Author:
Aerabi, Ehsan
Title:
Design and Implementation of a Zero-False-Positive Dynamic Analysis Tool for SQL Injection Vulnerability Testing
Degree level:
Master's
Field of study:
Computer Architecture
Place of study:
Isfahan: Isfahan University of Technology, Department of Electrical and Computer Engineering
Pagination:
xii, 127 pp.: illustrations, tables, charts
Note:
Title page in Persian and English
Supervisor:
Mehdi Berenjkoub, Mohammad Ali Montazeri
Advisor:
Pejman Khadivi
Descriptors:
Web security, command injection, security assessment
Indexing date:
18/5/89
Faculty:
Electrical and Computer Engineering
Persian abstract:
In Persian and English: viewable in the digital version
English abstract:
Design and Implementation of a Dynamic and Zero False Positive Tool for SQL Injection Vulnerability Assessment

Ehsan Aerabi (e aerabi@ec.iut.ac.ir)
Date of Submission: 2010/06/06
Department of Electrical and Computer Engineering, Isfahan University of Technology, Isfahan 84156-83111, Iran
Degree: M.Sc.
Language: Farsi
Supervisor: Mehdi Berenjkoub, Mohammad Ali Montazeri (brnjkb@cc.iut.ac.ir, montazer@cc.iut.ac.ir)

Abstract

SQL Injection (SQLi) vulnerability is one of the most frequent and harmful threats in web applications. SQL Injection occurs when the structure of issued SQL query is modified by crafted inputs entered by a malicious user. SQL Injection may result in information disclosure, data manipulation and denial of service. This vulnerability has stayed between top three web vulnerabilities in recent years. Although new methods were introduced to discover, detect or prevent it in recent years, these approaches had several drawbacks. Some approaches do not have accurate results and usually engage with false positives or negatives, or do not cover all categories of SQLi. Some others should pass training period. A large group of them needs to parse or modify source code, and the other ones are not capable with dynamic generated queries.

This thesis begins with a comprehensive, categorized introduction to SQLi attack methods. These categories include authentication bypass, error based information disclosure, union based data projection and blind SQL injection. Then we express major prevention approaches in three general classes: Detection, Discovery and Elimination. This continues with comparative analysis for these prevention classes and their methods. This analysis has introduced some measures for considering weaknesses and advantages of each method.

To overcome the mentioned weakness, this dissertation proposes a general method to detect SQLi incident with no false positive that can be used to discover SQLi vulnerabilities or detect and prevent SQLi attacks. We call this method PARS because it is based on a parameter scrambling approach. PARS is composed of two proxies: Web Proxy and Database proxy. The first one scrambles all parameters in http requests with a particular approach, then replay new scrambled requests toward web server. The second proxy then can detect SQLi incident in front of database by the received scrambled values in SQL query. PARS doesn't need to modify source code or even read it, and covers all categories of SQLi. It doesn't need to be trained and can deal with dynamic or static queries.

We used PARS method for developing a tool to discover SQLi Vulnerability and called it PARSgen. PARSgen is composed of three modules: web crawler, html parser and attack generator. Web crawler finds all pages at a web application under a vulnerability assessment. Html parser then parses those pages and generates multiple attack points regarding their methods, parameters and values. Attack generator then uses this file and crafts SQL Injection attacks. PARSgen generates dynamic attack vectors and applies them to the target web application. For each attack, PARS proxies can determine SQLi successful incident. PARSgen receives responses from PARS and log each successful attack. We have applied this tool in few web applications and found some flaws on them. Some of these flaws have been reported as exploitable vulnerabilities in related well known websites.

Keywords: SQL Injection, Vulnerability Assessment, Web Security, Command Injection