A Study of Step-by-step Countermeasures Model through Analysis of SQL Injection Attacks Code

A Study on a Step-by-step Countermeasure Model for SQL Injection Based on Case Analysis of Attack Code

  • 김점구 (Department of Computer Science, Namseoul University) ;
  • 노시춘 (Department of Computer Science, Namseoul University)
  • Received : 2012.02.24
  • Accepted : 2012.03.19
  • Published : 2012.03.30

Abstract

SQL Injection was disclosed as a web hacking technique years ago, but it is still classified among the most dangerous attacks. Recent web programs depend on a DBMS for efficient storage and retrieval of data, and scripting languages such as PHP, JSP and ASP are mainly used to interact with the DBMS. In this web environment, an application that does not validate invalid client input can be made to issue an abnormal SQL query. Such abnormal queries can bypass user authentication or expose data stored in the database: in an environment with a SQL Injection vulnerability, an attacker can pass web-based username-and-password authentication and reach the data stored in the database. A number of countermeasures against SQL Injection have been announced, but relying on any single one of them leaves many security holes. The four-level model proposed here is composed of the source code, the operational phase, the database and server-management side, and user input validation. Countermeasures are applied at each level as preventive steps against the incidents that level can cause, so that a phased, step-by-step response model is built up through a process of management measures; if it is applied, the possibility of SQL Injection attacks can be reduced.
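The authentication bypass the abstract describes, placed next to two of the model's layers (user input validation and a source-code fix), as an added example that is not part of the paper. It is stand-alone Python against a constructed in-memory SQLite database; the user table, the credentials, the allow-list regular expression and the helper names are all assumptions made for the illustration, not the paper's own code or data.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for the
# web application's DBMS. Passwords are stored in clear only to keep the
# example short; a real application stores password hashes.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct-horse"), ("alice", "s3cret")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation of client input into SQL: the pattern that lets an
    invalid entry turn into an abnormal query (assumed shape, not the paper's code)."""
    return (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    try:
        return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None
    except sqlite3.Error:
        # A malformed injection attempt simply fails the query here; in a real
        # application the raw DBMS error text would itself leak schema details.
        return False


# Layer: user input validation. Allow-list of characters a username may contain
# (assumed policy for the example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


# Layer: source code. A parameterised query, so the DBMS never parses the input as SQL.
def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    if not validate_username(username):
        return False
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def run_demo() -> dict:
    """Runs two classic attacker inputs and one legitimate login against both
    implementations and returns the outcome of each."""
    conn = make_db()
    attacks = {
        # Comments out the password check: ... WHERE username = 'admin' --' AND ...
        "comment_out_password": ("admin' --", "anything"),
        # Tautology: ... AND password = '' OR '1'='1'
        "tautology_in_password": ("admin", "' OR '1'='1"),
    }
    results = {}
    for name, (user, pw) in attacks.items():
        results[name] = {
            "vulnerable": login_vulnerable(conn, user, pw),
            "hardened": login_hardened(conn, user, pw),
        }
    results["legitimate"] = {
        "vulnerable": login_vulnerable(conn, "admin", "correct-horse"),
        "hardened": login_hardened(conn, "admin", "correct-horse"),
    }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: vulnerable={outcome['vulnerable']} hardened={outcome['hardened']}")
```

Both attacker inputs log in as admin through the concatenated query and are rejected by the hardened path, while the legitimate login succeeds in both. Note that the two layers fail independently: the allow-list alone would not stop the tautology, which arrives in the password field, and the parameterised query alone would still accept a username containing SQL metacharacters that a later, unparameterised report query might concatenate. The database and server-management layers of the model (a least-privilege DBMS account, patching and log review) are not shown because SQLite has no account model.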

Acknowledgement

Supported by: 산학협동재단 (Industry-Academic Cooperation Foundation)
