SQL資料庫攻擊程式碼之產生自動化

Abstract

近年來利用自動化靜態分析工具來偵測SQL資料庫攻擊日益普遍。然而這些工具可能會產生誤報，且弱點的可信度難以檢驗。檢驗弱點的方式，就是模擬駭客或者是黑箱工具的手法，實際送出攻擊程式碼來攻擊網站並觀察攻擊是否成功。在這篇論文中，我們提出一種方法來檢驗自動化分析工具所偵測到的弱點。我們產生實際的攻擊程式碼來攻擊網站，並且監控網站運作中所執行的SQL指令，藉此判斷弱點的可信度。我們以數個真實案例來進行實驗，結果證明此方法可有效檢驗弱點。

Automated static analysis tools are widely used today for finding input manipulation vulnerabilities in web applications, such as SQL injection. However, these tools may produce many false positives and these reported vulnerabilities cannot be verified easily. To verify these reported vulnerabilities, concrete attack requests need to be constructed and to be submitted to the target application, just like what hackers or black-box tools will do. Our approach is to send concrete exploits and to inspect SQL queries that are executed at run-time. Thus, it is possible to declare the reported vulnerability valid (along with true exploitable SQL commands) or bogus (i.e., false positive). Our technique is proved to be effective after the evaluation against several real-world examples.