Enhanced Model of SQL Injection Detecting and Prevention

Transcription

1 Enhanced Model of SQL Injection Detecting and Prevention Srinivas Baggam, Assistant Professor, Department of Computer Science and Engineering, MVGR College of Engineering, Vizianagaram, India. G.Anil Kumar, Department of Computer Science and Engineering, MVGR College of Engineering. Vizianagaram, India. Abstract In this rapidly increasing of the usage of the internet and web applications, providing the security from the attackers is necessary. Now a days the major issue of the security in the web applications are SQL security injections, which are creating a serious issues regarding the attacks of web applications and acquiring the secret information s (ID and passwords) and accessing the databases through the SQL injections. Mainly this paper with the reorganization of the SQL injections that are mostly worrying aspect and will be identified and then it allow such type of formats used by the attacker to hack the information/databases from the web applications. By using the two methods like signature based and auditing method we can protect web applications from the attack by using SQL injections. The two methods are used to find the parameters that are used to attack by the SQL injections and analyzed by the transactions which cause illegal access. By this methods we can totally protect the web applications without any hacking of the database and completely condemned the attacks and it will not generate any wrong transactions as a correct one. Keywords Index terms - Security, SQL Injection, 1. INTRODUCTION Now a day s providing the security for the web applications is a challenging issue from the attackers by the SQL attacks which are used to read and modify the data in the database. In this paper We propose a technique which will prevent the SQL attacks from the attackers with some predefined key words which are store in the database which can easily identify at the time of input validations by the attackers. This approach mainly focuses on signature, which can easily detect and prevent the SQL injection from the attackers. In our approach to prevent SQL injections from the attackers, we used a concept of recognizing the suspicious activities which cause attacks by SQL injections. The performance will be measured in module wise to check the SQL injections. At first a checking module checks the incoming query from the web applications as input [6]. From this module the details of the input query will send for analysing the query by the analysis module which is used to find out the area from the input query is occurred in the web applications and it compare with some predefined key words to clarify the given input whether wrong or correct. For example to find the area of occurrence of the input from the web applications through any programming language as shown below SQL injection techniques are an increasingly dangerous threat to the security of information stored upon Oracle Databases. These techniques are being discussed with greater regularity on security mailing lists, forums, and at conferences. There have been many good papers written about SQL Injection and a few about the security of Oracle 71

2 databases and software. In this paper we have two sections. First article in a two-part series that will examine SQL injection attacks against Oracle databases. The objective of this series is to introduce Oracle users to some of the dangers of SQL injection and to suggest some simple ways of protecting against these types of attack. Many database servers, including Microsoft SQL Server 2000, allow multiple SQL statements separated by semicolons to be executed at once. While this attack string results in an error in Oracle and other database servers that do not allow the batch-execution of statements separated by semicolons, in databases that do allow batch execution, this type of attack allows the attacker to execute arbitrary commands against the database. One traditional approach to prevent SQL injection attacks is to handle them as an input validation problem and either accepts only characters from a white list of safe values or identified and escapes a blacklist of potentially malicious values [1]. White listing can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, blacklisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can: Target fields that are not quoted Find ways to bypass the need for certain escaped meta-characters Use stored procedures to hide the injected meta-characters Manually escaping characters in input to SQL queries can help, but it will not make your application secure from SQL injection attacks. Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they fail to protect against many others. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. 2. APPROACHING METHODS In our proposed system to identify the vulnerable input from the web applications, we can provide some default and predefined words. In the checking module we can check the SQL query which was entered at the input validations area. The next process is to analyses the given input query and decides to send the query to the database for execution. If the input query does not contain any error entries or miscellaneous words then it execute the query and process the database without any interruption and report a successful transaction. In case of any vulnerable entries are attached with the query or any SQL injection input validation occurs, then the analysis module detects the injections and create an alert that shows that an error message was found at an input validation[2]. In our system the SQL query will be stored in the format of table which was used for tracking the SQL injections and any error messages if any. For example SQL= "SELECT * FROM table WHERE Userid= "&tusemame&"' AND Pswd = "'&tpswd&""'; From the above query analysis module can find out the area of input in the web applications. To prevent the SQL injections like Select *from table where userid="anil" and pswd=" anything"or '1=1' 72

3 The analysis module [2] can easily find out the input validations with the predefined words and detects which is placed after anything in the above query. By finding the malicious user injects in the terms like anything or '1=1' will be detected in our system. This example examines the effects of a different malicious [7] value passed to the query constructed and executed in Example 1. If an attacker with the user name hacker enters the string "hacker'); DELETE FROM items; --" for itemname, then the query becomes the following two queries: SELECT *FROM items WHERE owner = hacker AND itemname= name ; DELETE FROM items; -- A Method for preventing web application SQL injections Figure 1: Pictorial representation: A Method for preventing web application SQL injections Some of the characteristics that we have to follow while preventing the security attacks. A. Monitoring Module: In Monitoring Module, it gets an input and sends it to analysis module for further checking. If analysis module find any suspicious activity, it generate error message to monitoring module to block. B. Specifications: Specifications comprise the predefined keywords and send it to analysis module for comparisons[3].these modules have all predefined keywords which is stored in the database. C. Analysis module: Analysis module gets an input from the monitoring module and it finds a hot spot from the application and it uses Hirschberg algorithm for string comparison. SQL Injection code: Select *from prod where usr="bala" and pss=" anything" or '1=1'; Code Injection is the general name for a lot of types of attacks which depend on inserting code, which is interpreted by the application. Such an attack may be performed by adding strings of characters into a cookie or argument values in the URI. This attack makes use of lack of accurate input output data validation, for example: Class of allowed characters (standard regular expressions classes or custom), data format, amount of expected data for numerical input, its values Code Injection and Command Injection are measures used to achieve similar goals. The concept of Code Injection is to add malicious code into an application[7], which then will be executed. Added code is a part of the application itself. It's not external code which is executed, like it would be in Command Injection. In this paper we used an a real time application with the SQL injections on a bank website and as a normal user input is given to the host, a consumer which was not existed in the accounts of the bank and we try to remove the loan accounts to reduce and delete the debited amount to the bank. Most of the web applications are developed in three tier architecture, the Application tier at the user side, Middle tier which converts the user queries into the SQL format, and the backend database server which stores the user data as well as the user s authentication table[3]. Whenever a user wants to enter into the web database through application tier, the user inputs his/her authentication information from a login form as shown in figure 2. The below figure is an interface 73

4 that we create to show the clear idea about how the all SQL injections will work in an bank web application. Login: Password: Login Login reset Figure 3: login form of the authentication query. For example the hacker enters the expression in the Username field like '' ' OR 1=1 ' ''. So, the middle tier will convert it into SQL query format as shown in figure 3. This deceives the authentication server. Below eexample of SQL query having input violation Figure 2: Screen shot of SQL Injection Operations Normally, web applications is a three tier architecture, the Application tier at the user side, Middle tier which converts the user queries into the SQL format, and the backend database server which stores the user data as well as the user s authentication table[4]. Whenever a user wants to enter into the web database through application tier, the user inputs his/her authentication information from a login form as shown in figure 3. The middle tier server will convert the input values of user name and password from user entry form into the format as shown below: Query_result = "SELECT * FROM User_account WHERE username = 'Username' AND password='password' If result of the query is true then the user is authenticated otherwise, denied. But, there are some malicious attacks which can deceive the database server by entering malicious code through SQL injection which always return true results Query_result = "SELECT * FROM User_account WHERE name = ' ' OR 1=1 ' ' AND password= ' Password' Analysing the above query, the result is always true for variable Query result. It is because malicious code has been used in the query. Here, in this query the mark ( ' ) tells the SQL parser that the user name string is finished and " OR 1=1 " statement is appended to the statement which always results in true. The ( ) is comment mark in the SQL which tells the parser that the statement is finished and the password will not be checked. So, the result of the whole query will return true for Query result variable which authenticates the user without checking password. In this paper we presents a new technique for protecting database against SQL injection which uses stored procedures of DBMS for the authentication of users to the database. Here, the hash values for user name and password along with user name and password are used for authentication. These hash values for user name and password are generated automatically when the user enters into database[5]. A user is authenticated by using user name, password and hash values for user name and password. 74

5 3. PROCESS OF ATTACKING: First of all we have to enter the account no. and pin no of the customer, after giving the account no. and pin no. Properly then we will enter into the web page. After entering in to the webpage we can go in to the loan holders by giving a simple query Select * from loan where amount between null and null To select the range of the amount we can use Select * from loan where amount between 11 and In this page we will give the amount some range to some range. Then it displays the names of the customers in that range. Now we can perform some of the operation by the data like applying some of the injections. By using the minus injections here we can remove the customer details from the above query result. The minus injection query is shown below SQL injection by using this OR injection we can enter into an web application easily by simply entering the Account Nimber and the pin number in some format. We can see the format as below Account Number : 11 OR 1=1 Pin number : ***** By providing the above details for the web page applications, then the work will be done for attacking a application will be successful. So, by using these types of SQL injections, in our paper we show and discussed about the occurrence of attacks in an bank web application by registering and savings miscellaneous details and getting beneficiary in the various accounts and withdrawing of the loan accounts. 5. CONCLUSION This paper presented an approach for protecting Web applications against SQL Injection, and our approach consists of Select * from loan where amount between 11 and MINUS Select * from loan where lno= L2345 Now by using the Union injections we can add customer details for the results that which can operate by the normal accounts belong to the non presented range of the customers. This injection is as follows Identifying trusted data sources and marking data coming from these sources as trusted. Using dynamic tainting to track trusted data at runtime. Allowing only trusted data to form the semantically relevant parts of queries such as SQL keywords and operators. Select from saving where amount between 11 and UNION select from loan where lno= L2345 Now we are going to deal with the main attack of the web pages and applications by using a powerful Injection OR. Web applications use database at backend for storing data and SQL for insertion and retrieval of data. There are some malicious attacks[7] which can deceive this SQL and one of these attacks that we are going to discuss is OR. Unlike some approaches which are based on dynamic tainting, our technique is based on positive tainting, which explicitly identifies trusted (rather than untrusted) data in a program. This way, we eliminate the problem of false negatives that may result from the incomplete identification of all untrusted data sources. False positives, although possible in some cases, can typically be easily eliminated during testing. Our approach also provides practical advantages over the many 75

6 existing techniques whose application requires customized and complex runtime environments: It is defined at the application level, requires no modification of the runtime system, and imposes a low execution overhead. 4. FUTURE ENHANCEMENT: In this paper we find the SQL injection only in the login process, they don t care about other process in the application after he/she sign in to application they can inject anywhere in the application so we want to check the full application by using wasp, before the data going to query we want to check the each data by use of WASP and find the injected query before going to the database for the full application, so our future work is to check the full application with WASP. REFERENCES: [1]R.Ezumalai, G.Aghila Combinatorial Approach for preventing SQL Injection Attacks in International Advance Computing Conference (IACC) IEEE AUTHOR PROFILES: Srinivas Baggam Pursuing Ph.D in the area of network security and cryptography from JNTU Kakinada, received the M.Tech (Computer Science & Engineering) from R.V.R & J.C college of Engineering, Guntur, Affiliated to Acharya Nagarjuna University. Currently working as an Assistant Professor in M.V.G.R. College of Engineering. He got two and half years of Industrial and Three and half years of teaching Experience. G.Anil Kumar received the B.Tech in (Computer Science & Engineering) from Gayatri Vidhya Parishad. His area of interest is Network security and cryptography [2]Xiang Fu,Xin Lu,Boris Pelts verger, Shijun chen A static Analysis framework of Detecting SQL Injection Vulnerabilities IEEE Transaction of computer software and application conference [3]Kontantinos kemalis and Theodoros Tzouramanis Specification Based approach on SQL Injection Detection ACM [4]Shaukat Ali, Azhar Raut SQLIPA: An Authentication Mechanism against SQL Injection in European Journal of Scientific Research 2009 vol-38 pg [5]Stephen Thomas and Laurie Williams Using Automated Fix generation to secure sql statements. International workshop on software engineering and secure system IEEE 06. [6] Christopher kregel,giovanni Vigna Anomaly Detection of web based attacks, CCS 03. [7] jin-cherng li and jan-min chen The Automatic Defence Mechanism for Malicious Injection Attack. Seventh international conference on computer and information technology