ACKNOWLEDGMENT. I would like to thank Allah for giving me the patience to work hard and overcome all the

Transcription

1

2 ACKNOWLEDGMENT I would like to thank Allah for giving me the patience to work hard and overcome all the research obstacles. My full gratitude is to Dr. Mohammed Al-Jarrah and Dr. Izzat Alsmadi for their supervision, and precious advice. Without their support this work would not have been possible. My deep thanks go to my thesis committee. My thanks are also to my friends for their honest friendship, care, and for being kind to provide help and support. Appreciation is also extended to my family, which has been always by my side, my father, my mother, my brothers and sister: Adel, Hasan, Mohammad, and Hussam who have always been near me. Hussein AlNabulsi May 22,

3 TABLE OF CONTENTS Contents Page AKNOWLEDGEMENT 1 TABLE OF CONTENTS 2 LIST OF FIGURES 6 LIST OF TABLES 9 LIST OF ABBREVIATIONS 10 ABSTRACT 11 CHAPTER 1: Introduction Problem Statement Purpose of the Study Methodology Contribution Scope and Limitation Thesis Structure 16 CHAPTER 2: Background and Literature Review Introduction Background SNORT Structure 17 2

4 2.2.2 SNORT Under Windows Using SNORT for SQL Injection Attacks Examples of SQL Injection Attacks SNORT Rules Description Hackers Web Attacking Mode Drawbacks of Intrusion Detection System (IDS) Literature Review SQL Injections Attacks SNORT Usage Evaluation SNORT Utilization for Detecting and Preventing SQL Injection Attacks 33 CHAPTER 3: Methodology and Approaches Methodology Steps of SQL Injection Attacks Perl Regular Expressions for SQL Injection Using SNORT Tool for Detecting SQL Injection Attacks SNORT Network Topology 50 CHAPTER 4: Experimental Results and Discussion Methods of Writing SQL Injection 52 3

5 4.1.1 Poorly Filtered Strings Different Encoding Issues White Space Multiplicity Arbitrary String Patterns Bypass Techniques Grouping Concatenate Supplied Strings Information Gathering Techniques Server Hostname Server MAC Address Database Data Directory Experimental Results for discussed SNORT Rules Proposed Set of SNORT Rules for SQL injection Detection SNORT Rules Case Study Applying the SQL Injection Attacks on 92 Damn Vulnerable Web Application (DVWA) 4.3 A Comparison Study Summary Table for Comparing Study 109 4

6 4.3.2 Conclusion of the Comparison Study 109 CHAPTER 5: CONCLUSIONS AND FUTURE WORKS Conclusion Future Work 112 CHAPTER 6: REFERENCES 114 CHAPTER 7: Appendix 118 5

7 LIST OF FIGURES Figures Title Page Figure 2.1 SNORT Architecture 19 Figure 2.2 A simple PHP login page with possible injection attack 21 Figure 2.3 An example of an SQL injection attack 22 Figure 3.1 An example of a vulnerable webpage 44 Figure 3.2 SNORT Network Topology 50 Figure 4.1 Retrieving the password of the admin 53 Figure 4.2 Result of SQL injection 55 Figure Figure Figure Figure Figure

8 Figure Figure Figure Figure 4.11 Retrieving a user name and password 69 Figure 4.12 Retrieving the password of admin 71 Figure 4.13 Retrieve the version of server 72 Figure 4.14 Retrieve the hostname of server 74 Figure 4.15 Retrieve the MAC Address of server 75 Figure 4.16 Retrieve the data directory of server 77 Figure 4.17 SNORT 87 Figure 4.18 SNORT 94 Figure 4.19 SNORT rules detect the SQL injection attack 95 Figure 4.20 SNORT rules detect the SQL injection attack 98 Figure 4.21 SNORT 98 Figure 4.22 SNORT rules that were not able to detect the SQL injection attack 102 Figure 4.23 SNORT rules detect the SQL injection attack 102 7

9 Figure 4.24 SNORT rule 104 Figure 4.25 SNORT rules detect the SQL injection attack 105 Figure 4.26 SNORT rules detect the SQL injection attack 108 Figure 4.27 SNORT 108 8

10 LIST OF TABLES Tables Title Page Table 2.1 The description of SNORT rule content 24 Table 2.2 Comparisons of the illustrated approaches that focus in SQL injection Attacks which is similar to our contributions approaches 37 Table 4.1 General SQL injection symbols or keywords which can be used by attackers 52 Table 4.2 Summary Table of SQL injections and SNORT rules 78 Table 4.3 The normal websites examples 90 Table 4.4 Summary Table for Comparing Study 109 9

11 LIST OF ABBREVIATIONS IDS DVWA NIDS WAN LAN SQL TCP UDP ICMP GUI IP XSS, CSS SQLIA HTTP ACK SYN Intrusion Detection System Damn Vulnerable Web Application Network Intrusion Detection System Wide Area Network Local Area Network Structured Query Language Transmission Control Protocol User Datagram Protocol Internet Control Message Protocol Graphical User Interface Internet Protocol Cross-Site Scripting Structured Query Language Injection Attack Hypertext Transfer Protocol Acknowledge Synchronize 10

12 Abstract Hussein Azmi AlNabulsi, Developing SNORT Rules for Detection and Protection Against SQL Injection Attacks, Department of Computer Engineering, Yarmouk University, (Supervisor: Dr. Mohammed Al-Jarrah, CO-Advisor: Dr. Izzat AlSmadi) An Intrusion Detection System (IDS) for computer networks is capable of alerting the systems administrators on potential attacks. By using SQL injection attacks, attackers could retrieve important information from s of web servers. We studied and proposed effective methods to detect possible attacks against web applications specially SQL injection. In this research we discussed techniques for detecting SQL Injection attacks in the networks, and how to detect these attacks using SNORT tool. SNORT which is open source IDS, is used to compose regular expression-based rules for detecting attacks. We evaluated several techniques to show how SQL injection attacks can be conducted and accomplished. We also demonstrated using different examples how such attacks can be detected using SNORT tool. A case study of several websites is evaluated to demonstrate how SQL injection attacks can be conducted and how hackers can use methods of SQL injection to attack web applications. The increase in size and types of SQL injection attacks conducted and detected recently proved the importance of this research. We evaluated several alternatives for SNORT rules that can detect and alert users or system administrators about those attacks. Different experiments with different methods of SQL injection attacks are evaluated as part of an assessment study in this thesis. 11