
ACKNOWLEDGMENT

I would like to thank Allah for giving me the patience to work hard and overcome all the research obstacles. My full gratitude is to Dr. Mohammed Al-Jarrah and Dr. Izzat Alsmadi for their supervision and precious advice. Without their support this work would not have been possible. My deep thanks go to my thesis committee. My thanks also go to my friends for their honest friendship, care, and for being kind enough to provide help and support. Appreciation is also extended to my family, which has always been by my side: my father, my mother, my brothers and sister, Adel, Hasan, Mohammad, and Hussam, who have always been near me.

Hussein AlNabulsi
May 22, 2013

TABLE OF CONTENTS

Contents .... Page
ACKNOWLEDGMENT .... 1
TABLE OF CONTENTS .... 2
LIST OF FIGURES .... 6
LIST OF TABLES .... 9
LIST OF ABBREVIATIONS .... 10
ABSTRACT .... 11
CHAPTER 1: Introduction .... 12
1.1 Problem Statement .... 13
1.2 Purpose of the Study .... 14
1.3 Methodology .... 15
1.4 Contribution .... 15
1.5 Scope and Limitation .... 15
1.6 Thesis Structure .... 16
CHAPTER 2: Background and Literature Review .... 17
2.1 Introduction .... 17
2.2 Background .... 17
2.2.1 SNORT Structure .... 17
2.2.2 SNORT Under Windows .... 19
2.2.3 Using SNORT for SQL Injection Attacks .... 20
2.2.4 Examples of SQL Injection Attacks .... 21
2.2.5 SNORT Rules Description .... 23
2.2.6 Hackers' Web Attacking Mode .... 25
2.2.7 Drawbacks of Intrusion Detection Systems (IDS) .... 27
2.3 Literature Review .... 28
2.3.1 SQL Injection Attacks .... 28
2.3.2 SNORT Usage Evaluation .... 32
2.3.3 SNORT Utilization for Detecting and Preventing SQL Injection Attacks .... 33
CHAPTER 3: Methodology and Approaches .... 42
3.1 Methodology .... 42
3.2 Steps of SQL Injection Attacks .... 43
3.3 Perl Regular Expressions for SQL Injection .... 47
3.4 Using the SNORT Tool for Detecting SQL Injection Attacks .... 49
3.5 SNORT Network Topology .... 50
CHAPTER 4: Experimental Results and Discussion .... 51
4.1 Methods of Writing SQL Injection .... 52
4.1.1 Poorly Filtered Strings .... 52
4.1.2 Different Encoding Issues .... 54
4.1.3 White Space Multiplicity .... 57
4.1.4 Arbitrary String Patterns .... 58
4.1.5 Bypass Techniques .... 59
4.1.6 Grouping Concatenated Supplied Strings .... 62
4.1.7 Information Gathering Techniques .... 71
4.1.7.1 @@version .... 71
4.1.7.2 Server Hostname .... 73
4.1.7.3 Server MAC Address .... 75
4.1.7.4 Database Data Directory .... 76
4.1.8 Experimental Results for the Discussed SNORT Rules .... 78
4.2 Proposed Set of SNORT Rules for SQL Injection Detection .... 81
4.2.2 SNORT Rules Case Study .... 90
4.2.3 Applying the SQL Injection Attacks on Damn Vulnerable Web Application (DVWA) .... 92
4.3 A Comparison Study .... 92
4.3.1 Summary Table for the Comparison Study .... 109
4.3.2 Conclusion of the Comparison Study .... 109
CHAPTER 5: CONCLUSIONS AND FUTURE WORK .... 111
5.1 Conclusion .... 111
5.2 Future Work .... 112
CHAPTER 6: REFERENCES .... 114
CHAPTER 7: Appendix .... 118

LIST OF FIGURES

Figure .... Title .... Page
Figure 2.1 SNORT Architecture .... 19
Figure 2.2 A simple PHP login page with possible injection attack .... 21
Figure 2.3 An example of an SQL injection attack .... 22
Figure 3.1 An example of a vulnerable webpage .... 44
Figure 3.2 SNORT Network Topology .... 50
Figure 4.1 Retrieving the password of the admin .... 53
Figure 4.2 Result of SQL injection .... 55
Figure 4.3 .... 63
Figure 4.4 .... 64
Figure 4.5 .... 64
Figure 4.6 .... 65
Figure 4.7 .... 66
Figure 4.8 .... 67
Figure 4.9 .... 68
Figure 4.10 .... 68
Figure 4.11 Retrieving a user name and password .... 69
Figure 4.12 Retrieving the password of admin .... 71
Figure 4.13 Retrieve the version of server .... 72
Figure 4.14 Retrieve the hostname of server .... 74
Figure 4.15 Retrieve the MAC Address of server .... 75
Figure 4.16 Retrieve the data directory of server .... 77
Figure 4.17 SNORT .... 87
Figure 4.18 SNORT .... 94
Figure 4.19 SNORT rules detect the SQL injection attack .... 95
Figure 4.20 SNORT rules detect the SQL injection attack .... 98
Figure 4.21 SNORT .... 98
Figure 4.22 SNORT rules that were not able to detect the SQL injection attack .... 102
Figure 4.23 SNORT rules detect the SQL injection attack .... 102
Figure 4.24 SNORT rule .... 104
Figure 4.25 SNORT rules detect the SQL injection attack .... 105
Figure 4.26 SNORT rules detect the SQL injection attack .... 108
Figure 4.27 SNORT .... 108

LIST OF TABLES

Table .... Title .... Page
Table 2.1 The description of SNORT rule content .... 24
Table 2.2 Comparison of the illustrated approaches that focus on SQL injection attacks and are similar to our contribution .... 37
Table 4.1 General SQL injection symbols or keywords which can be used by attackers .... 52
Table 4.2 Summary table of SQL injections and SNORT rules .... 78
Table 4.3 The normal website examples .... 90
Table 4.4 Summary table for the comparison study .... 109

LIST OF ABBREVIATIONS

IDS .... Intrusion Detection System
DVWA .... Damn Vulnerable Web Application
NIDS .... Network Intrusion Detection System
WAN .... Wide Area Network
LAN .... Local Area Network
SQL .... Structured Query Language
TCP .... Transmission Control Protocol
UDP .... User Datagram Protocol
ICMP .... Internet Control Message Protocol
GUI .... Graphical User Interface
IP .... Internet Protocol
XSS, CSS .... Cross-Site Scripting
SQLIA .... Structured Query Language Injection Attack
HTTP .... Hypertext Transfer Protocol
ACK .... Acknowledge
SYN .... Synchronize

Abstract

Hussein Azmi AlNabulsi, Developing SNORT Rules for Detection and Protection Against SQL Injection Attacks, Department of Computer Engineering, Yarmouk University, 2013. (Supervisor: Dr. Mohammed Al-Jarrah; Co-Advisor: Dr. Izzat AlSmadi)

An Intrusion Detection System (IDS) for computer networks alerts system administrators to potential attacks. Using SQL injection attacks, attackers can retrieve sensitive information from the databases behind web servers. We studied and proposed effective methods to detect attacks against web applications, especially SQL injection. In this research we discuss techniques for detecting SQL injection attacks on the network, and how to detect them using the SNORT tool. SNORT, an open-source IDS, is used to compose regular-expression-based rules for detecting these attacks. We evaluated several techniques to show how SQL injection attacks are conducted and completed, and demonstrated with different examples how such attacks can be detected with SNORT. A case study of several websites shows how SQL injection attacks are carried out and how attackers use SQL injection methods against web applications. The recent increase in the number and variety of SQL injection attacks conducted and detected underlines the importance of this research. We evaluated several alternative SNORT rules that detect these attacks and alert users or system administrators. Different experiments with different SQL injection methods are evaluated as part of an assessment study in this thesis.
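The abstract describes detecting SQL injection with regular-expression-based SNORT rules. As an added illustration, not code from the thesis and not its proposed rule set, the following Python script applies a small set of Snort-style PCRE patterns to constructed HTTP request lines. Before matching it performs the kind of URI normalization that Snort's HTTP preprocessor does (repeated percent-decoding so that double-encoded input is exposed, plus collapsing of inline comments and whitespace), and it shows both an encoding evasion that the normalization defeats and a benign request that a naive quote-matching rule flags. The rule names, patterns, sample requests and the Snort rule quoted in the module docstring are our own assumptions for this example.

```python
"""Snort-style regular-expression detection of SQL injection in HTTP request
lines. Added example: rules, names and sample requests are constructed for
illustration and are not the thesis's proposed rule set.

For comparison, the "sqli-union-select" pattern written as an illustrative
Snort 2.x rule (assumed rule; sid in the local 1000000+ range):

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (
      msg:"SQLi - UNION SELECT in URI"; flow:to_server,established;
      content:"union"; nocase; http_uri;
      pcre:"/union\\s+(all\\s+)?select/Ui";
      classtype:web-application-attack; sid:1000001; rev:1;)
"""
import re
from urllib.parse import unquote_plus

# Assumed rule set. The first pattern is the classic "quote or comment marker"
# signature: it catches the most, but also fires on legitimate input.
RULES = {
    "sqli-meta-chars": re.compile(r"%27|'|--|%23|#", re.I),
    "sqli-union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "sqli-tautology": re.compile(r"\b(or|and)\b\s*[\w'\"]+\s*=\s*[\w'\"]+", re.I),
    "sqli-mysql-info": re.compile(r"@@(version|hostname|datadir)", re.I),
}


def normalize(text: str, max_rounds: int = 3) -> str:
    """Mimic IDS URI normalization: percent-decode repeatedly so that a
    double-encoded payload (%2527 -> %27 -> ') is exposed, turn SQL inline
    comments used as separators (/**/) into spaces, and collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def match_rules(request_line: str, decode: bool = True) -> list:
    """Return the names of the rules that fire on one HTTP request line.
    With decode=False the patterns see the raw request, which is what a rule
    without URI normalization would inspect."""
    text = normalize(request_line) if decode else request_line
    return [name for name, pattern in RULES.items() if pattern.search(text)]


def scan(requests) -> dict:
    """Map each request line to the list of rules it triggers."""
    return {req: match_rules(req) for req in requests}


# Constructed sample traffic, not captured data.
SAMPLE_REQUESTS = [
    "GET /login.php?user=admin'--&pass=x HTTP/1.1",                        # comment-out
    "GET /item.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1",
    "GET /item.php?id=1/**/UNION/**/SELECT/**/@@version HTTP/1.1",         # comments as whitespace
    "GET /item.php?id=1%2527%2520or%25201%253d1 HTTP/1.1",                 # double-encoded ' or 1=1
    "GET /search.php?name=O'Brien HTTP/1.1",                               # benign apostrophe
    "GET /index.php?page=about HTTP/1.1",                                  # benign
]

if __name__ == "__main__":
    for req, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{hits or ['-']!s:>40}  {req}")
    # The double-encoded request is invisible to the raw-text rules:
    print("raw match on double-encoded payload:",
          match_rules(SAMPLE_REQUESTS[3], decode=False))
```

The benign `O'Brien` request shows why the bare quote rule alone is a poor detector: the thesis's Table 4.3 ("normal website examples") exists for exactly this false-positive check, and the sharper UNION, tautology and `@@` patterns do not fire on it. The double-encoded request shows the other side: without decoding, none of the rules match at all.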