, a query acquisition unit 340, and a query holding unit 350.
  • the crawling unit 210 receives information about a request serving as the starting point from the operation terminal 100 and transmits a request based on that information to the application 318. Further, when a response from the application 318 contains links, it transmits requests that follow those links one after another. The information collection apparatus 300 acquires the requests transmitted at this time (normal requests) and the SQL queries issued by the application 318 based on them.
  • the pseudo attack data holding unit 220 holds the pseudo attack data set as parameters when generating a diagnosis request.
  • the “pseudo attack data” is data in which a known attack pattern for confirming the presence or absence of an SQL injection vulnerability is set; for example, it is data including special characters such as “'” (single quotation) and “%”.
  • the request generation unit 230 generates a plurality of diagnosis requests based on the plurality of normal requests held in the request holding unit 330, which were acquired in the crawling phase. Specifically, a diagnosis request is generated by replacing the value set in a parameter of an acquired request with pseudo attack data.
  • a plurality of diagnosis requests are generated from each normal request based on a plurality of pseudo-attack data so that it can be comprehensively checked whether or not there is a vulnerability.
  • FIG. 3A shows an example of a normal request that serves as a template for a diagnostic request
  • FIGS. 3B to 3D show diagnostic requests generated based on the normal request of FIG. 3A.
  • In the diagnosis request shown in FIG. 3B, the parameter “user1” of the normal request shown in FIG. 3A is replaced with the special character “%”.
  • the request supply unit 240 transmits a plurality of diagnosis requests generated by the request generation unit 230 to the application 318.
  • the response receiving unit 250 receives a response from the application 318.
  • the execution environment 310 is an environment for operating the application 318 to be diagnosed, and includes a Web server 312, an application server 314, and a database server 316.
  • the Web server 312 has a function of transmitting a processing result or the like by a Web application in response to a client request.
  • the application server 314 has a function of executing various business processes by executing a Web application.
  • the database server 316 has a function of searching and outputting information stored in the database in response to a query.
  • the escape character for the database server 316 is “\” (backslash).
  • In the execution environment 310, the application 318 to be diagnosed is deployed. This deployment is performed by the person who receives the vulnerability diagnosis service; of course, it may also be performed by a diagnosis practitioner who has received a request from that person.
  • the request acquisition unit 320 provides a so-called HTTP proxy server function and relays requests for the application 318 from the information analysis apparatus 200. At that time, the request content is acquired and stored in the request holding unit 330. The request acquisition unit 320 acquires both the requests transmitted by the crawling unit 210 in the crawling phase and the requests transmitted by the request supply unit 240 in the test phase.
  • the request holding unit 330 holds the request acquired by the request acquisition unit 320.
  • FIG. 4 shows the data structure of the request holding unit 330.
  • the request holding unit 330 holds a request ID for uniquely identifying a held request, a request, and a time stamp at the time of acquisition in association with each other.
  • among the requests acquired in the crawling phase, only those containing a predetermined protocol, host name, and directory path may be held. For example, if only requests with the protocol “http” and the host name “www.example.co.jp” are retained (with no directory path specified), external sites that are not eligible for diagnosis can be excluded from the targets to which diagnosis requests are sent in the test phase.
  • the query acquisition unit 340 provides a so-called SQL proxy server function, and relays the SQL query issued by the application 318 to the database. At that time, the contents of the SQL query are acquired and stored in the query holding unit 350.
  • the query holding unit 350 holds the SQL query acquired by the query acquisition unit 340.
  • FIG. 5 shows the data structure of the query holding unit 350.
  • the query holding unit 350 holds the SQL query ID for uniquely identifying the held SQL query, the SQL query, and the time stamp at the time of acquisition in association with each other.
  • the associating unit 260 identifies the request from which each SQL query was generated. Specifically, the request whose time stamp immediately precedes the time stamp of the SQL query is identified as the request underlying that SQL query. For example, assume that the data held in the request holding unit 330 and the query holding unit 350 are in the states shown in FIGS. 4 and 5. In this case, the request underlying the SQL queries with SQL query IDs “4” and “5” is identified as the request with request ID “2”, which has the immediately preceding time stamp.
  • the syntax analysis unit 270 performs syntax analysis of the conditional clause of the SQL query held in the query holding unit 350, specifically, creates a syntax tree.
  • an arbitrary syntax analyzer such as existing syntax analysis software can be used.
  • FIG. 6A shows an SQL query generated based on the normal request shown in FIG. 3A
  • FIG. 6B shows its syntax tree.
  • the leaf node 10 is a node in the lowest layer of the syntax tree, and an operand is assigned to it.
  • the internal node 20 is a node other than in the lowest layer; it has a plurality of child nodes, and an operator is assigned to it. If the SQL query to be parsed contains a syntax error, the syntax analysis unit 270 detects that fact.
  • the determination unit 280 performs escape determination using the syntax tree generated by the syntax analysis unit 270. Specifically, the operand of the lowest node of the syntax tree is checked, and if a special character is included, it is checked whether or not it is escaped.
  • FIGS. 7A and 8A are SQL queries generated based on the diagnostic request of FIG. 3B, generated when there is no SQL injection vulnerability and when there is a vulnerability, respectively. FIGS. 7B and 8B show the syntax trees of the SQL queries in FIGS. 7A and 8A, respectively.
  • In FIG. 7A, the special character “%” is escaped and becomes “\%”.
  • In FIG. 8A, the special character “%” is set without being escaped. In this case, the determination unit 280 determines that a vulnerability exists.
  • the determination unit 280 performs syntax determination using the syntax trees of the SQL query based on the normal request and the SQL query based on the diagnostic request. Specifically, after the associating unit 260 has associated each request with the SQL query generated from it, the syntax tree of the SQL query based on a normal request is compared with the syntax tree of the SQL query based on the diagnostic request generated using that normal request as a template, to check whether the depth and width differ and whether the operator assigned to a corresponding node differs.
  • FIGS. 9A and 10A are SQL queries generated based on the diagnostic request of FIG. 3C, generated when there is no SQL injection vulnerability and when there is a vulnerability, respectively.
  • In FIG. 10A, the syntax of the SQL query differs from that of the SQL query based on the normal request.
  • In this case, the determination unit 280 determines that a vulnerability exists. As described above, by performing syntax determination it is possible to determine whether a vulnerability exists even when the pseudo attack data changes the syntax and the special character is not included in any operand.
  • the determination unit 280 confirms whether or not an SQL query based on the diagnosis request includes a syntax error, and performs error determination.
  • FIGS. 11A and 11B are SQL queries generated based on the diagnostic request of FIG. 3D, generated when there is no SQL injection vulnerability and when there is a vulnerability, respectively.
  • In FIG. 11B, since the special character “'” is not escaped, “pass” becomes the search condition for passwd, and the “1'” that follows is invalid as SQL. Therefore, in FIG. 11B an error occurs when the syntax analysis unit 270 performs syntax analysis. In this case, the determination unit 280 determines that a vulnerability exists.
  • the result display unit 290 displays the diagnosis result on the operation terminal 100.
  • FIG. 12 is a screen showing the diagnosis result displayed by the result display unit 290.
  • a result 70 indicates a diagnosis result of whether or not a vulnerability exists.
  • Detailed information 80 indicates details of the diagnosis result. Specifically, an SQL query that is a basis for a diagnosis result that vulnerability exists, and a result of each determination for the SQL query are shown. In addition, the result of association by the association unit 260 is received, and the request that is the basis of the SQL query is also displayed.
  • FIG. 13 is a flowchart showing the operation of the diagnostic apparatus 400.
  • FIG. 13A shows the operation in the crawling phase
  • FIG. 13B shows the operation in the test case generation phase
  • FIG. 13C shows the operation in the test phase
  • FIG. 13D shows the operation in the analysis phase.
  • the crawling unit 210 of the information analysis device 200 transmits to the application 318 a base request based on information received from the operation terminal 100, or a normal request based on a link included in a response (S10).
  • the request acquisition unit 320 of the information collection device 300 relays a request to the application 318, and at that time, acquires a normal request and holds it in the request holding unit 330 (S20).
  • Upon receiving the request, the application 318 generates an SQL query and issues it to the database.
  • the query acquisition unit 340 relays the query, and at that time, acquires the SQL query and holds it in the query holding unit 350 (S30).
  • the response receiving unit 250 of the information analysis apparatus 200 receives a response from the application 318 (S40). When a link is included in the response from the application 318, this flow is repeated and a normal request based on the link is transmitted to the application 318. In this way, the normal request and the SQL query based on the normal request are acquired.
  • the request generation unit 230 of the information analysis apparatus 200 generates a plurality of diagnosis requests based on the plurality of normal requests acquired in the crawling phase (S50).
  • the request supply unit 240 of the information analysis apparatus 200 transmits a diagnosis request to the application 318 (S60).
  • the request acquisition unit 320 of the information collection device 300 acquires the diagnosis request and holds it in the request holding unit 330, in the same manner as in the crawling phase (S70).
  • the query acquisition unit 340 acquires the SQL query and stores it in the query holding unit 350 (S80).
  • the response receiving unit 250 of the information analysis apparatus 200 receives a response from the application 318 (S90). This flow is repeated for the number of diagnostic requests generated in the test case generation phase. In this way, the diagnosis request and the SQL query based on the diagnosis request are acquired.
  • the syntax analysis unit 270 of the information analysis device 200 parses the SQL query acquired by the query acquisition unit 340 of the information collection device 300, and generates a syntax tree (S100).
  • the determination unit 280 performs escape determination on the syntax tree, checking whether the special characters it contains are appropriately escaped (S110).
  • an error determination is made as to whether the SQL query has a syntax error (S130). If any one of the three determinations finds a vulnerability, the Web application under diagnosis is determined to have a vulnerability.
  • the result display unit 290 displays the diagnosis result on the operation terminal 100 (S140).
  • the SQL query generated by the application from the diagnosis request is examined to determine whether an SQL injection vulnerability exists. The determination is therefore not affected by how the application is built, and whether a vulnerability exists can be determined more reliably than by checking the response from the application. Since it is also checked whether the SQL query has been altered by the pseudo attack data, a vulnerability can be detected even when the syntax is changed and the special character is not included in any operand. In addition, the request from which an SQL query was generated can be identified from the time stamps, and identifying that request makes it easy to locate the part of the application in which the vulnerability exists.
  • Modification 1: In the embodiment, an example in which the diagnosis target is a Web application has been described, but the present invention is not limited to this; the target may be a network application. Also, the embodiment shows an example of diagnosing an SQL injection vulnerability, that is, an example in which the query issued by the application is an SQL query; the present invention is not limited to this, and other queries such as XQuery may be used.
  • In the embodiment, an example in which the information collection device 300 is a single device having the functions of a Web server, an application server, and a database server has been described, but the present invention is not limited to this. For example, the Web server, the application server, and the database server may be mounted on physically different devices, and the information collection device 300 may be the collection of them. Of course, it may also be an aggregate of a device having any two of the three server functions and a device having the remaining function.
  • In the embodiment, an example of a three-layer structure including a Web server, an application server, and a database server is shown, but the present invention is not limited to this. For example, a two-layer structure with no Web server, consisting of an application server and a database server, may be used. In this case too, each server function may of course be implemented in a physically different device.
  • Modification 3: In the embodiment, an example in which the determinations are made in the order escape determination, syntax determination, error determination is shown, but the present invention is not limited to this. For example, the determinations may be made in the order error determination, syntax determination, escape determination.
  • 100 operation terminal, 200 information analysis device, 210 crawling unit, 220 pseudo attack data holding unit, 230 request generation unit, 240 request supply unit, 250 response reception unit, 260 association unit, 270 syntax analysis unit, 280 determination unit, 300 information collection device, 310 execution environment, 320 request acquisition unit, 330 request holding unit, 340 query acquisition unit, 350 query holding unit, 400 diagnostic device.
  • the present invention can be used for an apparatus for diagnosing application vulnerabilities.
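The time-stamp association performed by the associating unit 260 against the request holding unit (FIG. 4) and query holding unit (FIG. 5), as an added example that is not the patent's own code: each captured SQL query is matched to the request with the latest time stamp not later than its own, the "immediately preceding" request of the description. `Record`, `associate`, `queries_per_request` and the holding-unit contents are constructed here.

```python
from bisect import bisect_right
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    """One row of the request holding unit or the query holding unit: ID, content, time stamp."""
    rec_id: int
    body: str
    stamp: datetime


def associate(requests, queries):
    """Map each SQL query ID to the ID of the request whose time stamp is the latest
    one not later than the query's time stamp; None when no request precedes it."""
    reqs = sorted(requests, key=lambda r: r.stamp)
    stamps = [r.stamp for r in reqs]
    mapping = {}
    for q in queries:
        i = bisect_right(stamps, q.stamp)  # number of requests with stamp <= q.stamp
        mapping[q.rec_id] = reqs[i - 1].rec_id if i else None
    return mapping


def queries_per_request(requests, queries):
    """Inverse view for the result display: request ID -> IDs of the queries it produced."""
    grouped = {r.rec_id: [] for r in requests}
    for q_id, r_id in associate(requests, queries).items():
        if r_id is not None:
            grouped[r_id].append(q_id)
    return grouped


def t(ms):
    """Constructed time stamps: milliseconds after a fixed base instant."""
    return datetime(2011, 11, 1, 10, 0, 0) + timedelta(milliseconds=ms)


# Constructed holding-unit contents (not the data of FIGS. 4 and 5).
REQUESTS = [
    Record(1, "GET /index.html", t(0)),
    Record(2, "GET /login?userid=user1&passwd=pass", t(500)),
    Record(3, "GET /list?page=1", t(1200)),
]
QUERIES = [
    Record(3, "SELECT * FROM banners", t(100)),
    Record(4, "SELECT * FROM users WHERE userid = 'user1' AND passwd = 'pass'", t(600)),
    Record(5, "SELECT * FROM sessions WHERE userid = 'user1'", t(700)),
    Record(6, "SELECT * FROM items LIMIT 10", t(1200)),  # same stamp as request 3
    Record(7, "SELECT 1", t(-50)),  # captured before any request was relayed
]
```

Queries 4 and 5 both resolve to request 2, mirroring the page's own example; a query with no earlier request maps to None rather than to a wrong request.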

Abstract

An information analysis device (200) generates and sends a diagnosis request to an application to be diagnosed (318). On the basis of said request, an information gathering device (300) acquires a generated SQL query. The information analysis device (200) checks whether a special character set in an SQL query conditional clause has been escape-processed, thereby determining whether vulnerability exists. Moreover, the information analysis device (200) checks whether the syntax of the SQL query based on the diagnosis request is different from the syntax of an SQL query based on a normal request, and determines whether vulnerability exists. In addition, by checking whether the query based on the diagnosis request is a syntax error, said information analysis device (200) determines whether vulnerability exists.

Description

Diagnostic device
The present invention relates to data processing technology, and more particularly to an apparatus for diagnosing application vulnerabilities.
Among the information leakage incidents caused by application vulnerabilities, those caused by injection attacks, which interfere with the database to cause information leakage or falsification, are numerous and tend to cause enormous damage. According to the “Cyber Security Trend Analysis Report 2010” compiled by NRI SecureTechnologies, Ltd., SQL injection vulnerabilities were detected in 17% of the Web application diagnoses in which unauthorized access was judged possible. Also, according to the “Information Security Event Damage Survey for Enterprises” compiled by the Information-technology Promotion Agency, Japan, the cost of recovery and response to unauthorized access exploiting an SQL injection vulnerability is estimated at 50 million to over 100 million yen per company. Under such circumstances, security diagnosis that detects application vulnerabilities is extremely important for preventing damage before it occurs.
As a technique for detecting vulnerabilities, a method is known in which pseudo-attack data is embedded in a request to the application and a judgment is made based on whether the response contains a known pattern that appears when the attack succeeds (see, for example, Patent Document 1).
Patent Document 1: JP 2008-299540 A
However, depending on how the application is built, a vulnerability may not be detectable simply by checking the response. For example, even when a request is sent containing pseudo-attack data that would cause the database query to fail if a vulnerability exists, depending on how the application's error handling is built, no trace of the vulnerability may be returned to the client side. As a result, the vulnerability may be missed.
The present invention has been made in view of these problems, and its main purpose is to provide a technique that can contribute to improving the reliability of application vulnerability detection.
In order to solve the above problems, a diagnostic device according to an aspect of the present invention is a device for diagnosing the vulnerability of an application that issues queries to a database, and includes a supply unit that supplies to the application a plurality of types of requests containing special characters predetermined for the database, and a determination unit that determines that a vulnerability exists when, in a query generated by the application that received those requests, a special character is set in a conditional clause without being escaped.
Note that any combination of the above constituent elements, and the expression of the present invention converted between a method, a system, a program, a recording medium storing the program, and the like, are also effective as aspects of the present invention.
According to the present invention, it is possible to contribute to improving the reliability of application vulnerability detection.
  • A diagram showing the process of diagnosis in the present embodiment.
  • A diagram showing the function and configuration of the diagnostic apparatus of the embodiment.
  • A diagram showing examples of a normal request and diagnostic requests.
  • A diagram showing the data structure of the request holding unit of FIG. 2.
  • A diagram showing the data structure of the query holding unit of FIG. 2.
  • A diagram showing an SQL query based on a normal request and its syntax tree.
  • A diagram showing an SQL query based on a diagnostic request and its syntax tree.
  • A diagram showing an SQL query based on a diagnostic request and its syntax tree.
  • A diagram showing an SQL query based on a diagnostic request and its syntax tree.
  • A diagram showing an SQL query based on a diagnostic request and its syntax tree.
  • A diagram showing an SQL query based on a diagnostic request.
  • A diagram showing the diagnosis result displayed by the result display unit of FIG. 2.
  • A flowchart showing the operation of the diagnostic apparatus of the embodiment in the crawling phase.
  • A flowchart showing the operation of the diagnostic apparatus of the embodiment in the test case generation phase.
  • A flowchart showing the operation of the diagnostic apparatus of the embodiment in the test phase.
  • A flowchart showing the operation of the diagnostic apparatus of the embodiment in the analysis phase.
The outline of the diagnostic apparatus according to the embodiment is as follows.
This apparatus diagnoses whether a vulnerability exists in a Web application by examining the content of the SQL query that the Web application generates from a request. For this purpose, the apparatus generates a plurality of types of requests in which pseudo-attack data (character strings including special characters) is set as a parameter (hereinafter also called “diagnostic requests”) and sends them to the Web application under diagnosis. The apparatus acquires the SQL queries that the Web application generates from these requests. It then determines whether a vulnerability exists by checking whether the special characters set in the conditional clause of each acquired SQL query have been escaped (hereinafter also called “escape determination”).
The apparatus also checks whether the syntax of the SQL query generated by the Web application from a diagnostic request differs from the syntax of the SQL query generated from the request that served as its template, in which ordinary data is set as the parameter (hereinafter also called a “normal request”), and determines from this whether a vulnerability exists (hereinafter also called “syntax determination”). Further, it determines whether a vulnerability exists by checking whether the SQL query based on the diagnostic request is a syntax error (hereinafter also called “error determination”).
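The three determinations outlined above, and detailed for the syntax analysis unit 270 and determination unit 280 in the Definitions (leaf operands, internal operator nodes, comparison of depth, width and operators), worked as an added example rather than code from the patent: a small parser turns the WHERE clause of a captured query into a syntax tree, then escape, syntax and error determination run over constructed queries modelled on the cases of FIGS. 6 to 11. The grammar (comparisons joined by AND/OR), the backslash escape character and the special characters `'` and `%` follow the page; the parser, the sample queries and all function names are constructed here.

```python
import re
from dataclasses import dataclass, field

SPECIAL_CHARS = {"%", "'"}  # special characters named on the page; the escape character is backslash
TOKEN_RE = re.compile(      # a string literal must close; an unescaped quote in the data cannot
    r"\s*(?:'(?P<str>(?:[^'\\]|\\.)*)'|(?P<num>\d+)|(?P<kw>(?i:AND|OR|LIKE)\b)"
    r"|(?P<id>[A-Za-z_]\w*)|(?P<op><>|!=|<=|>=|[=<>]))", re.DOTALL)


@dataclass
class Node:
    label: str            # operator for internal nodes, token kind for leaves
    value: str = None     # operand text (leaves only)
    children: list = field(default_factory=list)


def tokenize(text):
    """Split a conditional clause into (kind, value) tokens; literals keep their raw body."""
    tokens, i, text = [], 0, text.rstrip()
    while i < len(text):
        m = TOKEN_RE.match(text, i)
        if not m:  # e.g. a string literal that is never closed
            raise SyntaxError("cannot tokenize at offset %d: %r" % (i, text[i:i + 10]))
        kind, val = m.lastgroup, m.group(m.lastgroup)
        if kind == "kw":
            val = val.upper()
        tokens.append((kind, val))
        i = m.end()
    return tokens


class Parser:
    """expr := term (OR term)*; term := cmp (AND cmp)*; cmp := operand op operand."""
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)
    def parse(self):
        node = self.binary("OR", lambda: self.binary("AND", self.cmp))
        if self.pos != len(self.toks):
            raise SyntaxError("trailing tokens from %r" % (self.toks[self.pos][1],))
        return node
    def binary(self, keyword, sub):  # left-associative chain joined by AND or OR
        node = sub()
        while self.peek() == ("kw", keyword):
            self.pos += 1
            node = Node(keyword, children=[node, sub()])
        return node
    def cmp(self):  # operand <comparison operator> operand
        left = self.operand()
        kind, val = self.peek()
        if kind != "op" and (kind, val) != ("kw", "LIKE"):
            raise SyntaxError("expected comparison operator, got %r" % (val,))
        self.pos += 1
        return Node(val, children=[left, self.operand()])
    def operand(self):
        kind, val = self.peek()
        if kind not in ("str", "num", "id"):
            raise SyntaxError("expected operand, got %r" % (val,))
        self.pos += 1
        return Node(kind, value=val)


def parse_where(sql):
    """Parse the conditional clause of a captured SQL query into a syntax tree."""
    m = re.search(r"\bWHERE\b(.*)$", sql, re.IGNORECASE | re.DOTALL)
    if not m:
        raise SyntaxError("query has no WHERE clause")
    return Parser(tokenize(m.group(1))).parse()


def has_unescaped_special(tree):
    """Escape determination: a string operand holds a special character not preceded by the escape character."""
    if tree.label == "str":
        bare = re.sub(r"\\.", "", tree.value, flags=re.DOTALL)  # drop escaped pairs
        return any(ch in SPECIAL_CHARS for ch in bare)
    return any(has_unescaped_special(c) for c in tree.children)


def syntax_differs(a, b):
    """Syntax determination: depth, width or a corresponding operator differs (operand values ignored)."""
    if a.label != b.label or len(a.children) != len(b.children):
        return True
    return any(syntax_differs(x, y) for x, y in zip(a.children, b.children))


def diagnose(normal_sql, diag_sql):
    """Run the three determinations on the query produced by a diagnostic request."""
    try:
        tree = parse_where(diag_sql)
    except SyntaxError:  # error determination
        return {"escape": False, "syntax": False, "error": True, "vulnerable": True}
    escape = has_unescaped_special(tree)
    syntax = syntax_differs(parse_where(normal_sql), tree)
    return {"escape": escape, "syntax": syntax, "error": False, "vulnerable": escape or syntax}


# Constructed sample queries (not the patent's own data), modelled on the cases of FIGS. 6-11.
Q = "SELECT * FROM users WHERE userid = %s AND passwd = %s"
NORMAL = Q % ("'user1'", "'pass'")
SAMPLES = {
    "pct_escaped": Q % ("'\\%'", "'pass'"),                          # safe
    "pct_raw": Q % ("'%'", "'pass'"),                                # escape flag
    "quote_escaped": Q % ("'user1'", "'pass\\' OR \\'x\\'=\\'x'"),  # safe
    "quote_raw": Q % ("'user1'", "'pass' OR 'x'='x'"),              # syntax flag
    "broken": Q % ("'user1'", "'pass'1'"),                          # error flag
}
```

The `quote_raw` case is the one the page singles out: no operand contains an unescaped special character, yet the tree gains an OR node, so only the syntax determination catches it.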
 図1は、本実施の形態における診断の処理過程を示す。診断の処理過程は、巡回フェーズ、テストケース生成フェーズ、テストフェーズ、分析フェーズに大別される。以下、順番に説明する。 FIG. 1 shows the process of diagnosis in the present embodiment. The diagnosis process is roughly divided into a cyclic phase, a test case generation phase, a test phase, and an analysis phase. Hereinafter, it demonstrates in order.
1. Crawling phase
This phase acquires the normal requests that serve as templates for diagnostic requests. Specifically, the requests sent while following, one after another, the links contained in responses are acquired as normal requests. The SQL queries the Web application generates from these normal requests are also acquired; they are used in the syntax determination of the analysis phase.
2. Test case generation phase
This phase generates diagnostic requests. Specifically, various diagnostic requests are generated using the normal requests acquired in the crawling phase as templates.
3. Test phase
This phase carries out the pseudo-attack. Specifically, the diagnostic requests generated in the test case generation phase are sent to the Web application under diagnosis, and the SQL queries the Web application generates from them are acquired.
4. Analysis phase
This phase analyzes whether a vulnerability exists. Specifically, escape determination, syntax determination and error determination are performed using the SQL queries acquired in the test phase and the crawling phase.
FIG. 2 shows the functions and configuration of the diagnostic apparatus 400 according to the present embodiment. In hardware, each of these blocks can be realized by elements such as a computer's CPU or by mechanical devices; in software, by computer programs and the like. What is drawn here are the functional blocks realized by their cooperation, and those skilled in the art will therefore understand that these functional blocks can be realized in various forms by combinations of hardware and software.
The diagnostic apparatus 400 diagnoses vulnerabilities of a Web application; it runs the Web application under diagnosis inside the apparatus itself and diagnoses its vulnerabilities. The diagnostic apparatus 400 includes an information analysis device 200 and an information collection device 300; it may be a single device integrating the functions of both, or an assembly of two devices. The operation terminal 100 is an information processing terminal operated by the person conducting the diagnosis (hereinafter the "diagnostician"); it accepts predetermined information and instructions from the diagnostician and transmits them to the diagnostic apparatus 400.
The information analysis device 200 includes a crawling unit 210, a pseudo-attack data holding unit 220, a request generation unit 230, a request supply unit 240, a response receiving unit 250, an association unit 260, a syntax analysis unit 270, a determination unit 280 and a result display unit 290. The information collection device 300 includes an execution environment 310, a request acquisition unit 320, a request holding unit 330, a query acquisition unit 340 and a query holding unit 350.
The crawling unit 210 accepts information about a starting-point request from the operation terminal 100 and sends a request based on it to the application 318. When a response from the application 318 contains links, it sends further requests so as to follow those links one after another. The requests sent in this way (normal requests) and the SQL queries the application 318 issues in response to them are acquired by the information collection device 300.
The pseudo-attack data holding unit 220 holds the pseudo-attack data that is set in parameters when diagnostic requests are generated. Here "pseudo-attack data" means data carrying a known attack pattern used to check for the presence or absence of an SQL injection vulnerability, for example data containing special characters such as "'" (single quotation mark) or "%".
The request generation unit 230 generates a plurality of diagnostic requests from the plurality of normal requests held in the request holding unit 330 that were acquired in the crawling phase. Specifically, a diagnostic request is generated by replacing a value set in a parameter of an acquired request with pseudo-attack data. So that the presence of vulnerabilities can be checked exhaustively, a plurality of diagnostic requests is generated from each normal request, based on a plurality of pseudo-attack data. FIG. 3(a) shows an example of a normal request serving as a template for diagnostic requests, and FIGS. 3(b) to 3(d) each show a diagnostic request generated from the normal request of FIG. 3(a). The diagnostic request of FIG. 3(b) replaces the parameter "user1" of the normal request of FIG. 3(a) with the special character "%". FIG. 3(c) replaces "pass1" with "' or 'a'='a", and FIG. 3(d) replaces "pass1" with "pass'1". Naturally, the URL-encoded form of these strings may be what is actually set as the parameter value. Returning to FIG. 2.
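A worked example of the request generation unit's substitution step, written in Python for this page (it is not the patent's own code). Given one normal request, it produces one diagnostic request per parameter and pseudo-attack pattern, so it goes beyond the page's three figures by mutating every parameter in turn. The host name and the values "user1" and "pass1" come from the page; the path "/login", the parameter names "userid" and "passwd", and the three-pattern list are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Pseudo-attack data: the three patterns the page lists for FIGS. 3(b)-(d). This is a constructed
# list; a real pseudo-attack data holding unit would carry many more patterns per database.
PSEUDO_ATTACK_DATA = ["%", "' or 'a'='a", "pass'1"]


def generate_diagnostic_requests(normal_url, patterns=PSEUDO_ATTACK_DATA):
    """From one normal request (a URL whose query string carries the parameters), build one
    diagnostic request per (parameter, pattern) pair: that parameter's value is replaced by the
    pattern and every other parameter keeps its normal value. Returns the list of URLs."""
    parts = urlsplit(normal_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    diagnostic = []
    for idx, (name, _) in enumerate(params):
        for pattern in patterns:
            mutated = list(params)
            mutated[idx] = (name, pattern)
            # urlencode percent-encodes the special characters: the URL-encoded form the page mentions
            diagnostic.append(urlunsplit(parts._replace(query=urlencode(mutated))))
    return diagnostic


# Constructed normal request (assumed path and parameter names; host and values as on the page).
NORMAL_REQUEST = "http://www.example.co.jp/login?userid=user1&passwd=pass1"

if __name__ == "__main__":
    for url in generate_diagnostic_requests(NORMAL_REQUEST):
        print(url)
```

With two parameters and three patterns the generator yields six diagnostic requests; the page's FIG. 3(b) corresponds to the first (userid replaced by "%"), and FIGS. 3(c) and 3(d) to the last two (passwd replaced). Because `urlencode` percent-encodes the quote, the percent sign and the equals sign, the pattern reaches the application only after the Web server decodes the parameter, which is the point at which escaping should happen.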
The request supply unit 240 sends the plurality of diagnostic requests generated by the request generation unit 230 to the application 318. The response receiving unit 250 receives the responses from the application 318.
The execution environment 310 is the environment in which the application 318 under diagnosis runs; it includes a Web server 312, an application server 314 and a database server 316. The Web server 312 sends, in response to client requests, the results of processing by the Web application and the like. The application server 314 executes the Web application to carry out the various business processes. The database server 316 searches and outputs the information stored in the database in response to queries. Here the escape character for the database server 316 is assumed to be "\" (backslash). The application 318 under diagnosis is deployed on the application server 314. This deployment is done by the party receiving the vulnerability diagnosis service; of course, it may instead be done by a diagnostician who has received the application from that party.
The request acquisition unit 320 provides what is known as an HTTP proxy server function and relays requests from the information analysis device 200 to the application 318. In doing so it captures the content of each request and stores it in the request holding unit 330. The request acquisition unit 320 captures both the requests sent by the crawling unit 210 in the crawling phase and the requests sent by the request supply unit 240 in the test phase.
The request holding unit 330 holds the requests captured by the request acquisition unit 320. FIG. 4 shows the data structure of the request holding unit 330: it holds, in association with one another, a request ID that uniquely identifies each held request, the request itself, and the timestamp of its capture. For requests captured in the crawling phase, only those with a predetermined protocol, host name and directory path may be retained. For example, retaining only requests whose protocol is "http" and whose host name is "www.example.co.jp" (with no directory path specified) excludes external sites outside the scope of diagnosis from the targets to which diagnostic requests are sent in the test phase.
The query acquisition unit 340 provides what is known as an SQL proxy server function and relays the SQL queries the application 318 issues to the database. In doing so it captures the content of each SQL query and stores it in the query holding unit 350.
The query holding unit 350 holds the SQL queries captured by the query acquisition unit 340. FIG. 5 shows the data structure of the query holding unit 350: it holds, in association with one another, an SQL query ID that uniquely identifies each held SQL query, the SQL query itself, and the timestamp of its capture.
The association unit 260 identifies the request from which each SQL query was generated. Specifically, the request whose timestamp immediately precedes the timestamp of an SQL query is identified as the request for that SQL query. Suppose, for example, that the data held in the request holding unit 330 and the query holding unit 350 is as shown in FIGS. 4 and 5 respectively. In that case the request underlying the SQL queries with SQL query IDs "4" to "5" is identified as the request with request ID "2", which has the immediately preceding timestamp.
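The association unit's timestamp rule as a runnable Python example added for this page (not the patent's code). The two tables are constructed to mirror FIGS. 4 and 5, keeping the page's example in which the queries with IDs 4 and 5 stem from request ID 2; the request contents, query texts and timestamps are assumptions.

```python
from bisect import bisect_right

# Constructed tables modeled on the page's FIG. 4 (request holding unit) and FIG. 5 (query holding
# unit): (id, content, capture timestamp in seconds). IDs follow the page's example, in which the
# queries with IDs 4 and 5 stem from the request with ID 2.
REQUESTS = [
    (1, "GET /login?userid=user1&passwd=pass1", 100.00),
    (2, "GET /login?userid=%25&passwd=pass1", 105.00),
    (3, "GET /login?userid=user1&passwd=%27+or+%27a%27%3D%27a", 110.00),
]
QUERIES = [
    (1, "select * from users where userid = 'user1' and passwd = 'pass1'", 100.20),
    (4, "select * from users where userid = '%' and passwd = 'pass1'", 105.10),
    (5, "select * from roles where userid = '%'", 105.15),
    (6, "select * from users where userid = 'user1' and passwd = '' or 'a'='a'", 110.30),
]


def associate(requests, queries):
    """For each query, pick the request whose timestamp is the latest one not after the query's
    timestamp (the page's 'immediately preceding timestamp' rule). Returns {query_id: request_id};
    a query captured before any request maps to None."""
    ordered = sorted(requests, key=lambda r: r[2])
    stamps = [r[2] for r in ordered]
    mapping = {}
    for qid, _, ts in queries:
        k = bisect_right(stamps, ts)          # number of requests captured at or before ts
        mapping[qid] = ordered[k - 1][0] if k else None
    return mapping


if __name__ == "__main__":
    print(associate(REQUESTS, QUERIES))
```

The rule holds only while requests are sent one at a time and each request's queries reach the SQL proxy before the next request is relayed, which is how the page's flow runs (S10 to S40 and S60 to S90 are repeated per request). If the HTTP proxy and the SQL proxy run on different hosts, their clocks must also agree to within the gap between consecutive requests.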
The syntax analysis unit 270 parses the conditional clause of each SQL query held in the query holding unit 350; specifically, it builds a syntax tree. Any parser, for example existing parsing software, can be used as the syntax analysis unit 270. FIG. 6(a) shows the SQL query generated from the normal request of FIG. 3(a), and FIG. 6(b) shows its syntax tree. In FIG. 6(b), a bottom-level node 10 is a node of the lowest layer and is assigned an operand. An internal node 20 is a node other than at the lowest layer; each has a plurality of child nodes and is assigned an operator. If an SQL query to be parsed is a syntax error, the syntax analysis unit 270 detects this. Returning to FIG. 2.
The determination unit 280 performs the escape determination using the syntax trees generated by the syntax analysis unit 270. Specifically, it examines the operands of the bottom-level nodes of a syntax tree and, where a special character is present, checks whether it has been escaped. FIGS. 7(a) and 8(a) are the SQL queries generated from the diagnostic request of FIG. 3(b) when no SQL injection vulnerability exists and when one exists, respectively. FIGS. 7(b) and 8(b) show the syntax trees of the SQL queries of FIGS. 7(a) and 8(a), respectively. At node 40 of FIG. 7(b) the special character "%" has been escaped to "\%". At the corresponding node 50 of FIG. 8(b), on the other hand, the special character "%" is set without being escaped. In this case the determination unit 280 determines that a vulnerability exists. Returning to FIG. 2.
The determination unit 280 also performs the syntax determination using the syntax tree of the SQL query generated from a normal request and that of the SQL query generated from a diagnostic request. Specifically, after the association unit 260 has matched each request with the SQL query generated from it, the syntax tree of the SQL query from a normal request is compared with the syntax tree of the SQL query from a diagnostic request generated with that normal request as its template, checking whether their depth or width differs and whether the operators assigned to corresponding nodes differ.
FIGS. 9(a) and 10(a) are the SQL queries generated from the diagnostic request of FIG. 3(c) when no SQL injection vulnerability exists and when one exists, respectively. Compared with FIG. 6(b), the syntax tree of the SQL query from the normal request, FIG. 9(b) has the same depth and width, that is, the same tree structure, and all operators assigned to its internal nodes are the same. FIG. 10(b), on the other hand, differs in structure: the portion marked with the dotted line is deeper than in FIG. 6(b). Moreover, the operators of the corresponding internal nodes, node 30 of FIG. 6(b) and node 60 of FIG. 10(b), are "=" and "or" respectively, and so differ. That is, in FIG. 10(b) the syntax of the SQL query differs from that of the SQL query from the normal request. In this case the determination unit 280 determines that a vulnerability exists. By also performing the syntax determination in this way, whether a vulnerability exists can be determined even when the pseudo-attack data has altered the syntax so that no special character remains in an operand. Returning to FIG. 2.
The determination unit 280 further performs the error determination by checking whether any of the SQL queries generated from diagnostic requests is a syntax error. FIGS. 11(a) and 11(b) are the SQL queries generated from the diagnostic request of FIG. 3(d) when no SQL injection vulnerability exists and when one exists, respectively. In FIG. 11(b) the special character "'" has not been escaped, so "pass" is used as the search condition for passwd and the "1'" that follows is not valid SQL. Parsing FIG. 11(b) with the syntax analysis unit 270 therefore results in an error, and in this case the determination unit 280 determines that a vulnerability exists. Returning to FIG. 2.
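The three determinations of the preceding paragraphs (escape determination, syntax determination and error determination) as one runnable Python example added for this page; it is not the patent's code. In place of the arbitrary parser the page allows for the syntax analysis unit 270 it uses a deliberately small recursive-descent parser for conditional clauses of the form `column = 'literal'` joined by `and`/`or`, which is enough to reproduce the trees of FIGS. 6 to 11. The sample queries are constructed to mirror those figures, with backslash as the escape character as the page assumes; the table and column names are assumptions.

```python
import re
from dataclasses import dataclass, field

SPECIAL_CHARS = ("'", "%")   # special characters named on the page
ESCAPE_CHAR = "\\"           # the page assumes backslash as the database's escape character

class QuerySyntaxError(Exception):
    """The conditional clause does not parse: the basis of the error determination."""

@dataclass
class Node:
    value: str                  # operator for an internal node, operand text for a leaf
    children: list = field(default_factory=list)
    literal: bool = False       # True for a string-literal leaf (raw text, escapes kept)

# One token per match: string literal (backslash escapes the next char), word, punctuation, or junk.
TOKEN_RE = re.compile(r"\s+|'((?:\\.|[^'\\])*)'|(\w+)|([()=])|(.)", re.DOTALL)

def tokenize(cond):
    toks = []
    for s, w, p, junk in (m.groups() for m in TOKEN_RE.finditer(cond)):
        if junk is not None:                       # e.g. a quote that never closes
            raise QuerySyntaxError(f"unexpected character {junk!r}")
        if s is not None:
            toks.append(("STR", s))
        elif w is not None:
            toks.append(("KW", w.lower()) if w.lower() in ("and", "or") else ("ID", w))
        elif p is not None:
            toks.append((p, p))
    return toks

class Parser:
    """cond := term ('or' term)*; term := atom ('and' atom)*; atom := operand '=' operand."""
    def __init__(self, toks):
        self.toks, self.i = toks + [("EOF", None)], 0

    def take(self, *kinds):
        k, v = self.toks[self.i]
        if k not in kinds:
            raise QuerySyntaxError(f"expected {'/'.join(kinds)}, got {v!r}")
        self.i += 1
        return k, v

    def parse(self):
        node = self.binary("or", lambda: self.binary("and", self.atom))
        self.take("EOF")
        return node

    def binary(self, op, sub):               # left-associative chain; 'and' binds tighter than 'or'
        node = sub()
        while self.toks[self.i] == ("KW", op):
            self.i += 1
            node = Node(op, [node, sub()])
        return node

    def atom(self):
        left = self.operand()
        self.take("=")
        return Node("=", [left, self.operand()])

    def operand(self):
        k, v = self.take("ID", "STR")
        return Node(v, literal=(k == "STR"))

def parse_query(sql):
    """Syntax tree of the WHERE clause (the page's 'conditional clause')."""
    m = re.search(r"\bwhere\b(.*)$", sql, re.IGNORECASE | re.DOTALL)
    if not m:
        raise QuerySyntaxError("no WHERE clause")
    return Parser(tokenize(m.group(1).strip().rstrip(";"))).parse()

def escape_check(node):
    """Escape determination: True (vulnerable) if a literal leaf holds a special char not preceded by ESCAPE_CHAR."""
    if node.children:
        return any(escape_check(c) for c in node.children)
    unescaped = re.sub(re.escape(ESCAPE_CHAR) + ".", "", node.value, flags=re.DOTALL)  # drop escaped pairs
    return node.literal and any(ch in unescaped for ch in SPECIAL_CHARS)

def syntax_differs(a, b):
    """Syntax determination: compare tree shape and internal-node operators; leaf operands are ignored."""
    if bool(a.children) != bool(b.children):
        return True
    return bool(a.children) and (a.value != b.value or len(a.children) != len(b.children)
                                 or any(syntax_differs(x, y) for x, y in zip(a.children, b.children)))

def diagnose(normal_sql, diag_sql):
    """Run the three determinations on the query generated from one diagnostic request."""
    normal_tree = parse_query(normal_sql)
    try:
        diag_tree = parse_query(diag_sql)
    except QuerySyntaxError:                        # error determination
        return {"escape": False, "syntax": False, "error": True, "vulnerable": True}
    r = {"escape": escape_check(diag_tree), "syntax": syntax_differs(normal_tree, diag_tree), "error": False}
    return dict(r, vulnerable=any(r.values()))

# Constructed sample queries modeled on the page's FIGS. 6-11 (not the patent's own figure contents).
NORMAL = "select * from users where userid = 'user1' and passwd = 'pass1'"
SAFE_B = "select * from users where userid = '\\%' and passwd = 'pass1'"                  # FIG. 3(b), escaped
VULN_B = "select * from users where userid = '%' and passwd = 'pass1'"                    # FIG. 3(b), not escaped
SAFE_C = "select * from users where userid = 'user1' and passwd = '\\' or \\'a\\'=\\'a'"   # FIG. 3(c), escaped
VULN_C = "select * from users where userid = 'user1' and passwd = '' or 'a'='a'"          # FIG. 3(c), syntax changed
SAFE_D = "select * from users where userid = 'user1' and passwd = 'pass\\'1'"              # FIG. 3(d), escaped
VULN_D = "select * from users where userid = 'user1' and passwd = 'pass'1'"               # FIG. 3(d), syntax error
```

Running `diagnose(NORMAL, q)` over the six samples reproduces the page's three findings: the unescaped "%" is caught by the escape determination alone, the `' or 'a'='a` case by the syntax determination alone (the root operator becomes `or` and the tree gains a level, while no leaf contains a special character), and `pass'1` by the error determination, since the parser hits the stray quote after the literal `'pass'`. The escaped variants all pass, because the literal leaves carry the backslash pairs and the tree shape is unchanged. Comparing only internal-node operators and shape is what lets a changed literal value pass the syntax determination, which is the behaviour the page wants: the normal and diagnostic requests differ in exactly that value.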
The result display unit 290 displays the diagnosis result on the operation terminal 100. FIG. 12 is a screen showing a diagnosis result displayed by the result display unit 290. A result 70 shows the diagnosis result, i.e. whether a vulnerability exists. Detailed information 80 shows the details of the diagnosis result: specifically, the SQL query on which a finding of vulnerability is based and the result of each determination for that SQL query. It also receives the result of the association made by the association unit 260 and displays the request underlying that SQL query.
The operation of the diagnostic apparatus 400 configured as above will now be described. FIG. 13 is a flowchart of the operation of the diagnostic apparatus 400: FIG. 13(a) shows the operation in the crawling phase, FIG. 13(b) in the test case generation phase, FIG. 13(c) in the test phase and FIG. 13(d) in the analysis phase.
As shown in FIG. 13(a), the crawling unit 210 of the information analysis device 200 sends to the application 318 a normal request based either on the starting-point request information accepted from the operation terminal 100 or on a link contained in a response (S10). The request acquisition unit 320 of the information collection device 300 relays the request to the application 318 and, in doing so, captures the normal request and holds it in the request holding unit 330 (S20). On receiving the request, the application 318 generates an SQL query and issues it to the database. The query acquisition unit 340 relays that query and, in doing so, captures the SQL query and holds it in the query holding unit 350 (S30). The response receiving unit 250 of the information analysis device 200 receives the response from the application 318 (S40). If the response from the application 318 contains links, this flow is repeated and normal requests based on the links are sent to the application 318. In this way the normal requests and the SQL queries generated from them are acquired.
As shown in FIG. 13(b), the request generation unit 230 of the information analysis device 200 generates a plurality of diagnostic requests from the plurality of normal requests acquired in the crawling phase (S50).
As shown in FIG. 13(c), the request supply unit 240 of the information analysis device 200 sends a diagnostic request to the application 318 (S60). The request acquisition unit 320 of the information collection device 300 captures the diagnostic request and holds it in the request holding unit 330, in the same manner as in the diagnosis phase (S70). The query acquisition unit 340 likewise captures the SQL query and holds it in the query holding unit 350 (S80). The response receiving unit 250 of the information analysis device 200 receives the response from the application 318 (S90). This flow is repeated once for each diagnostic request generated in the test case generation phase. In this way the diagnostic requests and the SQL queries generated from them are acquired.
As shown in FIG. 13(d), the syntax analysis unit 270 of the information analysis device 200 parses the SQL queries captured by the query acquisition unit 340 of the information collection device 300 and generates syntax trees (S100). The determination unit 280 performs on each syntax tree the escape determination, i.e. whether escaping has been applied properly (S110). Next it performs the syntax determination, comparing against the SQL query from the normal request to see whether the syntax has been altered (S120). Finally it performs the error determination, checking whether the SQL query has a syntax error (S130). If even one of these three determinations finds a vulnerability, the Web application under diagnosis has a vulnerability. The result display unit 290 displays the diagnosis result on the operation terminal 100 (S140).
With the configuration above, the SQL queries the application generates from diagnostic requests are examined to determine whether an SQL injection vulnerability exists. The determination is therefore unaffected by how the application happens to be built, and whether a vulnerability exists can be determined more reliably than when the determination is made by examining the application's responses. Because whether the pseudo-attack data has altered the SQL query is also checked, whether a vulnerability exists can be determined even when the syntax has been altered so that no special character remains in an operand. Further, the request from which an SQL query was generated can be identified from the timestamps, and once the request is identified, the location in the application where the vulnerability exists can easily be pinpointed.
The present invention has been described above on the basis of an embodiment. The embodiment is illustrative; those skilled in the art will understand that various modifications are possible in the combinations of its constituent elements and processes, and that such modifications also lie within the scope of the present invention.
Modification 1
In the embodiment the object of diagnosis is a Web application, but the present invention is not limited to this; any network application will do. Likewise, the embodiment diagnoses SQL injection vulnerabilities, i.e. the queries issued by the application are SQL queries, but the invention is not limited to this, and other queries such as XQuery may be used.
Modification 2
In the embodiment the information collection device 300 is a single device having the functions of a Web server, an application server and a database server, but the present invention is not limited to this. For example, the Web server, application server and database server may be implemented on physically separate devices, the information collection device 300 being their assembly. Of course, it may also be an assembly of a device combining any two of the three server functions with a device having the remaining one. The embodiment also shows a three-tier structure with a Web server, an application server and a database server, but the invention is not limited to this; for example, a two-tier structure without a Web server, consisting of an application server and a database server, may be used. In that case too, of course, each server function may be implemented on a physically separate device.
Modification 3
In the embodiment the determinations are made in the order escape determination, syntax determination, error determination to decide whether a vulnerability exists, but the present invention is not limited to this; for example, they may be made in the order error determination, syntax determination, escape determination.
Those skilled in the art will also understand that the function each constituent element recited in the claims is to perform is realized by the individual constituent elements shown in the embodiment and modifications, or by their cooperation.
100 operation terminal, 200 information analysis device, 210 crawling unit, 220 pseudo-attack data holding unit, 230 request generation unit, 240 request supply unit, 250 response receiving unit, 260 association unit, 270 syntax analysis unit, 280 determination unit, 300 information collection device, 310 execution environment, 320 request acquisition unit, 330 request holding unit, 340 query acquisition unit, 350 query holding unit, 400 diagnostic apparatus.
The present invention can be used in an apparatus for diagnosing application vulnerabilities.

Claims (6)

  1.  データベースに対してクエリを発行するアプリケーションの脆弱性を診断する装置であって、
     データベースで予め定められた特殊文字を含む複数種類のリクエストをアプリケーションに供給するリクエスト供給部と、
     それらのリクエストを取得したアプリケーションにより生成されるクエリにおいて、特殊文字がエスケープ処理されずに条件節に設定されている場合に脆弱性が存在すると判定する判定部と、
     を備えることを特徴とする診断装置。
    A device for diagnosing vulnerabilities in applications that issue queries to databases,
    A request supply unit that supplies a plurality of types of requests including special characters predetermined in the database to the application;
    In the query generated by the application that acquired those requests, a determination unit that determines that a vulnerability exists when a special character is set in a conditional clause without being escaped,
    A diagnostic apparatus comprising:
  2.  前記判定部は、擬似攻撃データがパラメータに設定されたリクエストに基づきアプリケーションが生成するクエリの構文と、通常のデータがパラメータに設定されたリクエストに基づきアプリケーションが生成するクエリの構文とが異なっている場合にも、脆弱性が存在すると判定することを特徴とする請求項1に記載の診断装置。 In the determination unit, the syntax of a query generated by an application based on a request in which pseudo attack data is set as a parameter is different from the syntax of a query generated by the application based on a request in which normal data is set as a parameter. The diagnosis apparatus according to claim 1, wherein the diagnosis apparatus determines that the vulnerability exists.
  3.  クエリを解析して、その条件節の構文木を生成する構文解析部を更に備え、
     前記判定部は、擬似攻撃データに基づくクエリの構文木と通常のデータに基づくクエリの構文木の対応するノードであって、複数の子ノードを有するノードに割り当てられる演算子が異なる場合に、クエリの構文が異なると判断し、脆弱性が存在すると判定することを特徴とする請求項2に記載の診断装置。
    A parsing unit that parses the query and generates a syntax tree of the conditional clause;
    The determination unit is a query corresponding to a query syntax tree based on pseudo attack data and a query corresponding to a query syntax tree based on normal data, and different operators assigned to nodes having a plurality of child nodes. The diagnosis apparatus according to claim 2, wherein the syntaxes are determined to be different and it is determined that the vulnerability exists.
  4.  前記判定部は、擬似攻撃データがパラメータに設定されたリクエストに基づきアプリケーションが生成するクエリから、構文エラーであるクエリが検出された場合にも脆弱性が存在すると判定することを特徴とする請求項1から3のいずれかに記載の診断装置。 The determination unit may determine that a vulnerability exists even when a query that is a syntax error is detected from a query generated by an application based on a request in which pseudo attack data is set as a parameter. The diagnostic device according to any one of 1 to 3.
  5.  The diagnostic device according to any one of claims 1 to 4, further comprising:
     a request acquisition unit that acquires a request transmitted to the application;
     a request holding unit that holds the request acquired by the request acquisition unit in association with a timestamp of the time of acquisition;
     a query acquisition unit that acquires a query issued by the application;
     a query holding unit that holds the query acquired by the query acquisition unit in association with a timestamp of the time of acquisition; and
     an association unit that, based on the respective timestamps, identifies and provides the request corresponding to the query for which a vulnerability was determined to exist.
  6.  A computer program for diagnosing a vulnerability of an application that issues queries to a database, the program causing a computer to realize:
     a function of supplying to the application a plurality of kinds of requests containing special characters predetermined for the database; and
     a function of determining that a vulnerability exists when, in a query generated by the application that received those requests, a special character is set in the conditional clause without having been escaped.
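As an added illustration of claims 2 to 4 (and of the escape check in claim 6), not code from the patent or from NST, the following Python builds a syntax tree for the conditional clause the application emitted for normal data and for pseudo-attack data, then flags a vulnerability when a node with several children carries a different operator or when the probe's clause no longer parses. The grammar is a deliberate simplification (flat AND/OR over comparisons, single-quoted literals, no parentheses or functions) and the sample clauses are constructed.

```python
import re

# Tokens: quoted string ('' inside is an escaped quote), integer, identifier or keyword, comparison
# operator. Group 2 catches any other non-space character, such as the quote of an unterminated literal.
TOKEN_RE = re.compile(r"\s*(?:('(?:[^']|'')*'|\d+|[A-Za-z_]\w*|<>|<=|>=|[=<>])|(\S))")
COMPARISONS = {"=", "<>", "<", ">", "<=", ">="}
RESERVED = COMPARISONS | {"AND", "OR"}

def tokenize(cond):
    tokens = []
    for m in TOKEN_RE.finditer(cond):
        if m.group(2):                    # stray character: the clause is not well-formed SQL
            raise SyntaxError(f"unexpected {m.group(2)!r} at offset {m.start(2)}")
        tokens.append(m.group(1))
    return tokens

def parse_condition(cond):  # tree for a flat clause: OR over AND over comparisons; inner nodes are (operator, children)
    def split(toks, keyword):             # split the token list on a boolean keyword
        groups, cur = [], []
        for tok in toks:
            if tok.upper() == keyword:
                groups.append(cur); cur = []
            else:
                cur.append(tok)
        return groups + [cur]
    def comparison(toks):                 # exactly `operand op operand`, operands not reserved words
        if len(toks) != 3 or toks[1] not in COMPARISONS or {toks[0].upper(), toks[2].upper()} & RESERVED:
            raise SyntaxError(f"malformed comparison {' '.join(toks)!r}")
        return (toks[1], [("LEAF", toks[0]), ("LEAF", toks[2])])  # leaves: column names or literals
    node = lambda op, kids: (op, kids) if len(kids) > 1 else kids[0]
    return node("OR", [node("AND", [comparison(c) for c in split(part, "AND")])
                       for part in split(tokenize(cond), "OR")])

def same_structure(a, b):  # claim 3: inner nodes must agree on operator and child count; leaf values may differ
    if a[0] == "LEAF" or b[0] == "LEAF":
        return a[0] == b[0]
    return a[0] == b[0] and len(a[1]) == len(b[1]) and all(map(same_structure, a[1], b[1]))

def diagnose(normal_cond, probe_cond):  # verdict for one pseudo-attack probe against the normal-data baseline
    baseline = parse_condition(normal_cond)
    try:
        probe = parse_condition(probe_cond)
    except SyntaxError:
        return "vulnerable: syntax error"     # claim 4: the probe broke the query
    return "ok" if same_structure(baseline, probe) else "vulnerable: syntax differs"  # claims 2 and 3

# Constructed sample WHERE clauses, as the application might emit them for one request parameter.
NORMAL = "name = 'alice' AND active = 1"
UNESCAPED = "name = '' OR '1'='1' AND active = 1"    # quote in the parameter broke out of the literal
ESCAPED = "name = ''' OR ''1''=''1' AND active = 1"  # application doubled the quote; literal intact
BROKEN = "name = 'alice'' AND active = 1"            # lone quote leaves the literal unterminated
```

Only the probe that escaped its literal (ESCAPED) yields the same tree as the baseline; the other two probes are reported under the claim that catches them.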
Application Number	Priority Date	Filing Date	Title
PCT/JP2011/006137 WO2013065087A1 (en)	2011-11-02	2011-11-02	Diagnostic device

Publication Number	Publication Date
WO2013065087A1	2013-05-10

Family ID: 48191485
Country Status: WO (1) WO2013065087A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11895138B1 (en) * 2015-02-02 2024-02-06 F5, Inc. Methods for improving web scanner accuracy and devices thereof

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000181759A (en) * 1998-12-15 2000-06-30 Hitachi Information Systems Ltd Time sequential data retrieval system/method and recording medium storing its program

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
CYRUS PEIKARI: "Security Warrior", 18 October 2004, O'REILLY JAPAN, INC., pages: 388 *
GREG BUEHRER: "Using Parse Tree Validation to Prevent SQL Injection Attacks", COMPUTER SCIENCE & ENGINEERING, THE OHIO STATE UNIVERSITY, 26 May 2007 (2007-05-26), Retrieved from the Internet <URL:http://www.cse.ohio-state.edu/-paolo/research/publications/sem05talk.pdf> [retrieved on 20111215] *
TATSUNORI HOAN: "An Injection Vulnerability Analysis of Web Applications using String-Taint Analysis", IEICE TECHNICAL REPORT, vol. 110, no. 336, 7 December 2010 (2010-12-07), pages 39 - 41 *
TATSUYA YAGI: "Unknown SQL Injection Attack Detection System", DAI 72 KAI (HEISEI 22 NEN) ZENKOKU TAIKAI KOEN RONBUNSHU (5), 8 March 2010 (2010-03-08), pages 5 - 227 *
YOSHIHISA SHIMOKAWA: "Detection method by Testing Framework for SQL Injection", PROCEEDINGS OF THE 2009 IEICE GENERAL CONFERENCE TSUSHIN 2, 4 March 2009 (2009-03-04), pages 568 *
YUJI KOSUGA: "Effective Automated Testing for Detecting SQL Injection vulnerabilities", IPSJ SIG NOTES, vol. 2008, no. 45, 15 May 2008 (2008-05-15), pages 104 - 106 *

Legal Events

Code	Title	Description
121	Ep: the epo has been informed by wipo that ep was designated in this application	Ref document number: 11875153; Country of ref document: EP; Kind code of ref document: A1
NENP	Non-entry into the national phase	Ref country code: DE
122	Ep: pct application non-entry in european phase	Ref document number: 11875153; Country of ref document: EP; Kind code of ref document: A1
NENP	Non-entry into the national phase	Ref country code: JP