针对RESTful API的SQL注入漏洞检测工具的设计与实现

doi:10.7523/j.issn.1002-1175.2013.03.021

中国科学院大学学报 ›› 2013, Vol. 30 ›› Issue (3): 417-424.DOI: 10.7523/j.issn.1002-1175.2013.03.021

针对RESTful API的SQL注入漏洞检测工具的设计与实现

罗启汉, 张玉清, 刘奇旭

中国科学院研究生院国家计算机网络入侵防范中心,北京 100049

收稿日期:2012-01-11 修回日期:2012-03-28 发布日期:2013-05-15
通讯作者: 罗启汉, luoqh@nipc.org.cn
基金资助:
国家自然科学基金(60970140)资助 

Design and implementation of a SQL injection vulnerability detection tool on RESTful API

LUO Qi-Han, ZHANG Yu-Qing, LIU Qi-Xu

National Computer Network Intrusion Protection Center, Graduate University, Chinese Academy of Sciences, Beijing 100049, China

Received:2012-01-11 Revised:2012-03-28 Published:2013-05-15

摘要/Abstract

摘要：

RESTful API作为当前主流Web API,其传参与调用方式具有新特性,传统的Web漏洞检测工具均无法有效对其检测. 本文设计并实现了首款针对RESTful API的SQL注入漏洞检测工具:RASIVD. 实验结果表明,与传统检测工具相比,RASIVD能够检测出更多API SQL注入漏洞,且误报率为零,说明了RASIVD的有效性.

关键词: RESTful API, SQL注入, 漏洞检测, Oauth

Abstract:

RESTful APIs have new features in styles of parameter and calling, and typical web flaw scanners perform poorly on these APIs. We designed and implemented the first SQL injection flaw detection tool called RASIVD targeting RESTful APIs. The experiment results show that, compared to traditional tools, RASIVD detects more API SQL injection flaws and has no false positive, which indicates the efficiency of RASIVD.

Key words: RESTful API, SQL injection, vulnerability detection, Oauth

中图分类号:

TP393

罗启汉, 张玉清, 刘奇旭. 针对RESTful API的SQL注入漏洞检测工具的设计与实现[J]. 中国科学院大学学报, 2013, 30(3): 417-424.

LUO Qi-Han, ZHANG Yu-Qing, LIU Qi-Xu. Design and implementation of a SQL injection vulnerability detection tool on RESTful API[J]. , 2013, 30(3): 417-424.

参考文献

[1] Wikipedia. Amazon Web services[EB/OL].[2011-12-30]. http://en.wikipedia.org/wiki/Amazon_Web_Services.

[2] Mitra N, Ericsson, Lafon Y, W3C. SOAP protocol[S/OL]. (2007-04-27)[2012-03-03]. http://www.w3.org/TR/soap/.

[3] Wikipedia. Representational state transfer[EB/OL].(2011-12-30)[2012-03-03]. http://en.wikipedia.org/wiki/Representational_state _transfer.

[4] Vieira M, Antunes N, Madeira H. Using Web security scanners to detect vulnerabilities in web services[C]//The 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. Piscataway: IEEE Computer Society, 2010: 566-571.

[5] Antunes N, Vieira M. Detecting SQL injection vulnerabilities in Web services[C]//The 4th Latin-American Symposium on Dependable Computing. Piscataway: IEEE Computer Society, 2009: 17-24.

[6] Antunes N, Laranjeiro, Vieira M, et al. Effective detection of SQL/XPath injection vulnerabilities in Web services[C]//2009 IEEE International Conference on Services Computing. Piscataway: IEEE Computer Society, 2009: 260-267.

[7] OWASP. WSFuzzer[CP/OL].(2010-09-13)[2012-03-03]. https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_ Project.

[8] MeiJunjin. An approach for SQL injection vulnerability detection[C]//The Sixth International Conference on Information Technology: New Generations. Piscataway: IEEE Computer Society, 2009: 1411-1414.

[9] Martin M, Lam M S. Automatic generation of XSS and SQL injection attacks with goal-directed model checking[C]//The 17th USENIX Security Symposium. California: USENIX Association Berkeley, 2008: 31-43.

[10] Fu X,Lu X,Peltsverger B,et al.A static analysis framework for detecting SQL injection vulnerabilities[C]//The 31st Annual International Computer Software and Applications Conference.Piscataway:IEEE Computer Society,2007:87-94.

[11] Kosuga Y, Kono K, Hanaoka M, et al. Sania: Syntactic and semantic analysis for automated testing against SQL injection[C]//The 23rd Annual Computer Security Applications Conference. Los Alamitos: IEEE Computer Society, 2007: 107-116.

[12] Fielding R T. Architectural styles and the design of network-based software architectures[D]. Irvine: University of California, Irvine, 2000.

[13] Atwood M, Balfanz D, Bounds D, et al. OAuth core 1.0 revision A[S/OL].(2009-06-24)[2012-01-03]. http://oauth.net/core/1.0a/.

[14] Hammer-Lahav E. RFC 5849, The OAuth 1.0 protocol[S/OL].(2010-04-30)[2012-01-03]. http://tools.ietf.org/html/rfc5849.

[15] Hammer-Lahav E. The OAuth 2.0 protocol[S/OL].(2011-09-22)[2012-01-03]. http://tools.ietf.org/html/draft-ietf-oauth-v2-22.

[16] Acunetix. Acunetix Web vulnerability scanner[CP/OL].(2011-12-27)[2012-01-03]. http://www.acunetix.com/vulnerability-scanner/.

[17] IBM. IBM rational AppScan[CP/OL].(2011-12-27)[2012-01-03]. http://www-01.ibm.com/software/awdtools/appscan/.

[18] Chinotec Technologies Company. Paros[CP/OL].(2006-08-08)[2012-01-03]. http://www.parosproxy.org/.

针对RESTful API的SQL注入漏洞检测工具的设计与实现

Design and implementation of a SQL injection vulnerability detection tool on RESTful API

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

访问统计

联系我们

[1]	戴志明, 周明拓, 杨旸, 李剑, 刘军. 智能工厂中的雾计算资源调度[J]. 中国科学院大学学报, 2021, 38(5): 702-711.
[2]	刘婷, 罗喜良. 移动边缘计算中的在线任务卸载方法[J]. 中国科学院大学学报, 0, (): 21542-21542.
[3]	朱兆伟, 刘婷, 钱骅, 罗喜良. 非稳态雾赋能网络中的在线任务卸载方法[J]. 中国科学院大学学报, 2020, 37(5): 699-707.
[4]	赖训飞, 梁旭文, 谢卓辰, 李宗旺. 基于实体嵌入和长短时记忆网络的入侵检测方法[J]. 中国科学院大学学报, 2020, 37(4): 553-561.
[5]	赵择, 徐佑宇, 唐亮, 卜智勇. 基于改进一对一算法的网络流量分类[J]. 中国科学院大学学报, 2020, 37(4): 570-576.
[6]	薛开平, 柳彬, 李威, 洪佩琳. 一种面向未知链路帧的格式特征提取与分类算法[J]. 中国科学院大学学报, 2018, 35(4): 521-528.
[7]	田洁, 王伟强, 孙翼. 一种免除二值化的视频叠加中文字符识别方法[J]. 中国科学院大学学报, 2018, 35(3): 402-408.
[8]	叶延玲, 傅晓彤, 张玉清, 乐洪舟. 一种自动化的Android应用定向行为测试方法[J]. 中国科学院大学学报, 2018, 35(3): 409-416.
[9]	严志涛, 方滨兴, 刘奇旭, 崔翔. 一种基于无线路由器的IoT设备轻量级防御框架[J]. 中国科学院大学学报, 2017, 34(6): 759-770.
[10]	王开泳, 邓羽. 基于微博数据的中原城市群空间联系强度测度[J]. 中国科学院大学学报, 2016, 33(6): 775-782.
[11]	闫淑筠, 王文杰, 张玉清. 一种有效的Web指纹识别方法[J]. 中国科学院大学学报, 2016, 33(5): 679-685.
[12]	侯金钟, 张立波, 罗铁坚. 一种均衡视频资源的分布存储方法[J]. 中国科学院大学学报, 2016, 33(5): 686-692.
[13]	曹来成, 赵建军, 崔翔, 李可. 基于余弦测度下K-means的网络空间终端设备识别[J]. 中国科学院大学学报, 2016, 33(4): 562-569.
[14]	吴敬征, 武延军, 武志飞, 杨牧天, 罗天悦, 王永吉. 基于有向信息流的Android隐私泄露类恶意应用检测方法[J]. 中国科学院大学学报, 2015, 32(6): 807-815.
[15]	董颖, 张玉清, 乐洪舟. Joomla内容管理系统漏洞利用技术[J]. 中国科学院大学学报, 2015, 32(6): 825-835.