###
计算机系统应用英文版:2020,29(8):144-151
本文二维码信息
码上扫一扫!
基于模型的Web应用二阶SQL注入测试用例集生成
(北京化工大学 信息科学与技术学院, 北京 100029)
Model Based Web Application Second-Order SQL Injection Test Suite Generation
(College of Information Science and Technology, Beijing University of Chemical Technology, Beijing 100029, China)
摘要
图/表
参考文献
相似文献
本文已被:浏览 3563次   下载 2351
Received:December 21, 2019    Revised:January 19, 2020
中文摘要: SQL注入漏洞一直以来都是威胁Web应用安全的主要问题之一, 其中二阶SQL注入漏洞相较于一阶SQL注入更加隐蔽且威胁更大, 对其检测通常依赖于测试人员的先验知识与经验. 目前, 在缺乏源码信息的黑盒测试场景下, 还没有针对该漏洞的有效检测手段. 利用基于模型的测试用例生成思想, 提出了一种基于客户端行为模型的测试用例集生成方法(CBMTG), 用于生成检测Web应用二阶SQL注入漏洞的测试用例集. 首先通过初始测试用例集的执行建立迁移与SQL语句的映射关系; 然后通过SQL语句的字段分析建立迁移之间的拓扑关系; 最后通过拓扑关系来指导最终的测试用例集生成. 实验结果表明, 本文方法优于当前主流的二阶SQL注入漏洞检测方法.
Abstract:SQL injection vulnerability has been the one of the most problems that threaten Web application security. Among them, second-order SQL injection vulnerabilities are more subtle and destructive than the first-order one, and the detection usually depends on the tester’s prior knowledge and experience. At present, in the Black-Box Testing scenario, there is no effective detection method for the second-order vulnerability yet. Utilizing the idea of model-based test case generation, in this study, a Test suite Generation method based on a Client Behavior Model (CBMTG) is proposed to get a test suite capable of detecting second-order SQL injection vulnerabilities in Web applications. In the CBMTG, firstly, the mapping relationship between transitions and SQL statements is established through the execution of the initial test suite. Then, the topological relationship between transitions is established through the field analysis of the SQL statements. Finally, the final test suite is generated under the guidance of the topological relationship. The experimental results show that the method in this study performs better in most Web application than the state-of-the-art second-order SQL injection vulnerability detection methods.
文章编号:     中图分类号:    文献标志码:
基金项目:国家自然科学基金(61672085)
引用文本:
尤枫,王维扬,尚颖.基于模型的Web应用二阶SQL注入测试用例集生成.计算机系统应用,2020,29(8):144-151
YOU Feng,WANG Wei-Yang,SHANG Ying.Model Based Web Application Second-Order SQL Injection Test Suite Generation.COMPUTER SYSTEMS APPLICATIONS,2020,29(8):144-151