    Please use this identifier to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/52635


    Title: Design and Implementation of an SQL Injection Attack Defense Tool Combining SQL Statement Parsing with Aspect Technology
    An Anti-SQLIA tool based on SQL parsing and aspect technology
    Authors: 王瑛瑛
    Wang, Ying Ying
    Contributors: 陳恭
    Chen, Kung
    王瑛瑛
    Wang, Ying Ying
    Keywords: Aspect-oriented programming
    Aspect
    SQL injection attack
    AOP
    Aspect
    SQLIA
    Date: 2011
    Issue Date: 2012-04-12 14:12:13 (UTC+8)
    Abstract: An SQL injection attack (SQLIA) exploits a web application weakness in which an attack string hidden in a web client's input value alters the structure of a dynamically generated SQL statement. According to the 2010 web risk assessment report of OWASP (Open Web Application Security Project), SQL injection was ranked the most serious web application risk. This weakness may let an attacker access the database directly, so that sensitive data is modified or stolen; an experienced attacker can even use a single SQL injection vulnerability to take over the whole application system.
    In this thesis we implement an automated defense tool based on the principles of SQL injection attacks. The tool is built on SQL statement parsing combined with aspect technology; it uses an exhaustive method to dynamically analyze and dynamically monitor the SQL statements executed by the application. Developers need not learn a new coding style or modify the application: the defense mechanism can be applied to the application (at the source-code or intermediate-code level), and the scope of defensive monitoring can be adjusted dynamically through a user-interface setting, providing an effective SQL injection defense mechanism for web applications.
    SQL injection attack (SQLIA) is a type of attack on web applications that exploits the fact that input provided by web clients may be directly included in dynamically generated SQL statements. According to the OWASP Foundation, injection attacks, particularly SQL injection, were the most serious web application vulnerability type in 2010. By using SQLIA, an attacker may directly access the database underlying a web application and modify or expose sensitive information. A proficient attacker can even use an SQLIA to completely compromise the host system.
    In this thesis, we study SQL injection attacks and develop a fully automated, configurable tool for protecting web applications against SQLIA. Our tool uses a heuristic method that combines runtime learning and runtime monitoring of valid/legal SQL statements: each statement is parsed to compute an MD5-represented pattern (called an SQL fingerprint), which is recorded during learning and verified during monitoring. The tool is implemented in Java and AspectJ so that it requires no training of developers and no modification of legacy applications. Our evaluation results have shown this tool to be highly effective at protecting web applications from all types of SQL injection attacks.
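    As an added illustration (not the thesis's own code) of the fingerprint scheme in the abstract: a statement is reduced to its structure by replacing every literal with a placeholder, the MD5 of that structure is its fingerprint, and a guard records fingerprints while learning and then rejects any statement whose shape was never learned, which is how a tautology injection is caught even though no value is blacklisted. A regex tokenizer stands in for a real SQL parser such as JSQLParser, `SqlGuard.allow` is where the thesis's AspectJ advice around the JDBC execute call would hook in, and the three sample statements are constructed.

```python
import hashlib
import re

# Constructed stand-in for a real SQL parser (the thesis used JSQLParser): a
# tokenizer that separates literals from keywords, identifiers and operators.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"            # string literal; '' is an escaped quote
    r"|\d+(?:\.\d+)?"            # numeric literal
    r"|[A-Za-z_][A-Za-z0-9_.]*"  # keyword or identifier
    r"|--[^\n]*|/\*.*?\*/"       # comments
    r"|<>|<=|>=|!=|\S",          # operators, punctuation, anything else
    re.S,
)

def sql_structure(sql):
    """Statement shape: keywords, identifiers, operators and comments kept,
    every literal replaced by a placeholder, so only the values may vary."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok[0] == "'":
            out.append("?s")
        elif tok[0].isdigit():
            out.append("?n")
        elif tok.startswith(("--", "/*")):
            out.append("#comment")
        else:
            out.append(tok.upper())
    return " ".join(out)

def fingerprint(sql):  # MD5 of the normalized structure: the "SQL fingerprint"
    return hashlib.md5(sql_structure(sql).encode("utf-8")).hexdigest()

class SqlGuard:
    """Learning mode records the fingerprint of every statement issued under
    known-good use; monitoring mode rejects any shape that was never learned."""
    def __init__(self):
        self.learned = set()
        self.monitoring = False
    def allow(self, sql):
        fp = fingerprint(sql)
        if not self.monitoring:
            self.learned.add(fp)  # learning phase: trust what the app issues
            return True
        return fp in self.learned

# Constructed login query (two users) and the same query after a tautology
# injection through the password field.
LEGIT = "SELECT id FROM users WHERE name = 'alice' AND pw = 'p4ss'"
LEGIT2 = "SELECT id FROM users WHERE name = 'bob' AND pw = 'other'"
INJECTED = "SELECT id FROM users WHERE name = 'alice' AND pw = '' OR '1'='1' --'"
```

    Because LEGIT and LEGIT2 differ only in literal values they share one fingerprint, while INJECTED gains an extra OR comparison and a trailing comment and is rejected in monitoring mode.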
    Description: Master's thesis
    National Chengchi University
    Department of Computer Science
    97971015
    100
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0097971015
    Data Type: thesis
    Appears in Collections: [Department of Computer Science] Theses