隨著網際網路的快速發展,許多Web應用程式提供學習、教育、娛樂、資訊交換、商業交易等服務,這類型Web應用程式通常將各式各樣資料儲存在資料庫中,這些資料可能包含使用者帳戶資訊、私人檔案、交易明細等。因此,攻擊者透過SQL Injection的方式攻擊Web應用程式,這樣的攻擊方式可能會執行破壞或竊取資料的行為,更甚者可奪取伺服器的控制權。過去許多防止SQL Injection攻擊的研究與產品常因為配置過於繁瑣、需要修改當前應用程式原始碼或無法涵蓋所有漏洞等因素而無法徹底防禦SQL Injection攻擊。基於以上的理由,如果有效且便利的防止SQL Injection攻擊,成為一件很重要的事。 本篇論文,我們提出一個嶄新的防禦機制,將每一即將送達資料庫的請求翻譯為相等的請求送往LDAP,利用LDAP的特性及一些額外的防禦措施來驗證該請求是否合法。我們將這個防禦機制命名為TransSQL,TransSQL包含了兩個步驟,第一個步驟是前置作業,我們使用sqldump來擷取資料庫中的資料,並且複製一份到LDAP中。第二個步驟是運作監控,我們監控所有送到資料庫的請求來防止SQL Injection攻擊。我們的防禦機制布置在Web應用程式和資料庫之間並且從實驗結果來看,TransSQL能有效的防禦SQL Injection攻擊Web-based applications have become the major means of providing services by web servers and databases. These applications are the frequent target for attacks be-cause the databases underlying Web applications often contain private information (e.g., user accounts and financial records). In particular, SQL injection attacks, a class of injection flaw in which specially crafted input strings leads to illegal queries to da-tabases, are one of the topmost threats to web applications. A number of research pro-totypes and commercial products that maintain the queries structure in web applica-tions have been developed but these techniques fail to address the full scope of the problem or have limitations. In this paper, we propose a novel and effective mechanism for automatically translating SQL requests to LDAP-equivalent requests to render them secure against SQL injection attacks. After queries are executed on SQL database and LDAP, our technique checks the difference in responses from SQL database and LDAP to prevent SQL injection attacks. We implemented our technique in a tool, TransSQL, consists of two steps. In the preprocessing step, Database Duplicating process, we adopt sqldump program to extract entire information of SQL database that could be used to produce LDAP schema and LDAP Data Interchange Format file. In the runtime step, Request Translation process, the technique intercepts SQL queries for translation and checks the results from LDAP against SQL database. TransSQL has been implemented in Java and deployed between web applications and databases. Our empirical evaluation has shown that TransSQL is both effectiveness and efficiency against SQL injection attacks.
