An ISAPI-Based Model for Preventing Web Injection Attacks and Its Application
【Author】 Ling Yun (凌云)
【Supervisor】 Li Jingtao (李景涛)
【Author information】 Fudan University (复旦大学), Software Engineering, 2011, Master's degree
【Abstract (translated from the Chinese)】 With the arrival of the internet era, a large number of enterprises and government agencies use websites to publish information internally and externally, to offer consulting services and to conduct transactions. Programmers, however, differ widely in skill and experience, and a substantial share of them never check the legitimacy of user-supplied data when writing code, so many web applications carry security flaws and are easy targets for injection attacks. How to reduce website vulnerabilities and prevent such attacks, while still using information technology to improve one's image and ease business operations, is therefore a common concern of enterprises and government bodies. This thesis proposes a firewall model against injection attacks based on ISAPI technology, implements it, and puts it into use. The main work is as follows:

1. The two currently most common forms of website injection attack, SQL injection and cross-site scripting, are presented, the defensive methods commonly deployed on websites are introduced, and their shortcomings in practice are analysed.
2. A firewall model against injection attacks based on ISAPI technology is proposed, and its design objectives, design scheme and development process are described in detail.
3. A feasibility analysis and a system requirements analysis of the model are carried out, followed by the detailed design. The design section states the firewall's design goals; fixes its parsing mode, architecture and processing flow; designs each functional module in detail; and classifies and defines the response modes of the security policies.
4. The policy engine section first discusses the attributes of a security policy, then describes how policies are loaded and scheduled and how policy rules are extracted.

The firewall described by the model was implemented in code and was installed and debugged successfully on a web server. Stress testing in an enterprise network environment gave good results. In practice, because the firewall protects every website on an IIS server uniformly, with no per-site configuration, it raises the security of enterprise websites while greatly lowering the cost of defending the web server, which matters for enterprise competitiveness.
【Abstract (author's English version)】 In the internet era, a large number of enterprises and government agencies publish news, offer consulting services and do business online through websites. When writing code, however, a large proportion of programmers never check the legitimacy of the data users enter, so security risks arise in many web applications, which are then vulnerable to attack. Enterprises and government agencies are therefore generally concerned with how to use information technology to enhance their image and facilitate business operations while reducing vulnerabilities so as to prevent attacks. This thesis presents an anti-attack firewall model based on ISAPI technology, which the author has implemented and put into application. The author's main work includes the following:

1. The thesis examines two common kinds of injection attack, SQL injection and cross-site scripting, then describes the methods usually used to prevent them and analyses their shortcomings and deficiencies in practice.
2. The thesis presents an anti-attack firewall model based on ISAPI technology and elaborates its objectives, design scheme and development process.
3. After conducting a feasibility analysis and writing the system requirements specification, the author designs the specific model. In the model design part, the thesis proposes the objectives of the firewall system; chooses the parsing model, the architecture and the processing framework; designs each functional module in detail; and classifies and defines the response modes of the security policy.
4. In the policy engine design part, the thesis first expounds the properties of a security policy, then describes how policies are loaded and scheduled and how security policy rules are extracted.

Through programming, the author built a firewall implementing the model and successfully installed and debugged it on the web server. A stress test conducted in the production environment showed positive results. In practice, instead of being configured site by site, the firewall protects all websites on the IIS server at once, which significantly reduces the server's defence cost while improving security, and this is important for enterprises seeking to improve their competitiveness.
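As an added example, not code from the thesis or from the author's implementation, the block below shows the decision core of an ISAPI-style request filter of the kind the abstract describes, written in plain C so it compiles anywhere. The rule table is a hypothetical illustration rather than the thesis's policy set, and the ISAPI call site named in the comments (HttpFilterProc() on SF_NOTIFY_PREPROC_HEADERS, with the URL taken from the "url" header) is assumed. It demonstrates the one detail such a filter must get right that the abstract leaves implicit: the policy rules have to be matched against the percent-decoded, normalized query, and when several rules fire the most severe response mode wins.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Response modes, ordered by severity so the filter can keep the worst hit. */
typedef enum { ACT_PASS = 0, ACT_LOG = 1, ACT_BLOCK = 2 } action_t;

typedef struct {
    const char *pattern;   /* lowercase substring, matched against the decoded query */
    const char *category;  /* attack class the rule belongs to */
    action_t    action;    /* response mode for this rule */
} rule_t;

/* Hypothetical policy table for illustration; not the rule set from the thesis. */
static const rule_t RULES[] = {
    { "union select", "sqli", ACT_BLOCK },
    { "' or ",        "sqli", ACT_BLOCK },
    { "<script",      "xss",  ACT_BLOCK },
    { "onerror=",     "xss",  ACT_BLOCK },
    { "--",           "sqli", ACT_LOG   },   /* too noisy to block on its own */
};
#define NRULES (sizeof RULES / sizeof RULES[0])

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode, turn '+' into a space and lowercase, so the rules see what
 * the web application will see. Matching the raw string is the classic filter
 * mistake: "%27%20OR%20" never contains "' or ". A decoded NUL is replaced by
 * a space so it cannot truncate the text strstr() inspects. */
size_t normalize_query(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    while (*in && n + 1 < cap) {
        int c = (unsigned char)*in;
        if (c == '%' && hexval((unsigned char)in[1]) >= 0
                     && hexval((unsigned char)in[2]) >= 0) {
            c = hexval((unsigned char)in[1]) * 16 + hexval((unsigned char)in[2]);
            in += 3;
        } else {
            if (c == '+') c = ' ';
            in += 1;
        }
        if (c == 0) c = ' ';
        out[n++] = (char)tolower(c);
    }
    out[n] = '\0';
    return n;
}

/* Walk the policy table and return the most severe action any rule asks for.
 * In a real ISAPI filter this would be called from HttpFilterProc() on
 * SF_NOTIFY_PREPROC_HEADERS with the query string from the "url" header
 * (assumed call site); ACT_BLOCK would then be turned into a 403 response
 * and SF_STATUS_REQ_FINISHED. */
action_t inspect_query(const char *raw_query, const char **category)
{
    char decoded[1024];
    action_t worst = ACT_PASS;
    size_t i;
    if (category) *category = "none";
    normalize_query(raw_query, decoded, sizeof decoded);
    for (i = 0; i < NRULES; i++) {
        if (strstr(decoded, RULES[i].pattern) && RULES[i].action > worst) {
            worst = RULES[i].action;
            if (category) *category = RULES[i].category;
        }
    }
    return worst;
}

/* Convenience wrapper: the category of the decisive rule, or "none". */
const char *query_category(const char *raw_query)
{
    const char *cat;
    inspect_query(raw_query, &cat);
    return cat;
}

int main(void)
{
    /* Constructed sample query strings, not captured traffic. */
    static const char *samples[] = {
        "id=1",
        "id=1%27%20OR%201%3D1",
        "q=%3Cscript%3Ealert(1)%3C/script%3E",
        "id=1+UNION+SELECT+user,pass+FROM+admin",
        "id=1--",
    };
    static const char *names[] = { "pass", "log", "block" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *cat;
        action_t a = inspect_query(samples[i], &cat);
        printf("%-42s -> %-5s (%s)\n", samples[i], names[a], cat);
    }
    return 0;
}
```

Compile with any C compiler and run; each constructed sample prints its verdict and category. The single decoding pass is only correct when the protected application also decodes once: a payload the application decodes twice (for example "%2527") would pass this filter untouched, and the same holds for any other encoding the backend accepts. A signature filter of this kind is therefore a server-wide mitigating layer, which is the cost advantage the thesis claims, not a replacement for parameterized queries and output encoding in the applications themselves.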
- 【Online publication submitted by】 Fudan University (复旦大学) 【Online publication issue】 2012, No. 08
- 【Classification number】 TP393.08
- 【Times cited】 3
- 【Downloads】 95