Design and implementation of a SQL injection vulnerability detection tool for RESTful APIs |
Authors: | LUO Qi-Han, ZHANG Yu-Qing, LIU Qi-Xu |
Institution: | National Computer Network Intrusion Protection Center, Graduate University of the Chinese Academy of Sciences, Beijing 100049, China |
Funding: | Supported by the National Natural Science Foundation of China (60970140) |
Abstract: | RESTful APIs are now the mainstream form of Web API, and their parameter-passing and invocation conventions have new characteristics that existing Web vulnerability scanners cannot test effectively. This paper designs and implements RASIVD, the first SQL injection vulnerability detection tool targeted at RESTful APIs. Experimental results show that, compared with traditional scanners, RASIVD detects more API SQL injection vulnerabilities with a zero false-positive rate, demonstrating its effectiveness. |
Keywords: | RESTful API; SQL injection; vulnerability detection; OAuth |
Received: | 2012-01-11 |
Revised: | 2012-03-28 |
Design and implementation of a SQL injection vulnerability detection tool on RESTful API |
Authors: | LUO Qi-Han, ZHANG Yu-Qing, LIU Qi-Xu |
Institution: | National Computer Network Intrusion Protection Center, Graduate University, Chinese Academy of Sciences, Beijing 100049, China |
Abstract: | RESTful APIs have new features in their parameter and calling styles, and typical web flaw scanners perform poorly on these APIs. We designed and implemented the first SQL injection flaw detection tool targeting RESTful APIs, called RASIVD. The experimental results show that, compared to traditional tools, RASIVD detects more API SQL injection flaws and has no false positives, which indicates the effectiveness of RASIVD. |
Keywords: | RESTful API; SQL injection; vulnerability detection; OAuth |