政大機構典藏-National Chengchi University Institutional Repository(NCCUR):Item 140.119/94853
English  |  正體中文  |  简体中文  |  Post-Print筆數 : 27 |  全文笔数/总笔数 : 113392/144379 (79%)
造访人次 : 51228116      在线人数 : 874
RC Version 6.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
搜寻范围 查询小技巧:
  • 您可在西文检索词汇前后加上"双引号",以获取较精准的检索结果
  • 若欲以作者姓名搜寻,建议至进阶搜寻限定作者字段,可获得较完整数据
  • 进阶搜寻
    政大機構典藏 > 資訊學院 > 資訊科學系 > 學位論文 >  Item 140.119/94853


    请使用永久网址来引用或连结此文件: https://nccur.lib.nccu.edu.tw/handle/140.119/94853


    题名: 運用使用者輸入欄位屬性偵測防禦資料隱碼攻擊
    Preventing SQL Injection Attacks Using the Field Attributes of User Input
    作者: 賴淑美
    Lai, Shu Mei
    贡献者: 陳恭
    賴淑美
    Lai, Shu Mei
    关键词: 跨站腳本攻擊
    注入弱點
    網站攻擊
    動態攔截檢核
    檢查網頁輸入資料
    Injection Flaws
    Cross Site Scripting
    website attack
    website dynamic captures technique
    check the input data of data fields
    日期: 2009
    上传时间: 2016-05-09 12:02:16 (UTC+8)
    摘要: 在網路的應用蓬勃發展與上網使用人口不斷遞增的情況之下,透過網路提供客戶服務及從事商業行為已經是趨勢與熱潮,而伴隨而來的風險也逐步顯現。在一個無國界的網路世界,威脅來自四面八方,隨著科技進步,攻擊手法也隨之加速且廣泛。網頁攻擊防範作法的演進似乎也只能一直追隨著攻擊手法而不斷改進。但最根本的方法應為回歸原始的程式設計,網頁欄位輸入資料的檢核。確實做好欄位內容檢核並遵守網頁安全設計原則,嚴謹的資料庫存取授權才能安心杜絕不斷變化的攻擊。但因既有系統對於輸入欄位內容,並無確切根據應輸入的欄位長度及屬性或是特殊表示式進行檢核,以致造成類似Injection Flaws[1]及部分XSS(Cross Site Scripting)[2]攻擊的形成。
    面對不斷變化的網站攻擊,大都以系統原始碼重覆修改、透過滲透測試服務檢視漏洞及購買偵測防禦設備防堵威脅。因原始碼重覆修改工作繁重,滲透測試也不能經常施行,購買偵測防禦設備也相當昂貴。
    本研究回歸網頁資料輸入檢核,根據輸入資料的長度及屬性或是特殊的表示式進行檢核,若能堅守此項原則應可抵禦大部分的攻擊。但因既有系統程式龐大,若要重新檢視所有輸入欄位屬性及進行修改恐為曠日費時。本文中研究以側錄分析、資料庫SCHEMA的結合及方便的欄位屬性定義等功能,自動化的處理流程,快速產生輸入欄位的檢核依據。再以網站動態欄位檢核的方式,於網站接收使用者需求,且應用程式尚未處理前攔截網頁輸入資料,根據事先明確定義的網站欄位屬性及長度進行資料檢核,如此既有系統即無須修改,能在最低的成本下達到有效防禦的目的。
    With the dynamic development of network application and the increasing population of using internet, providing customer service and making business through network has been a prevalent trend recently.

    However, the risk appears with this trend. In a borderless net world, threaten comes from all directions. With the progress of information technology, the technique of network attack becomes timeless and widespread. It seems that defense methods have to develop against these attack techniques. But the root of all should regress on the original program design – check the input data of data fields. The prevention of unceasing network attack is precisely check the content of data field and adhere to the webpage security design on principle, furthermore, the authority to access database is essential. Since most existing systems do not have exactly checkpoints of those data fields such as the length, the data type, and the data format, as a result, those conditions resulted in several network attacks like Injection Flaws and XSS.

    In response to various website attack constantly, the majority remodify the system source code, inspect vulnerabilities by the service of penetration test, and purchase the equipment of Intrusion Prevention Systems(IPS). However, several limitations influence the performance, such as the massive workload of remodify source code, the difficulty to implement the daily penetration test, and the costly expenses of IPS equipment.

    The fundamental method of this research is to check the input data of data fields which bases on the length, the data type and the data format to check input data. The hypothesis is that to implement the original design principle should prevent most website attacks. Unfortunately, most legacy system programs are massive and numerous. It is time-consuming to review and remodify all the data fields. This research investigates the analysis of network interception, integrates with the database schema and the easy-defined data type, to automatically process these procedures and rapidly generates the checklist of input data. Then, using the method of website dynamic captures technique to receive user request first and webpage input data before the system application commences to process it.

    According to those input data can be checked by the predefined data filed type and the length, there is no necessary to modify existing systems and can achieve the goal to prevent web attack with the minimum cost.
    參考文獻: 1. Injection Flaws
    http://www.owasp.org/index.php/Injection_Flaws
    2. XSS
    http://en.wikipedia.org/wiki/Cross-site_scripting
    3. Google_hacking
    http://en.wikipedia.org/wiki/Google_hacking
    4. 阿碼科技 2008.05.20新聞「台灣網站遭受有史以來最大規模SQL Injection 攻擊
    新型態的Mass SQL Injection在台上演」
    http://www.armorize.com.tw/news/shownews.php?news=22
    5. 林玉美,「基於資料探勘技術之網站應用型入侵防禦系統」,國立台灣科技大學資訊工程系研碩士學位論文
    6. OWASP公布最新2007年版十大Web安全漏洞---OWASP介紹與近期發展
    http://owasp.org.tw/blog/2007/05/owasp2007webowasp.html
    7. The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Main_Page
    8. SQL Injection (資料隱碼)– 駭客的 SQL填空遊戲(上)
    http://www.microsoft.com/taiwan/sql/SQL_Injection_G1.htm
    9. 黃彥棻 2008-06-13SQL Injection機器人來襲
    10. 淺談網路應用程式安全(一) 中央研究院計算中心通訊電子報
    http://newsletter.ascc.sinica.edu.tw/news/read_news.php?nid=1288
    11. ISAPI
    http://www.oreilly.com.tw/sample_chap/a053_01.pdf
    12. Regular Expressions - User guide
    http://www.zytrax.com/tech/web/regex.htm#intro
    13. SQL Injection攻擊常見惡意字串,行政院研究發展考核委員提供之「Web應用程式安全指引草案修訂版_附件檔_970229.pdf」中(附件6 )
    描述: 碩士
    國立政治大學
    資訊科學學系
    93971007
    資料來源: http://thesis.lib.nccu.edu.tw/record/#G0093971007
    数据类型: thesis
    显示于类别:[資訊科學系] 學位論文

    文件中的档案:

    档案 大小格式浏览次数
    index.html0KbHTML2281检视/开启


    在政大典藏中所有的数据项都受到原著作权保护.


    社群 sharing

    著作權政策宣告 Copyright Announcement
    1.本網站之數位內容為國立政治大學所收錄之機構典藏,無償提供學術研究與公眾教育等公益性使用,惟仍請適度,合理使用本網站之內容,以尊重著作權人之權益。商業上之利用,則請先取得著作權人之授權。
    The digital content of this website is part of National Chengchi University Institutional Repository. It provides free access to academic research and public education for non-commercial use. Please utilize it in a proper and reasonable manner and respect the rights of copyright owners. For commercial use, please obtain authorization from the copyright owner in advance.

    2.本網站之製作,已盡力防止侵害著作權人之權益,如仍發現本網站之數位內容有侵害著作權人權益情事者,請權利人通知本網站維護人員(nccur@nccu.edu.tw),維護人員將立即採取移除該數位著作等補救措施。
    NCCU Institutional Repository is made to protect the interests of copyright owners. If you believe that any material on the website infringes copyright, please contact our staff(nccur@nccu.edu.tw). We will remove the work from the repository and investigate your claim.
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 回馈