Automated Technique for detecting and preventing SQL Injection in stored procedure


Mr. K. Kodeswaran, II Year M.E. (CSE), Shree Venkateshwara Hi-Tech Engg College, Gobi
Dr. T. Senthil Prakash, Professor & HOD, Shree Venkateshwara Hi-Tech Engg College, Gobi
Mrs. P. V. Jothikantham, Assistant Professor, Shree Venkateshwara Hi-Tech Engg College, Gobi

ABSTRACT

Nowadays the Internet is not just for sending mail and browsing web sites. It has also become a business medium, powering a growing volume of revenue-generating business in the form of e-commerce and e-supply chains. Securing the data held in databases against hacking is a major challenge today, especially against SQL injection. SQL injection is an attack and code-injection technique that targets data-driven applications (that is, applications backed by a database), most commonly web applications. It adds malicious code in the form of SQL queries to a string that passes through the application to the database, causing the database to execute it. SQL injection arrived with a bang and revolutionised database attacks. In recent years databases have moved ever closer to the network, and protecting them is a critical part of network security. In most cases the attacker is able to obtain unauthorised information from the database. Compromised data gives unrestricted access to the databases underlying the applications and lets the attacker retrieve sensitive information such as passwords, credit card numbers, bank account numbers and other restricted data. In this paper we have implemented several methods and suitable technologies to detect data theft and prevent it.

Keywords: Internet, Web applications, SQL Injection, detection, prevention

1 INTRODUCTION

The Internet today is something people could not have predicted in the past; it has evolved so fast that one cannot imagine life without it. It is a means of acquiring a vast body of knowledge and can be used for a variety of purposes: we can bank and shop online from home or work without spending time visiting each place. As technology advances one must keep up with it, because knowledge is power.

A database is the heart of many web applications, online transaction systems, e-commerce sites, e-supply chains and so on; it stores the information the application needs, such as ATM PINs, passwords, credit card details, customer orders and client preferences. Databases are far from secure today: they are vulnerable to SQL injection whenever user input is incorrectly filtered for string-literal escape characters embedded in built-in SQL statements, or is not strongly typed. This allows an attacker to alter the SQL statements passed to the database as parameters, and so not only to steal data from the database but also to modify and delete the data stored in it. SQL injection attacks are also known as SQL insertion attacks. In recent years databases have become attractive and lucrative targets, and attackers can extract data easily using scripts and tools. A SQL injection attack alters the SQL statements used in a web application through attacker-supplied data; insufficient input validation and improper construction of SQL statements expose an application to such attacks.

SQL injection is a prevalent and potentially destructive attack used globally to steal protected data. A SQL injection attack consists of the insertion, or "injection", of additional SQL code into a query via the input data sent from the client to the application. The effect of a successful attack depends on the targeted application and on how it processes user-supplied data. Any program or user-developed application may be vulnerable, including stored procedures executed over a direct database connection, forms applications and web applications. There are several ways to get into a database without the administrator's knowledge: Authentication Bypass, which allows an attacker to log on to an application with administrative privileges without supplying a valid username and password; Information Disclosure, which allows an attacker to obtain sensitive information directly or indirectly; Compromised Data Integrity, which allows an attacker to alter the contents of a database, for example to deface a web page or, more likely, to insert malicious content into the database; and Remote Command Execution, which is widely used by SQL injection attackers
to perform command execution through the database and allows an attacker to compromise the underlying operating system. A commonly used attack employs the xp_cmdshell stored procedure in Microsoft SQL Server.

2 RELATED WORK

In [4] the authors used the AMNESIA technique to secure vulnerable statements by combining static analysis with statement generation and runtime monitoring. They applied static analysis to Java programs to compute a finite-state machine model that captures the lexical structure of the SQL queries issued by a program. They analysed each vulnerable SQL statement, generated a general model of acceptable SQL statements, and at runtime allowed or denied each statement according to how it compares with the model. In their study they applied AMNESIA to five real-world web applications. SQL injection attacks cause the queries issued by the program to deviate from the model and were therefore detected. Although the technique is effective, because it detects injection attacks and avoids runtime taint tracking, it has some drawbacks. It uses exceptions to signal potential attacks, which imposes overhead on developers. Also, the conservative nature of its static analysis and its inability to distinguish different sources of input can lead to a higher rate of false positives.

In [3] the authors proposed the SQLGuard technique for detecting injection attacks. SQLGuard secures vulnerable SQL statements by comparing the parse tree of a statement before and after the user input is inserted, and allows the statement to execute only if the two parse trees match. In their study they used one real-world web application. The technique stopped all the SQLIAs in their tests and generated no false positives. However, it has some overheads. First, the developer must rewrite all the SQL code to use their custom libraries, which is a difficult, time-consuming and costly task for application developers. There is also the computational overhead of dynamic statement validation, which removes the vulnerability while allowing all inputs. SQLGuard is therefore not flexible enough, since the source code of the application must be modified in many places, a very tedious task for the programmer that may be hard to achieve.

The SQL Document Object Model (SQL DOM) technique was proposed by [5]. This is an API-dependent, stored-procedure-based technique for detecting injection attacks. SQL DOM analyses the database schema at compile time and generates code that customises the SQL query construction classes. The resulting DOM is a tree-like structure built from a generic template that maps the possible variations of SQL queries according to the table and column definitions. Three main classes are used: SQL statements, table columns and WHERE conditions. These classes have strongly typed methods that map the data types in the database schema, which lets them validate data types automatically. The constructors of the column classes escape strings at runtime (i.e., replacing each quote by a double quote) to sanitise them. Although the approach prevents application-layer injection attacks, it has some limitations. It imposes overhead for developer training and code rewriting, because the query-generating code must be rewritten, and its full-object criterion leads to additional cost. Also, since the technique relies on stored procedures, those remain unprotected. The technique does not execute queries (it only generates them). While this could improve database integration and perhaps further reduce the attack surface, the technique neither describes its string sanitisation strategy nor elaborates on exception handling, and so does not say how the SQL DOM would behave if a null value is passed as a criterion.

In [6] the authors proposed the SQLCHECK technique to prevent SQLIAs. Their approach employs context-free grammars for data validation: data that is dynamically added to a foreign-code statement must conform to a specially constructed grammar. By tracking dynamically added values through the application's processing, SQLCHECK can identify untrusted values before the query is passed to the database; these values are parsed with the constructed grammar to validate their correctness. They analysed the parse tree of the query, generated custom validation code, and wrapped the vulnerable statement in it. They used five real-world web applications in their study and applied the technique to each. Their wrapper stopped all of the SQLIAs in their attack set without generating false positives. However, the technique assumes that the client cannot produce the magic marker symbol. This is a dangerous assumption, since web applications may echo SQL queries to the user when an error occurs, and a user may trick the application into revealing its markers [2]. The technique also remains subject to denial-of-service attacks, because at runtime it can only flag errors and prevent them from escalating into a full security compromise.

Over the years many tools for detecting and preventing SQL injection attacks have been developed. AMNESIA, developed by Halfond and
Orso in [4], is a detection and prevention tool for SQL injection attacks. It uses static analysis together with runtime monitoring. The tool builds a model of the legitimate queries at each hotspot, i.e. each point where SQL queries are issued to the database engine, and monitors the application at runtime to ensure that all generated queries match the statically generated model. In [5] a tool named CANDID is proposed for detecting SQL injection. It dynamically infers the programmer-intended query structure on any input and detects attacks by comparing the actual queries against that intended structure. In [6], SQLRand uses instruction-set randomisation to detect and abort queries containing injected code: every SQL keyword is joined with a random integer to mislead the attacker. The technique proposed in [7] prevents SQLIAs in stored procedures by combining static analysis of the application code with runtime validation. In the static part a stored-procedure parser is designed; it instruments the necessary statements so that, for every SQL statement that depends on user input, the structure of the original SQL statement can be compared with the structure of the statement including the user input. The technique abstracts the intended SQL query behaviour of an application in the form of an SQL graph, and this graph is then validated against the different user inputs at runtime to capture malicious SQL queries before they are sent for execution. An efficient technique for detecting and preventing SQL injection attacks using a pattern-matching algorithm is presented in [2]. Pattern matching detects anomalous packets in a sequence of actions, since malicious code contains many anomalous packets or strings. The technique proposed in [3] uses a new middleware-based prevention mechanism, SQLIMW, which blocks SQL injection attacks between the programmer and the server. A hash function replaces encryption for better security, and by combining the hash with XOR it protects the username, password and private key of SQLIMW. The proposal provides better security and efficiency [7].

Although the mechanism of SQLIA is the same for stored procedures and application-layer programs, the same detection techniques cannot be applied to stored procedures, because of the limited programmability of stored procedures and because of the techniques' usability and deployability. Many existing techniques, such as filtering, information-flow analysis, penetration testing and defensive coding, can detect and prevent a subset, but not all, of the vulnerabilities that lead to SQLIAs. Other analyses of SQL injection are listed below.

2.1 Static Analysis

These techniques can be used in the development and debugging phases of an application (before deployment) and also to protect existing web applications, and therefore have no runtime overhead. They help developers identify the weaknesses and vulnerabilities that invite attackers, so as to reduce or remove them and make applications more reliable. Despite these advantages, their shortcomings are that the developer must manually alter the vulnerable parts, which is tedious and time-consuming [13]; that they do not succeed in identifying stored-procedure attacks [14]; and that they do not cover dynamic queries, whose structure is not known until runtime. SQL DOM [15] and Safe Query Objects [16] change query creation from an irregular concatenation process into a systematic process that uses a type-checking API in order to make database access secure and reliable. On the other hand, they require the developer to learn a new API and are expensive for legacy code [17]. Penetration-testing tools such as MySQLInjector [18], V1p3R (Viper) [19] and Sania [20] also lie in the static group. These tools first gather information from the web application and then inject attacks according to the information gathered, in order to analyse the application's response. V1p3R uses the stored patterns in its error-pattern library and Sania uses SQL parse-tree comparison for SQLIA detection, while in MySQLInjector the output is the result of the attacks. Success with these tools depends on the completeness of the injected attacks, which is a shortcoming, but their advantage is that they identify vulnerabilities without any modification of the web application.

2.2 Dynamic Analysis

These techniques use a model for SQLIA detection. They generate the model at runtime, which is why they are called dynamic techniques. Because the model is generated at runtime they do cover dynamic queries generated at runtime, but they carry the overhead of generating the model at runtime. SQLGuard [21] and CANDID [22] are based on the runtime comparison of the parse tree intended by the programmer with the runtime parse tree: whenever the two do not match, the query is not sent to the database for execution, and the SQLIA is prevented. The runtime comparison of parse trees has an overhead, which is a disadvantage for both. SQLGuard's further shortcomings are that it cannot identify stored-procedure attacks [14] and that the developer must change the code. The advantage of CANDID is that no manual code change is needed, but its disadvantage
is partial (not complete) detection of the different kinds of attacks [14].

2.3 Combinational Analysis

Combinational techniques have two phases, static analysis and dynamic analysis. Because part of the work is done in the static phase they have no overhead at runtime, which is their benefit. In the static phase the hotspots are identified first, and then a model is created of all the valid queries that can be issued at each hotspot. Finally, at runtime, the queries actually issued are examined to see whether they match the model. If not, the query is not sent to the database for execution, and the SQLIA is prevented. None of the techniques mentioned below can identify stored-procedure attacks except [6], which identifies them partially, and because the model is generated in the first phase none of them fully covers dynamic queries. AMNESIA [23] creates an NDFA for each hotspot; the web application is then adjusted so that a call to the runtime monitor is inserted before the query execution. At runtime the query is compared against the static model, and if the automaton does not accept it, it is not executed. SQLCHECK [24] marks the input with a key; a query made with such input is called an augmented query. To prevent SQLCIAs in these queries an augmented grammar is generated, so that only queries parsed by this grammar are valid. Valid queries are then sent to the database, without the keys, for execution. The security of SQLCHECK depends on the attacker not being able to discover the key, and the code must be altered manually to insert the keys into the SQL queries, which has the problem of incompleteness [25].

3 SQL Injection Discovery Technique

It is not compulsory for an attacker to visit the web pages with a browser to find out whether SQL injection is possible on a site.
Generally attackers build a web crawler to collect all the URLs available on every page of the site. The web crawler is also used to insert illegal characters into the query string of a URL and check for any error returned by the server. If the server returns an error message, it is a strong indication that the illegal meta-character was passed as part of the SQL query, and hence that the site is open to SQL injection attack. For example, Microsoft Internet Information Server by default shows an ODBC error message if a meta-character or an unescaped single quote is passed to SQL Server. The web crawler only searches the response text for the ODBC messages.

4 SQL PARSE TREE VALIDATION

A parse tree is the data structure built by the developer for the parsed representation of a statement. To parse a statement, the grammar of the statement's language is needed. In this method, by parsing two statements and comparing their parse trees, we can check whether the two queries are equal. When an attacker successfully injects SQL into a database query, the parse tree of the intended SQL query and that of the resulting SQL query generated after the attacker's input do not match. The following figure shows the representation of a parse tree [26]. In this parse tree the programmer-supplied portion is hard-coded, and the user-supplied portion is represented by a vacant leaf node. A leaf node must be the value of a literal, and it must be in the position where the vacant space is located. The SQL query for this parse tree is:

    SELECT * FROM users WHERE username=? AND password=?

5 Vulnerability Reinstatement

To achieve perfect secrecy, we either append the secured SQL statement to the vulnerable statement or reinstate the whole vulnerable statement. If the database Connection object is out of scope at the execution call, then the vulnerable statements are in a method signature. If the vulnerable statement is inside a detectable method signature, then we do not require replacement of the statement. In some cases, if we change the statements, we have to change the API too. We can achieve secrecy without changing or modifying the statement-creation code, but to eliminate redundancy in the object we require complete replacement of the plain-text SQL statements. In these cases we replace the execution call with the prepared-statement formation call:

    PreparedStatement preparedstmt = statement.getConnection().prepareStatement(psSQL);

where statement is the actual Statement object in the Java code and psSQL is the generated SQL query with bind variables. The formation call prevents SQL injection by bypassing the Statement and creating a secure PreparedStatement based on the SQL statement. In this way we achieve perfect secrecy, remove the SQL injection vulnerability and prevent the SQL injection attack [27].

6 Preventing SQL Injection

Stephen Thomas and Laurie Williams explained in detail the methods used to prevent SQL injection attacks [28]: 1) static analysis and 2) runtime analysis. These techniques target stored procedures; the authors use a control flow graph that identifies which user inputs flow into the dynamically built SQL statement. Control flow graphs are very useful for minimising the set of SQL statements for which user input must be verified. In the runtime analysis, information about the stored statement is taken from a finite state automaton to narrow the verification procedure and to judge the user's inputs true or false [28].

7 SQLiX SQL Injection Scanner

The SQLiX scanner can be found at the Open Web Application Security Project (OWASP) site. OWASP is a worldwide free and open community focused on improving the security of application software. SQLiX is written in Perl and is able to crawl a site, detect SQL injection and identify the back-end database vulnerability.
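Returning to Sections 4 and 5: the following Python program is an added example, not code from the paper. It reduces a query to its parse shape and accepts a runtime query only when that shape matches the programmer's template (the Section 4 check), and it rewrites a concatenated statement into the bind-variable statement that Section 5 passes to prepareStatement. The SQL subset, the users table and its two sample accounts are constructed for the demonstration, and sqlite3's parameterised execute stands in for the paper's Java PreparedStatement.

```python
import re
import sqlite3

# Tokenizer for a small SQL subset (constructed for this example). Rules are
# tried in order, so a quoted string wins over the catch-all; '' escapes a quote.
TOKEN_RE = re.compile(r"""
    \s+                                |  # whitespace, dropped
    (?P<string>'(?:[^']|'')*')         |  # string literal
    (?P<number>\d+(?:\.\d+)?)          |  # numeric literal
    (?P<word>[A-Za-z_][A-Za-z_0-9]*)   |  # keyword or identifier
    (?P<comment>--[^\n]*|/\*.*?\*/)    |  # comments
    (?P<op><>|<=|>=|!=|[=<>()*,;.])    |  # operators and punctuation
    (?P<param>\?)                      |  # bind-variable marker
    (?P<bad>.)                            # anything else is rejected
""", re.VERBOSE | re.DOTALL)

def structure(sql):
    """Parse shape of a query: keywords, identifiers and operators are kept
    (case-folded); every literal or bind marker becomes the leaf '?'."""
    shape = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind is None:                      # whitespace
            continue
        if kind in ("string", "number", "param"):
            shape.append("?")
        elif kind == "word":
            shape.append(m.group().upper())
        elif kind == "comment":
            shape.append("--")
        elif kind == "op":
            shape.append(m.group())
        else:
            raise ValueError("unexpected character %r" % m.group())
    return tuple(shape)

def is_intended(template, query):
    """Section 4 check: the runtime query passes only if its shape equals the
    shape of the programmer's template (a quoted '?' at each user position)."""
    try:
        return structure(query) == structure(template)
    except ValueError:
        return False

def reinstate(fragments, values):
    """Section 5 rewrite: turn frag0 + v0 + frag1 + v1 + ... into the
    bind-variable statement handed to prepareStatement plus its parameters.
    Quotes the programmer wrote around a string value are dropped, since the
    driver now passes that value as a typed parameter, not as SQL text."""
    if len(fragments) != len(values) + 1:
        raise ValueError("need one more fragment than values")
    frags = list(fragments)
    for i in range(len(values)):
        if frags[i].endswith("'") and frags[i + 1].startswith("'"):
            frags[i], frags[i + 1] = frags[i][:-1], frags[i + 1][1:]
    return "?".join(frags), tuple(values)

# Programmer-written pieces of the login query. The vulnerable form splices
# user values between them; the template has a quoted '?' in each position.
LOGIN_FRAGMENTS = ("SELECT username FROM users WHERE username='",
                   "' AND password='", "'")
LOGIN_TEMPLATE = "?".join(LOGIN_FRAGMENTS)

def splice(username, password):
    """The vulnerable construction: values become part of the SQL text."""
    f = LOGIN_FRAGMENTS
    return f[0] + username + f[1] + password + f[2]

def make_db():
    """Constructed in-memory table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """Plain-text Statement: a value that contains SQL changes the statement."""
    return [row[0] for row in conn.execute(splice(username, password))]

def login_guarded(conn, username, password):
    """Detection: the same statement, but it is not executed when its shape
    deviates from the template; None signals a rejected query."""
    sql = splice(username, password)
    if not is_intended(LOGIN_TEMPLATE, sql):
        return None
    return [row[0] for row in conn.execute(sql)]

def login_prepared(conn, username, password):
    """Prevention: the reinstated statement with bind variables; its shape is
    fixed before any user value is seen, so no value can alter it."""
    ps_sql, params = reinstate(LOGIN_FRAGMENTS, (username, password))
    return [row[0] for row in conn.execute(ps_sql, params)]
```

The guard catches a value that adds tokens or a comment to the statement, while an escaped quote inside a legitimate value ('' in SQL) still parses as one literal and passes.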
SQLiX uses various Perl modules from CPAN, the Comprehensive Perl Archive Network. On CPAN one can find a large amount of Perl software and its documentation, so that any coder can use these libraries and Perl modules in their projects. The Perl modules used by SQLiX are described in more detail in the Perl module section. The following methods are used in the original SQLiX:

1) Error generation: this method is very simple and typically depends on meta-characters such as single and double quotes.

2) Blind injection: in blind SQL injection the web application's vulnerability to SQL injection is not visible to the attacker; the responses are displayed differently depending on the result of a logical statement injected into the database.

3) Statement injection: the following example gives a clear understanding of the statement injection method. The original URL is localhost/acu/indexacu.php/news.php?id=25. SQLiX tries to compare the HTML content of the original request with that of the following URLs: 0or%201=1

8 Enhancements in SQLiX

Three major challenging enhancements that I completed successfully in this project:
i) the crawler was enhanced to handle the HTTP POST method and to fill in forms automatically;
ii) a graphical user interface (GUI) was created for SQLiX;
iii) a module was added to detect cross-site scripting (XSS) attacks.

9 CONCLUSION

Almost all web applications running today use an intermediate layer to accept input from the user and retrieve sensitive information from the database. The intermediate layer is built with scripting languages. Basically the attacker tries to confuse the intermediate layer by reshaping the SQL statements, and is thereby able to change the behaviour intended by the programmer for their own benefit. Many methods are used to defend against SQL injection at the application level itself, but no accurate solution is available yet. This paper covered some powerful techniques that can be used to prevent SQL injection. From my analysis I conclude that an automated technique for preventing, detecting and also logging SQL injection attacks in stored procedures is commonly used. The graph control method is very good for small database systems. Leading
SQLiX is one of the best web security scanners for finding SQL injection vulnerabilities in a web site.

West African Journal of Industrial & Academic Research, Vol. 6, No. 1, March 2013

REFERENCES

[1] Barnum, S. and McGraw, G. (2005). Knowledge for Software Security. Security and Privacy Magazine, IEEE, Vol. 3, No. 2.
[2] Bravenboer, M., Dolstra, E. and Visser, E. (2007). Preventing Injection Attacks With Syntax Embeddings. In Proceedings of the 6th International Conference on Generative Programming and Component Engineering, GPCE '07.
[3] Buehrer, G. T., Weide, B. W. and Sivilotti, P. A. G. (2005). SQLGuard: Using Parse Tree Validation to Prevent SQL Injection Attacks. In Proceedings of the 5th International Workshop on Software Engineering and Middleware, Lisbon, Portugal.
[4] Halfond, W. G. J. and Orso, A. (2005). AMNESIA: Analysis and Monitoring for Neutralizing SQL Injection Attacks. In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, California, USA.
[5] McClure, R. A. and Kruger, I. H. (2005). SQL DOM: Compile Time Checking of Dynamic SQL Statements. ICSE '05, St. Louis, Missouri, USA, ACM.
[6] Su, Z. and Wassermann, G. (2006). The Essence of Command Injection Attacks in Web Applications. In Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '06, New York, NY.
[7] Gao Jiao, Chang-Ming Xu and Jing Maohua. SQLIMW: A New Mechanism against SQL Injection. In Proc. of CSSS.
[8] Sruthi Bandhakavi, P. Bisht, P. Madhusudan and V. N. Venkatakrishnan. CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations. In Proc. of CCS '07.
[9] S. W. Boyd and A. D. Keromytis. SQLRand: Preventing SQL Injection Attacks. In Proc. of ACNS.
[10] Ke Wei, M. Muthuprasanna and Suraj Kothari. Preventing SQL Injection Attacks in Stored Procedures. In Proceedings of ASWEC.
[11] Dr. M. Amutha Prabakar, M. Karthikeyan and Prof. K. Marimuthu. An Efficient Technique for Preventing SQL Injection Attack Using Pattern Matching Algorithm. In Proc. of ICECCN.
[12] Gao Jiao, Chang-Ming Xu and Jing Maohua. SQLIMW: A New Mechanism against SQL Injection. In Proc. of CSSS.
[13] I. Lee, S. Jeong, S. Yeo and J. Moon. Mathematical and Computer Modelling, vol. 55, no. 58 (2011).
[14] A. Tajpour, S. Ibrahim and M. Sharifi. International Journal of Computer Science Issues, vol. 9, no. 332 (2012).
[15] R. A. McClure and I. H. Kruger. SQL DOM: Compile Time Checking of Dynamic SQL Statements. Proceedings of the 27th International Conference on Software Engineering, IEEE, St. Louis, Missouri, USA, May 2005.
[16] W. R. Cook and S. Rai. Safe Query Objects: Statically Typed Objects as Remotely Executable Queries. Proceedings of the 27th International Conference on Software Engineering, IEEE, St. Louis, Missouri, USA, May 2005.
[17] W. G. J. Halfond, J. Viegas and A. Orso. A Classification of SQL Injection Attacks and Countermeasures. International Symposium on Secure Software Engineering, Arlington, VA, USA, March 2006.
[18] A. B. M. Ali, A. Y. I. Shakhatreh, M. S. Abdullah and J. Alostad. Procedia Computer Science, vol. 3, no. 453 (2011).
[19] W. Jie, R. C. W. Phan, J. N. Whitley and D. J. Parish. Augmented Attack Tree Modeling of SQL Injection Attacks. The 2nd IEEE International Conference on Information Management and Engineering (ICIME), Chengdu, April 2010.
[20] Y. Kosuga, K. Kernel, M. Hanaoka, M. Hishiyama and Y. Takahama. Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection. Twenty-Third Annual Computer Security Applications Conference (ACSAC), Miami Beach, FL, December 2007.
[21] G. Buehrer, B. W. Weide and P. A. G. Sivilotti. Using Parse Tree Validation to Prevent SQL Injection Attacks. Proceedings of the 5th International Workshop on Software Engineering and Middleware, Lisbon, Portugal, September 2005.
[22] P. Bisht, P. Madhusudan and V. N.
Venkatakrishnan. ACM Trans. Inf. Syst. Secur., vol. 13 (2010).
[23] W. G. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks. Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, Long Beach, California, USA, November 2005.
[24] Z. Su and G. Wassermann. The Essence of Command Injection Attacks in Web Applications. SIGPLAN Not., vol. 41, no. 1, Charleston, South Carolina, USA, January 2006.
[25] W. G. J. Halfond, A. Orso and P. Manolios. IEEE Transactions on Software Engineering, vol. 34, no. 65 (2008).
[26] Wassermann, G. and Su, Z. (2007, June). Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 42(6). Retrieved November 7, 2007.
[27] William G. J. Halfond and Alessandro Orso, College of Computing, Georgia Institute of Technology. Preventing SQL Injection Attacks Using AMNESIA. Retrieved May 28, 2007.
[28] Thomas, S. and Williams, L. (2007, May 20). Using Automated Fix Generation to Secure SQL Statements. Software Engineering for Secure Systems, IEEE CNF. Retrieved November 6, 2007.

Mr. K. Kodeswaran received the B.Tech. (IT) degree from the Sri Shakthi Institute of Engineering and Technology, Coimbatore, India, and is pursuing the M.E. (CSE) degree at Shree Venkateshwara Hi-Tech Engineering College, Erode, India. His research interests include network security and cryptography.

Dr. T. Senthil Prakash received the Ph.D. degree from PRIST University, Thanjavur, India, in 2013, the M.E. (CSE) degree from Vinayaka Mission's University, Salem, India, in 2007, and the M.Phil., MCA and B.Sc. (CS) degrees from Bharathiyar University, Coimbatore, India, in 2000, 2003 and 2006 respectively, all in Computer Science and Engineering. He is a member of ISTE (New Delhi, India), IAENG (Hong Kong), IACSIT (Singapore) and SDIWC (USA). He has 10+ years of teaching experience and 2 years in industry. He is currently Professor and Head of the Department of Computer Science and Engineering at Shree Venkateshwara Hi-Tech Engineering College, Gobi, Tamil Nadu, India. His research interests include data mining, databases, artificial intelligence and software engineering. He has published papers in 17 international journals and 43 international and national conferences.

Mrs. P. V. Jothikantham received the M.E. (CSE) degree from Velalar College of Engineering and Technology, Erode, in 2010, the MCA degree from Bharathiar University, Coimbatore, in 2000, and the B.Sc. (CS) degree from P.K.R. Arts and Science College, Gobi. Her research interests include data mining and network security.


An Effective Approach for Detecting and Preventing Sqlinjection Attacks

An Effective Approach for Detecting and Preventing Sqlinjection Attacks An Effective Approach for Detecting and Preventing Sqlinjection Attacks M. Roslinmary 1, S. Sivasakthi 2, A. Shenbaga Bharatha Priya 3 1, 2, 3 PG scholar, Department of IT, Dr. Sivanthi Aditanar College

More information

SQL Injection analysis, Detection and Prevention

SQL Injection analysis, Detection and Prevention San Jose State University SJSU ScholarWorks Master's Projects Master's Theses and Graduate Research 1-1-2008 SQL Injection analysis, Detection and Prevention Jagdish Halde San Jose State University Follow

More information

Res. J. Appl. Sci. Eng. Technol., 8(5): 658-663, 2014

Res. J. Appl. Sci. Eng. Technol., 8(5): 658-663, 2014 Research Journal of Applied Sciences, Engineering and Technology 8(5): 658-663, 2014 ISSN: 2040-7459; e-issn: 2040-7467 Maxwell Scientific Organization, 2014 Submitted: May 09, 2014 Accepted: June 16,

More information

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova Where someone is building a Web application, often he need to use databases to store information, or to manage user accounts. And

More information

A Novel Frame Work to Detect Malicious Attacks in Web Applications

A Novel Frame Work to Detect Malicious Attacks in Web Applications Technology, Volume-2, Issue-1, January-March, 2014, pp. 23-28, IASTER 2014, www.iaster.com, Online:2347-5099, Print:2348-0009 A Novel Frame Work to Detect Malicious Attacks in Web Applications N. Jayakanthan

More information

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS 66 CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS 5.1 INTRODUCTION In this research work, two new techniques have been proposed for addressing the problem of SQL injection attacks, one

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

Toward A Taxonomy of Techniques to Detect Cross-site Scripting and SQL Injection Vulnerabilities

Toward A Taxonomy of Techniques to Detect Cross-site Scripting and SQL Injection Vulnerabilities NCSU CSC TR 2008-4 1 Toward A Taxonomy of Techniques to Detect Cross-site Scripting and SQL Injection Vulnerabilities Yonghee SHIN, Laurie WILLIAMS, Members, IEEE Abstract Since 2002, over half of reported

More information

Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection

Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection Yuji Kosuga, Kenji Kono, Miyuki Hanaoka Department of Information and Computer Science Keio University 3-14-1 Hiyoshi

More information

SQL Injection January 23, 2013

SQL Injection January 23, 2013 Web-based Attack: SQL Injection SQL Injection January 23, 2013 Authored By: Stephanie Reetz, SOC Analyst Contents Introduction Introduction...1 Web applications are everywhere on the Internet. Almost Overview...2

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Countering SQL Injection Attacks with a Database Driver 1,2

Countering SQL Injection Attacks with a Database Driver 1,2 Countering SQL Injection Attacks with a Database Driver 1,2 Dimitris Mitropoulos, Diomidis Spinellis {dimitro,dds}@aueb.gr Abstract SQL injection attacks involve the construction of application input data

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Detection of SQL Injection Attacks by Combining Static Analysis and Runtime Validation

Detection of SQL Injection Attacks by Combining Static Analysis and Runtime Validation Detection of SQL Injection Attacks by Combining Static Analysis and Runtime Validation Witt Yi Win, and Hnin Hnin Htun Abstract SQL injection attack is a particularly dangerous threat that exploits application

More information

Intrusion Protection against SQL Injection Attacks Using a Reverse Proxy

Intrusion Protection against SQL Injection Attacks Using a Reverse Proxy Intrusion Protection against SQL Injection Attacks Using a Reverse Proxy S. Fouzul Hidhaya 1, 2 and Angelina Geetha 1, 3 1 Department of Computer science and Engineering, B.S. Abdur Rahman University,

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

A Tokenization and Encryption based Multi-Layer Architecture to Detect and Prevent SQL Injection Attack

A Tokenization and Encryption based Multi-Layer Architecture to Detect and Prevent SQL Injection Attack A Tokenization and Encryption based Multi-Layer Architecture to Detect and Prevent SQL Injection Attack Mr. Vishal Andodariya PG Student C. U. Shah College Of Engg. And Tech., Wadhwan city, India vishal90.ce@gmail.com

More information

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST. CENTER FOR ADVANCED SECURITY TRAINING 619 Advanced SQLi Attacks and Countermeasures Make The Difference About Center of Advanced Security Training () The rapidly evolving information security landscape

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

A Review of Web Application Security for Preventing Cyber Crimes

A Review of Web Application Security for Preventing Cyber Crimes International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 7 (2014), pp. 699-704 International Research Publications House http://www. irphouse.com A Review of Web Application

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

SQL Injection Prevention Using Runtime Query Modeling and Keyword Randomization

SQL Injection Prevention Using Runtime Query Modeling and Keyword Randomization SQL Injection Prevention Using Runtime Query Modeling and Keyword Randomization by Subodh Raikar A Project Report Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science

More information

Cross Site Scripting Prevention

Cross Site Scripting Prevention Project Report CS 649 : Network Security Cross Site Scripting Prevention Under Guidance of Prof. Bernard Menezes Submitted By Neelamadhav (09305045) Raju Chinthala (09305056) Kiran Akipogu (09305074) Vijaya

More information

Detection of SQL Injection Attack in Web Applications using Web Services

Detection of SQL Injection Attack in Web Applications using Web Services IOSR Journal of Computer Engineering (IOSRJCE) ISSN : 2278-0661 Volume 1, Issue 5 (May-June 2012), PP 13-20 Detection of SQL Injection Attack in Web Applications using Web Services 1V.Shanmughaneethi 2

More information

A heuristic-based approach for detecting SQL-injection vulnerabilities in Web applications [Position paper]

A heuristic-based approach for detecting SQL-injection vulnerabilities in Web applications [Position paper] A heuristic-based approach for detecting SQL-injection vulnerabilities in Web applications [Position paper] Angelo Ciampa Dept. of Engineering-RCOST, Univ. Of Sannio, Italy angelo.ciampa@gmx.com Corrado

More information

AUTOMATE CRAWLER TOWARDS VULNERABILITY SCAN REPORT GENERATOR

AUTOMATE CRAWLER TOWARDS VULNERABILITY SCAN REPORT GENERATOR AUTOMATE CRAWLER TOWARDS VULNERABILITY SCAN REPORT GENERATOR Pragya Singh Baghel United College of Engineering & Research, Gautama Buddha Technical University, Allahabad, Utter Pradesh, India ABSTRACT

More information

Automated Detection System for SQL Injection Attack

Automated Detection System for SQL Injection Attack Automated Detection System for SQL Injection Attack Dr K.V.N.Sunitha Professor &Head, Department of Computer Science & Engineering, G.Narayanamma Institute of Technology and Science Shaikpet, Hyderabad

More information

Preventing SQL Injection through Automatic Query Sanitization with ASSIST

Preventing SQL Injection through Automatic Query Sanitization with ASSIST Preventing SQL Injection through Automatic Query Sanitization with ASSIST Raymond Mui Polytechnic Institute of NYU 6 Metrotech Center Brooklyn, NY, 11201, USA wmui01@students.poly.edu Phyllis Frankl Polytechnic

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Obfuscation-based Analysis of SQL Injection Attacks

Obfuscation-based Analysis of SQL Injection Attacks Obfuscation-based Analysis of SQL Injection Attacks Raju Halder Dipartimento di Informatica Università Ca Foscari di Venezia, Italy halder@unive.it Agostino Cortesi Dipartimento di Informatica Università

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Web Application Security

Web Application Security Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching

More information

Penetration Test Report

Penetration Test Report Penetration Test Report Acme Test Company ACMEIT System 26 th November 2010 Executive Summary Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System

More information

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications Journal of Basic and Applied Engineering Research pp. 50-54 Krishi Sanskriti Publications http://www.krishisanskriti.org/jbaer.html Client vs. Server Implementations of Mitigating XSS Security Threats

More information

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Protecting Database Centric Web Services against SQL/XPath Injection Attacks

Protecting Database Centric Web Services against SQL/XPath Injection Attacks Protecting Database Centric Web Services against SQL/XPath Injection Attacks Nuno Laranjeiro, Marco Vieira, and Henrique Madeira CISUC, Department of Informatics Engineering University of Coimbra, Portugal

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

Token Sequencing Approach to Prevent SQL Injection Attacks

Token Sequencing Approach to Prevent SQL Injection Attacks IOSR Journal of Computer Engineering (IOSRJCE) ISSN : 2278-0661 Volume 1, Issue 1 (May-June 2012), PP 31-37 Token Sequencing Approach to Prevent SQL Injection Attacks ManveenKaur 1,Arun Prakash Agrawal

More information

Analysis of SQL injection prevention using a proxy server

Analysis of SQL injection prevention using a proxy server Computer Science Honours 2005 Project Proposal Analysis of SQL injection prevention using a proxy server By David Rowe Supervisor: Barry Irwin Department of Computer

More information

SQLAS: TOOL TO DETECT AND PREVENT ATTACKS IN PHP WEB APPLICATIONS

SQLAS: TOOL TO DETECT AND PREVENT ATTACKS IN PHP WEB APPLICATIONS SQLAS: TOOL TO DETECT AND PREVENT ATTACKS IN PHP WEB APPLICATIONS Vandana Dwivedi 1, Himanshu Yadav 2 and Anurag Jain 3 1 Department of Computer Science & Engineering, RITS,Bhopal (India) 2 Department

More information

Advanced Detecting and Defensive Coding Techniques to prevent SQLIAs in Web Applications: A Survey

Advanced Detecting and Defensive Coding Techniques to prevent SQLIAs in Web Applications: A Survey International Journal of Science and Modern Engineering (IJISME) ISSN: 2319-6386, Volume-1, Issue-6, May 2013 Advanced Detecting and Defensive Coding Techniques to prevent SQLIAs in Web Applications: A

More information

Maintaining Stored Procedures in Database Application

Maintaining Stored Procedures in Database Application Maintaining Stored Procedures in Database Application Santosh Kakade 1, Rohan Thakare 2, Bhushan Sapare 3, Dr. B.B. Meshram 4 Computer Department VJTI, Mumbai 1,2,3. Head of Computer Department VJTI, Mumbai

More information

Font Level Tainting: Another Approach for Preventing SQL Injection Attacks

Font Level Tainting: Another Approach for Preventing SQL Injection Attacks International Journal of Computer Applications in Engineering Sciences [VOL I, ISSUE IV, DECEMBER 2011] [ISSN: 2231-4946] Font Level Tainting: Another Approach for Preventing SQL Injection Attacks V. Krishna

More information

Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing

Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing Foreword This guide in no way intends to replace a PCI DSS certification

More information

Web Services Based SQL Injection Detection and Prevention System for Web Applications

Web Services Based SQL Injection Detection and Prevention System for Web Applications Web Services Based SQL Injection Detection and Prevention System for Web Applications Monali R. Borade 1, Neeta A. Deshpande 2 1 PG Students, 2 Assistant Professor, Matoshri College of Enginering & Research

More information

Signature Amortization Technique for Authenticating Delay Sensitive Stream

Signature Amortization Technique for Authenticating Delay Sensitive Stream Signature Amortization Technique for Authenticating Delay Sensitive Stream M Bruntha 1, Dr J. Premalatha Ph.D. 2 1 M.E., 2 Professor, Department of Information Technology, Kongu Engineering College, Perundurai,

More information

Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map

Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map Erwin Adi and Irene Salomo School of Computer Science BINUS International BINUS University, Indonesia

More information

A Multi agent Scanner to Detect Stored XSS Vulnerabilities

A Multi agent Scanner to Detect Stored XSS Vulnerabilities A Multi agent Scanner to Detect Stored XSS Vulnerabilities E. Galán, A. Alcaide, A. Orfila, J. Blasco University Carlos III of Madrid, UC3M Leganés, Spain {edgalan,aalcaide,adiaz,jbalis}@inf.uc3m.es Abstract

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

SQL Injection for newbie

SQL Injection for newbie SQL Injection for newbie SQL injection is a security vulnerability that occurs in a database layer of an application. It is technique to inject SQL query/command as an input via web pages. Sometimes we

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2 Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

SQL Injection Attack. David Jong hoon An

SQL Injection Attack. David Jong hoon An SQL Injection Attack David Jong hoon An SQL Injection Attack Exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either

More information

Webapps Vulnerability Report

Webapps Vulnerability Report Tuesday, May 1, 2012 Webapps Vulnerability Report Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE Impact Professional during

More information

Learning SQL for Database Intrusion Detection using Context-sensitive Modelling

Learning SQL for Database Intrusion Detection using Context-sensitive Modelling Learning SQL for Database Intrusion Detection using Context-sensitive Modelling Martin Apel, Christian Bockermann, Michael Meier The joke that should not be... The joke that should not be... $name = $_POST[

More information

HTTPParameter Pollution. ChrysostomosDaniel

HTTPParameter Pollution. ChrysostomosDaniel HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider

More information

Escrow: A Large-Scale Web Vulnerability Assessment Tool

Escrow: A Large-Scale Web Vulnerability Assessment Tool Escrow: A Large-Scale Web Vulnerability Assessment Tool Baden Delamore Cyber Security Lab University of Waikato Hamilton, New Zealand Email: delamore@outlook.com Ryan K. L. Ko Cyber Security Lab University

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

IJMIE Volume 2, Issue 9 ISSN: 2249-0558

IJMIE Volume 2, Issue 9 ISSN: 2249-0558 Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance

More information

Security Assessment of Waratek AppSecurity for Java. Executive Summary

Security Assessment of Waratek AppSecurity for Java. Executive Summary Security Assessment of Waratek AppSecurity for Java Executive Summary ExecutiveSummary Security Assessment of Waratek AppSecurity for Java! Introduction! Between September and November 2014 BCC Risk Advisory

More information

Client Side Filter Enhancement using Web Proxy

Client Side Filter Enhancement using Web Proxy Client Side Filter Enhancement using Web Proxy Santosh Kumar Singh 1, Rahul Shrivastava 2 1 M Tech Scholar, Computer Technology (CSE) RCET, Bhilai (CG) India, 2 Assistant Professor, CSE Department, RCET

More information

Finding Execution Faults in Dynamic Web Application

Finding Execution Faults in Dynamic Web Application International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 4, Number 5 (2014), pp. 445-452 International Research Publications House http://www. irphouse.com /ijict.htm Finding

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com

Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com Abstract: This paper discusses the SQL injection vulnerability, its impact on web applications, methods for pre-deployment and

More information

MapReduce. MapReduce and SQL Injections. CS 3200 Final Lecture. Introduction. MapReduce. Programming Model. Example

MapReduce. MapReduce and SQL Injections. CS 3200 Final Lecture. Introduction. MapReduce. Programming Model. Example MapReduce MapReduce and SQL Injections CS 3200 Final Lecture Jeffrey Dean and Sanjay Ghemawat. MapReduce: Simplified Data Processing on Large Clusters. OSDI'04: Sixth Symposium on Operating System Design

More information

CS 558 Internet Systems and Technologies

CS 558 Internet Systems and Technologies CS 558 Internet Systems and Technologies Dimitris Deyannis deyannis@csd.uoc.gr 881 Heat seeking Honeypots: Design and Experience Abstract Compromised Web servers are used to perform many malicious activities.

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

Classification of SQL Injection Attacks

Classification of SQL Injection Attacks Classification of SQL Injection Attacks San-Tsai Sun, Ting Han Wei, Stephen Liu, Sheung Lau Electrical and Computer Engineering, University of British Columbia {santsais,tinghanw,stephenl,sheungl}@ece.ubc.ca

More information

OWASP AND APPLICATION SECURITY

OWASP AND APPLICATION SECURITY SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
