SQL INJECTION MONITORING SECURITY VULNERABILITIES IN WEB APPLICATIONS

Transcription

1 SQL INJECTION MONITORING SECURITY VULNERABILITIES IN WEB APPLICATIONS Manas Kumar 1, S. Senthil kumar 2 and D. Sarvanan 3 1 M.C.A. (Final Year) Abstract Sql injection: a recently discovered application vulnerability became a major attack that target the web applications. This vulnerability is widely recognized as the most common source of security vulnerabilities in the web applications. The security of web applications has become increasingly important in the last decades and the main reason for security is from sql injection. Web applications are popular targets of security attacks. One major type of such attacks is SQL injection, where an attacker tries to exploit faulty application code by executing maliciously crafted database queries. The attackers are allowed to obtain unauthorized access to the backend database by submitting the malicious sql query segments to change the intended application generated sql queries because of it. We propose a static analysis approach based on a scalable and precise point-to-point analysis. Keywords: SQL rand, Sql injection vulnerabilities, Sql injection attack prevention. 1. INTRODUCTION Web applications enable much of today s online business including online banking, online shopping, online university admissions and various online governmental activities. Anyone can use a web browser and can access them, and the data they manage typically has significant value both to the users and to the service providers. The standard language for accessing database servers including MySQL, Oracle, and SQL Server is SQL(Standard Query Language). Web programming languages such as java and asp.net provide various methods for constructing and executing SQL statements, but developers often misuse these methods due to lack of training and development experience and resultant occurs as SQL injection vulnerabilities. To construct SQL statement the developers usually use the dynamic query building with string concatenation. The system forms queries with inputs directly received from the external sources, during runtime. This method makes it possible to build different queries based on varying conditions set by the user. However, as this is the cause of many sql injection vulnerabilities. Consequently, vulnerabilities that allow an attacker to compromise a web application s control of its data pose a significant threat. SQL command injection vulnerabilities comprise most of this class. A sql injection attack occurs when a malicious user, through specially crafted input causes a web application to generate and send a query that send a query that functions differently than the intended programmer. For example, if a database contains user names and passwords, the application might have code such as the following: query = "select * from accnt where name='" + request.getparameter("name") + "' and password='" + request.getparameter("pass") + "'"; This code generates a query intended to be used to authenticate a user who tries to login to a web site. However, if a malicious user enters guy into the name field and.'or' a'='a. into the password, the query string becomes: select * from accnt where name='guy' and password='' or 'a'='a' this condition always evaluates to true. 2. EXISTING SYSTEM Defensive coding practices This is used for strong code building for developer s insecure coding practices as a result of the direct solution to defeat SQL injection vulnerabilities. Volume 2, Issue 3, March 2014 Page 1

2 Parameterized queries Dynamic queries are generally replaced by parameterized query where queries are properly coded that force the developers to define the structure of SQL codes before the parameters are included to the query. The injection of additional SQL code is not possible because parameters are bound to the defined SQL structure first. Escaping user supplied parameters The best option is to escape all user supplied parameters if dynamic queries cannot be avoided. Escaping all usersupplied parameters is the best option. However, the common practices are insufficient or improper escaping, all input sources should be identified by the developers to realize the parameters that need escaping, instead of using custom escaping the developer should follow database specific escaping procedures and standard escaping libraries and standard methods. Data type validation In addition to escaping, data type validation should be used by developers, the validation of an input whether that is string or numeric can be rejected if the inputs are mismatched. After validation there is no need of further cleansing action and can be safely used in queries. Filtering Developers often use black list filtering to reject known bad special characters such as and ; from the parameters to avoid SQL injection. However, accepting only inputs known to be legitimate is safer. 2.1 Existing system protocol Music Mutation analysis generates mutants for the device (music) mutation-based SQL Injection vulnerabilities checking. We have five open sources web-based applications written in JSP validate the proposed operators. We test the proposed operators are effective for SQLIV. 3. PROPOSED SYSTEM An SQL injection attack targets interactive web applications that employ database services. As SQL injection has become a major type of attacks that allows attackers to obtain unauthorized access to the back-end database by submitting malicious SQL query segments to change the intended application-generated SQL queries. Researchers have proposed various solutions to address SQL injection problems. However, many of them have limitations and often cannot address all kinds of injection problems. What s more, new types of SQL injection attacks have arisen over the years. To better counter these attacks, identifying and understanding the types of SQL injections and existing countermeasures are very important. In this project, we have presented a review of different types of SQL injections and illustrated how to use them to perform attacks. we also surveyed existing techniques against SQL injection attacks and analyzed their advantages and disadvantages. In addition, we identified techniques for building secure systems and applied them to our applications and database system, and illustrated how they were performed and the effect of them. 3.1 Terms under proposed System Runtime attack prevention There are lots of tools and techniques developed by the many researchers that are able to prevent all SQLIAs by checking actual runtime against legitimate queries. Randomization The proposed mechanism is [20] SQL rand that forces developers to construct queries using randomized SQL keywords instead of using normal keywords. Learning-based prevention This type of approach uses a runtime monitoring system deployed between the application server and database server. It intercepts all queries and checks SQL keywords to determine whether the queries syntactic structures are legitimate (programmer intended) before the application sends them to the database. Specification of users Specification-based methods require developers to specify legitimate query structures using pop formal language expressions such as Extended Backus- Naur Form. Volume 2, Issue 3, March 2014 Page 2

3 Static analysis Analysis for Monitoring and Neutralizing SQL Injection Attacks uses static analysis to deduce valid queries that might appear at each database access point in Web programs via isolation of tainted and untainted data. Dynamic analysis Statically inferred legitimate query structures might not be accurate, and attackers could exploit this weakness to conduct SQLIAs. Researchers have thus proposed dynamic-analysis-based approaches to provide more accuracy. 3.2 Proposed System Model Explanation Definition: Testing based on code The various test strategies to detect SQL injection vulnerabilities is used. However, it clearly felt the need for manual inspection is not vulnerable points program. Both devices showed injection mutants / weaknesses based on the application under test to assess the effectiveness of implemented security mechanisms. Attack generation An execution technique to automatically expose vulnerabilities to SQL injection in a web application that is used to generate test input. Using symbolic execution along the path by solving the constraints imposed on inputs generates test inputs. Traditionally, symbolic - performance-based approach to handle only numeric operations that uses constraint solvers.can be used to detect both symbolic execution. EXPERIMENTAL STEPS In experimental we have tried to find the new type of sql injection attacks that is a set of special characters usually used by the hackers to access the back-end database and we have tried to defeat them. In our experiment we tried to avoid using all the special keywords. If the special keywords are being entered the website will not permit the user to log in, it will remain on its home page. This procedure has been followed in whole website whether it is normal user or a representative staff. Back-end database can be accessed by only the representative staffs and each representative staff can be logged in using their secrete key. The secret key plays a vital role with the password key in the security of the website. Only those staff or representatives can be logged in who is a registered member of the website. Step-1: Step-2: Step-3: Volume 2, Issue 3, March 2014 Page 3

4 Step-4: Step-5: Step-6: Step-7: Volume 2, Issue 3, March 2014 Page 4

5 Step-8: Step-9: Future Work As part of future work, we plan to extend our prototype to develop a complete implementation of the proposed architecture. This would then be used as a test bed to evaluate the different web application scripts available in the public domain. We are currently exploring the security implications of incorporating well known randomization algorithms into our model in case the session id which is used to separate the user inputs from the SQL statement might be guessed by the attacker. We are also exploring the possibility of implementing this functionality as a middleware to the database engine, to avoid explicit instrumentation of source code. Conclusion Web application developers need more extensive training to raise their awareness about SQL injection and to become familiar with state-of-the-art defenses. At the same time, they need sufficient time and resources to implement security measures. Too often, project managers pay less attention to security than to functional requirements. Second, researchers should implement their proposed approaches and make such implementations, along with comprehensive user manuals, available either commercially or as open source. Too many existing techniques are either not publicly available or are difficult to adopt. Readily available tools would motivate more developers to combat SQL injection. References: [1] C. Anley, Advanced SQL Injection in SQL Server Applications, white paper, Next Generation Security Software Ltd., 2002; [2] W.G.J. Halfond, J. Viegas and A. Orso, A Classification of SQL Injection Attacks and Countermeasures., Proc. Int l Symp. Secure Software Eng. (ISSSE 06), IEEE CS, 2006; [3] D. Saravanan and Dr. S. Srinivasan, Matrix Based Indexing Technique for Video Data., International journal of Computer Science, 9 (5): , 2013,pp [4] R.A. McClure and I.H. Krüger, SQL DOM: Compile Time Checking of Dynamic SQL Statements, Proc. 27th Int l Conf. Software Eng. (ICSE 05), ACM, 2005, pp [5] S. Thomas, L. Williams, and T. Xie, On Automated Prepared Statement Generation to Remove SQL Injection Vulnerabilities, Information and Software Technology, Mar. 2009, pp [6] Y. Shin, L. Williams, and T. Xie, SQLUnitGen: Test Case Generation for SQL Injection Detection., tech. report TR , Computer Science Dept., North Carolina State Univ., [7] H. Shahriar and M. Zulkernine, MUSIC: Mutation-Based SQL Injection Vulnerability Checking, Proc. 8th Int l Conf. Quality Software (QSIC 08), IEEE CS, 2008, pp Volume 2, Issue 3, March 2014 Page 5

6 [8] D. Saravanan and Dr. S. Srinivasan, A proposed New Algorithm for Hierarchical Clustering suitable for Video Data mining., International journal of Data Mining and Knowledge Engineering, Volume 3, Number 9, July 2011.Pages [9] J. Fonseca, M. Vieira, and H. Madeira, Vulnerability &Attack Injection for Web Applications, Proc. 39th Ann. IEEE/IFIP Int l Conf. Dependable Systems and Networks (DSN 09), IEEE, 2009, pp [10] X. Fu and C. C. Li, A String Constraint Solver for Detecting Web Application Vulnerability., Proc. 22nd Int l Conf. Software Eng. and Knowledge Eng. (SEKE 10), Knowledge Systems Institute Graduate School, 2010, pp [11] A. Kiezun et al., Automatic Creation of SQL Injection and Cross-Site Scripting Attacks, Proc. 31st Int l Conf. Software Eng. (ICSE 09), IEEE CS, 2009, pp [12] D. Saravanan and Dr. S. Srinivasan, Data Mining Framework for Video Data, In the Proc. of International Conference on Recent Advances in Space Technology Services & Climate Change (RSTS&CC-2010), held at Sathyabama University, Chennai, November 13-15, 2010.Pages [13] N. Alshahwan and M. Harman, Automated Web Application Testing Using Search Based Software Engineering, Proc. 26th IEEE/ACM Int l Conference Automated Software Eng. (ASE 11), IEEE, 2011, pp [14] K.J. Biba, Integrity Considerations for Secure Computing Systems., tech. report ESD-TR , Electronic Systems Division, US Air Force, [15] V.B. Livshits and M.S. Lam, Finding Security Vulnerabilities in Java Programs with Static Analysis, Proc. 14th Conf. Usenix Security Symp. (Usenix-SS 05), Usenix, 2005; [16] Y. Xie and A. Aiken, Static Detection of Security Vulnerabilities in Scripting Languages., Proc. 15th Conf Usenix Security Symp. (Usenix-SS 06), Usenix, 2006; [17] G. Wassermann and Z. Su, Sound and recise Analysis of Web Applications for Injection Vulnerabilities., Proc. ACM SIGPLAN Conf. Programming Language Design and Implementation (PLDI 07), ACM, 2007, pp [18] L.K. Shar and H.B.K. Tan, Mining Input Sanitization Patterns for Predicting SQL Injection and Cross Site Scripting Vulnerabilities, Proc. 34th Int l Conf. Software Eng. (ICSE 12), IEEE, 2012, pp [19] D. Saravanan and Dr. S. Srinivasan, Video Image Retrieval Using Data Mining Techniques Journal of Computer Applications, Volume V, Issue No.1. Jan-Mar Page ISSN: [20] S.W. Boyd and A.D. Keromytis, SQL rand: Preventing SQL Injection Attacks, Proc. 2nd Conf. Applied Cryptography and Network Security (ACNS 04), LNCS 3089, Springer, 2004, pp Volume 2, Issue 3, March 2014 Page 6