
Journal of University of Chinese Academy of Sciences, 2013, Vol. 30, Issue 3: 417-424. DOI: 10.7523/j.issn.1002-1175.2013.03.021

• Computer Science •

Design and implementation of a SQL injection vulnerability detection tool for RESTful APIs

LUO Qi-Han, ZHANG Yu-Qing, LIU Qi-Xu

  1. National Computer Network Intrusion Protection Center, Graduate University of Chinese Academy of Sciences, Beijing 100049, China
  • Received: 2012-01-11  Revised: 2012-03-28  Published: 2013-05-15
  • Corresponding author: LUO Qi-Han, luoqh@nipc.org.cn
  • Funding:

    Supported by the National Natural Science Foundation of China (60970140)

Design and implementation of a SQL injection vulnerability detection tool on RESTful API

LUO Qi-Han, ZHANG Yu-Qing, LIU Qi-Xu   

  1. National Computer Network Intrusion Protection Center, Graduate University, Chinese Academy of Sciences, Beijing 100049, China
  • Received:2012-01-11 Revised:2012-03-28 Published:2013-05-15

Abstract (translated from the Chinese):

RESTful APIs are today's mainstream Web APIs, and their parameter-passing and calling conventions have new characteristics that traditional Web vulnerability detection tools cannot handle effectively. This paper designs and implements RASIVD, the first SQL injection vulnerability detection tool aimed at RESTful APIs. Experimental results show that, compared with traditional detection tools, RASIVD detects more API SQL injection vulnerabilities with a false positive rate of zero, demonstrating its effectiveness.

Keywords: RESTful API, SQL injection, vulnerability detection, OAuth

Abstract:

RESTful APIs differ from conventional web applications in how parameters are passed and how calls are made, so typical web vulnerability scanners perform poorly on them. We designed and implemented RASIVD, the first SQL injection vulnerability detection tool targeting RESTful APIs. Experimental results show that, compared with traditional tools, RASIVD detects more API SQL injection flaws with no false positives, which indicates its effectiveness.

Key words: RESTful API, SQL injection, vulnerability detection, OAuth
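To make the abstract's point concrete, the following is an added illustration and is not RASIVD or any code from the paper. It builds a mock RESTful service whose GET /users/{id} handler interpolates the path segment straight into SQL (the bug class a form-oriented scanner misses, because the parameter lives in the path rather than in ?id=...), gates every call behind an OAuth bearer token that the scanner must supply, and then runs a small scanner that enumerates the {name} placeholders of a URL template and probes each with an error-based and a boolean-based payload. The route, the token value, the sample rows and the hardened handler are all constructed for the example.

```python
import re
import sqlite3

# --- Constructed mock backend (not one of the paper's test targets) -----------

def make_db():
    """In-memory SQLite database with three constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

TOKEN = "t0k3n-example"  # hypothetical OAuth bearer token the mock API expects

class RestApi:
    """Mock RESTful service exposing GET /users/{id}.

    The resource identifier travels as a path segment (already URL-decoded
    here) and the OAuth bearer token is checked on every call, so a scanner
    that only mutates query-string parameters or lacks a token sees nothing.
    """
    def __init__(self, conn, safe):
        self.conn, self.safe = conn, safe

    def get(self, path, headers):
        if headers.get("Authorization") != f"Bearer {TOKEN}":
            return 401, "unauthorized"
        m = re.fullmatch(r"/users/([^/]*)", path)
        if not m:
            return 404, "no route"
        user_id = m.group(1)
        try:
            if self.safe:
                # Hardened handler: validate the segment, then bind it.
                if not user_id.isdigit():
                    return 400, "bad id"
                rows = self.conn.execute(
                    "SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()
            else:
                # Vulnerable handler: path segment concatenated into SQL.
                rows = self.conn.execute(
                    "SELECT id, name FROM users WHERE id = " + user_id).fetchall()
        except sqlite3.Error:
            return 500, "db error"
        if not rows:
            return 404, "not found"
        return 200, ";".join(f"{i}:{n}" for i, n in rows)

# --- Added scanner logic (illustrative, not RASIVD) ---------------------------

def path_params(template):
    """Return the {name} placeholders of a RESTful URL template, in order."""
    return re.findall(r"\{(\w+)\}", template)

def render(template, values):
    """Substitute placeholder values into the template."""
    return re.sub(r"\{(\w+)\}", lambda m: values[m.group(1)], template)

def scan(api, template, sample, headers):
    """Probe every path parameter of `template` for SQL injection.

    Two techniques per parameter:
      error-based   : appending a lone quote must not cause a 5xx
      boolean-based : `v AND 1=1` must match the baseline response while
                      `v AND 1=2` must differ from it
    Returns a list of (parameter, technique) findings.
    """
    findings = []
    base = api.get(render(template, sample), headers)
    if base[0] == 401:
        raise RuntimeError("scanner is not authorised; supply a valid OAuth token")
    for name in path_params(template):
        v = sample[name]
        def probe(payload):
            return api.get(render(template, {**sample, name: payload}), headers)
        if probe(v + "'")[0] >= 500:
            findings.append((name, "error-based"))
        if probe(v + " AND 1=1") == base and probe(v + " AND 1=2") != base:
            findings.append((name, "boolean-based"))
    return findings

AUTH = {"Authorization": f"Bearer {TOKEN}"}

def demo():
    """Scan the vulnerable and the hardened handler; return both finding lists."""
    conn = make_db()
    vulnerable = scan(RestApi(conn, safe=False), "/users/{id}", {"id": "1"}, AUTH)
    hardened = scan(RestApi(conn, safe=True), "/users/{id}", {"id": "1"}, AUTH)
    return vulnerable, hardened

if __name__ == "__main__":
    print(demo())
```

Against the vulnerable handler both probes fire (the quote breaks the statement, and `1 AND 1=2` turns the 200 into a 404), while the hardened handler answers every probe with 400 and produces no finding, which is the zero-false-positive behaviour a scanner should exhibit on a correctly parameterised endpoint.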
