Abstract
An information analysis device (200) generates a diagnosis request and sends it to an application to be diagnosed (318). On the basis of that request, an information gathering device (300) acquires the SQL query that the application generates. The information analysis device (200) checks whether a special character set in the conditional clause of the SQL query has been escaped, and thereby determines whether a vulnerability exists. It also checks whether the syntax of the SQL query produced by the diagnosis request differs from the syntax of the SQL query produced by a normal request, and determines from this whether a vulnerability exists. In addition, it determines whether a vulnerability exists by checking whether the query produced by the diagnosis request results in a syntax error.
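The three checks in the abstract, sketched in Python over captured queries. This is an added example, not code from the patent: the names `diagnose`, `skeleton` and `escaped`, the finding labels and the sample queries are constructed, and it assumes standard SQL quote doubling (`''`) as the escape and uses a small tokenizer in place of a real SQL parser.

```python
import re

# Simplified tokenizer (assumption of this example, not a full SQL grammar).
# Inside a string literal, '' is the escaped form of a single quote.
TOKEN = re.compile(r"""
    (?P<str>'(?:[^']|'')*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op><>|<=|>=|!=|[=<>(),.*;+-])
  | (?P<ws>\s+)
  | (?P<bad>.)
""", re.X)

def skeleton(sql):
    """Query shape with literals replaced by '?'; None if it cannot be tokenized."""
    out = []
    for m in TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind == "bad":              # e.g. a quote that never closes
            return None
        if kind in ("str", "num"):
            out.append("?")
        elif kind != "ws":
            out.append(m.group().upper())
    return out

def escaped(diag_sql, probe):
    """True if the probe appears, with its quotes doubled, inside one string literal."""
    want = probe.replace("'", "''")
    return any(want in m.group()[1:-1]
               for m in TOKEN.finditer(diag_sql) if m.lastgroup == "str")

def diagnose(normal_sql, diag_sql, probe):
    """Apply the three checks to the query captured for a diagnosis request."""
    findings = []
    if not escaped(diag_sql, probe):
        findings.append("unescaped-special-character")
    base, shape = skeleton(normal_sql), skeleton(diag_sql)
    if shape is None:
        findings.append("syntax-error")
    elif shape != base:
        findings.append("syntax-changed")
    return findings

# Constructed sample: query captured for a normal request.
NORMAL = "SELECT id FROM users WHERE name = 'alice'"

if __name__ == "__main__":
    print(diagnose(NORMAL, "SELECT id FROM users WHERE name = 'x'' OR ''a''=''a'", "x' OR 'a'='a"))
    print(diagnose(NORMAL, "SELECT id FROM users WHERE name = 'x' OR 'a'='a'", "x' OR 'a'='a"))
    print(diagnose(NORMAL, "SELECT id FROM users WHERE name = 'x''", "x'"))
```

An empty result means the application escaped the probe and the query kept the shape of the normal request.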