
Improving SQL Injection Detection Techniques

Dolatnezhad, Somayeh | 2014

Type of Document: M.Sc. Thesis
Language: Farsi
Document No: 46049 (19)
University: Sharif University of Technology
Department: Computer Engineering
Advisor(s): Amini, Morteza

Abstract:

SQL injection is one of the most important security threats to web applications with an SQL-based backend database. An attacker can abuse a vulnerability in the application to change the queries sent from the application to the database. Many techniques and frameworks have been proposed for detecting and preventing SQL injection, but most of them cannot detect all types of SQL injection, such as second-order attacks. In this thesis, we propose a new method to detect and prevent all types of this attack. The proposed method is an anomaly-based intrusion detection method and can be deployed as a proxy between the application server and the database server. It can detect and prevent attacks without any change to the application source code. The method consists of three phases: learning, detection and prevention. The detection phase works on the query's syntax, so the majority of attacks, which change the query's syntax, are identified. Some other attacks remain possible, however, such as second-order attacks and attacks that try to provoke a data type mismatch error. We propose the prevention phase to detect and prevent all other known and unknown attacks. In the prevention phase, we convert the query to a parameterized query and send it to the database. In this way we can prevent all types of SQL injection attacks and can also detect attacks that raise a data type mismatch error at this stage, without needing to execute the query. Another advantage of the proposed method is its effect on the performance of the application: it imposes negligible performance overhead on the initial execution of the queries, but overall it improves the performance of the application.
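As an added illustration (not the thesis's own code, which is not on this page), the Python sketch below models the learn/detect/prevent pipeline the abstract describes: a constructed tokenizer reduces each query to its syntactic skeleton, the learning phase records skeletons from trusted traffic, detection rejects any query whose skeleton is outside that profile, and prevention hands back the parameterized form with the literals as bound parameters. The token grammar, the `QueryProxy` name and the sample queries are assumptions made for the example.

```python
import re

# Constructed tokenizer for a small SQL subset (assumption: single-quoted
# strings with '' escapes, numbers, identifiers and basic punctuation only).
TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*')             # string literal
  | (?P<num>\b\d+(?:\.\d+)?\b)          # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
  | (?P<op><=|>=|<>|!=|[=<>*,().;])     # operators and punctuation
  | (?P<ws>\s+)
""", re.VERBOSE)

def parameterize(sql):
    """Split a query into its syntactic skeleton (literals -> '?') and its
    literal values; structure changes alter the skeleton, data does not."""
    skeleton, params, pos = [], [], 0
    for m in TOKEN_RE.finditer(sql):
        if m.start() != pos:                       # gap = unlexable input
            raise ValueError("unrecognised input at offset %d" % pos)
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "str":
            params.append(text[1:-1].replace("''", "'"))
            skeleton.append("?")
        elif kind == "num":
            params.append(float(text) if "." in text else int(text))
            skeleton.append("?")
        else:
            skeleton.append(text)
    if pos != len(sql):
        raise ValueError("unrecognised input at offset %d" % pos)
    return " ".join(skeleton), params

class QueryProxy:
    """Learning, detection and prevention phases as described in the abstract."""
    def __init__(self):
        self.profile = set()   # skeletons learned from trusted traffic

    def learn(self, sql):      # learning phase: run on known-good queries only
        self.profile.add(parameterize(sql)[0])

    def check(self, sql):
        """Detection: None when the syntax is outside the profile. Prevention:
        otherwise the parameterized query plus the literals as bound params."""
        try:
            skeleton, params = parameterize(sql)
        except ValueError:
            return None
        return (skeleton, params) if skeleton in self.profile else None
```

A query whose literal merely contains a quote (escaped as `''`) keeps the learned skeleton and is forwarded with that value bound, which is the property the prevention phase relies on.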
Keywords: Database Security; Intrusion Detection System; Structured Query Language (SQL); Intrusion Detection and Prevention; Parameterized Query; Query Profile
