
A second-order SQL injection detection method


Abstract

Second-order SQL injection is a serious threat to Web applications and is more difficult to detect than first-order SQL injection. Its attack payload originates from untrusted user input that has been stored in the database or file system. The SQL statement a Web application submits is usually assembled dynamically from trusted constant strings in the program and untrusted user input, and the DBMS is unable to distinguish the trusted from the untrusted parts of a statement. This paper presents a method for detecting second-order SQL injection attacks based on ISR (Instruction Set Randomization). The method randomizes the trusted SQL keywords contained in the Web application to dynamically build a new SQL instruction set, and adds a proxy server in front of the DBMS; the proxy checks whether each received SQL instruction still contains standard SQL keywords, which reveals attack behaviour. Experimental results show that the system effectively detects second-order SQL injection attacks with low processing cost.
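As an added illustration (not code from the paper), the keyword randomization and proxy check the abstract describes, in Python: the program's constant SQL strings get tagged keywords, and the proxy rejects any statement in which a standard keyword survives, which can only have come from stored data. The small keyword set, the `_<tag>` suffix format, the literal-stripping step and the stored payload are constructed assumptions of this example.

```python
import re
import secrets

# Constructed, deliberately small keyword set; a deployment would cover the DBMS's full keyword list.
SQL_KEYWORDS = ("SELECT", "UNION", "FROM", "WHERE", "INSERT", "INTO", "VALUES",
                "UPDATE", "SET", "DELETE", "DROP", "OR", "AND")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
STRING_LITERAL_RE = re.compile(r"'(?:[^']|'')*'")  # complete single-quoted literals only


def new_tag():
    """Random suffix chosen per process: SELECT_<tag> etc. form the private instruction set."""
    return secrets.token_hex(4)


def randomize_template(template, tag):
    """Applied to the program's constant SQL strings, so only application-authored
    keywords carry the tag; data read back from the database never does."""
    return KEYWORD_RE.sub(lambda m: m.group(1).upper() + "_" + tag, template)


class RandomizedSqlProxy:
    """Sits between the application and the DBMS: rejects a statement that still
    contains a standard keyword, otherwise de-randomizes it for the DBMS."""

    def __init__(self, tag):
        self.tagged_re = re.compile(
            r"\b(" + "|".join(SQL_KEYWORDS) + r")_" + re.escape(tag) + r"\b", re.IGNORECASE)

    def inspect(self, statement):
        # Drop complete string literals first (assumption of this example, not the paper):
        # a quoted value such as 'or' is data, while a keyword left outside quotes can
        # only have come from untrusted input breaking out of the template.
        # KEYWORD_RE's \b does not match SELECT_<tag>, since "_" is a word character.
        hit = KEYWORD_RE.search(STRING_LITERAL_RE.sub("''", statement))
        if hit:
            return None, "standard keyword %s outside the trusted template" % hit.group(1).upper()
        return self.tagged_re.sub(lambda m: m.group(1), statement), None


def demo():
    """Second-order flow: a value stored earlier is read back and concatenated."""
    tag = new_tag()
    proxy = RandomizedSqlProxy(tag)
    template = randomize_template("SELECT id FROM users WHERE name = '{}'", tag)
    benign = "O'Brien".replace("'", "''")                      # constructed legitimate value
    stored_payload = "x' UNION SELECT password FROM users --"  # constructed stored payload
    ok_sql, ok_err = proxy.inspect(template.format(benign))
    _, bad_err = proxy.inspect(template.format(stored_payload))
    return ok_sql, ok_err, bad_err
```

Values that legitimately contain keyword-like words inside quotes pass, while a stored payload that breaks out of the quoted literal leaves a standard keyword in the statement and is rejected before reaching the DBMS.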
