Detection and prevention for SQL injection attacks in stored procedures using real time web application
Today, web applications are used for most of the activities in our lives, and they are exposed to SQL injection attacks. SQL injection is a prevalent technique that attackers use to compromise the database behind most web applications by manipulating the SQL queries that...
Saved in:
Main Author: | Salih Ali, Nabeel |
---|---|
Format: | Thesis |
Language: | English |
Published: | 2015 |
Subjects: | Q Science (General); QA Mathematics |
Online Access: | http://eprints.utem.edu.my/id/eprint/15891/1/DETECTION%20AND%20PREVENTION%20FOR%20SQL%20INJECTION%20ATTACKS%20IN%20STORED%20PROCEDURES%20USING%20REAL%20TIME%20WEB%20APPLICATION%20%2824%20pgs%29.pdf http://eprints.utem.edu.my/id/eprint/15891/2/Detection%20and%20prevention%20for%20SQL%20injection%20attacks%20in%20stored%20procedures%20using%20real%20time%20web%20application.pdf |
id |
my-utem-ep.15891 |
---|---|
record_format |
uketd_dc |
institution |
Universiti Teknikal Malaysia Melaka |
collection |
UTeM Repository |
language |
English |
advisor |
Shibghatullah, Abdul Samad |
topic |
Q Science (General) QA Mathematics |
description |
Today, web applications are used for most of the activities in our lives, and they are exposed to SQL injection attacks. SQL injection is a prevalent technique that attackers use to compromise the database behind most web applications by manipulating the SQL queries sent to the RDBMS, thereby changing the behaviour of the application. SQL injection against stored procedures is one of the serious attacks that threatens the database underlying a web application: the attack can be crafted to execute stored procedures provided by a particular database, including procedures that interact with the operating system. This research is organized around three major objectives. The first is to investigate SQL injection attacks and study what has been done to detect and prevent SQLIA in stored procedures, in order to expose the shortcomings of existing approaches and highlight their weaknesses. The second is to identify the obstacles and factors that must be addressed to build an appropriate defensive approach to detect and prevent SQLIAs. The third is to develop the WASP tool into a real-time web application tool (RT-WASP) to detect SQLIAs, and to propose a suitable protective approach to prevent stored procedure SQLIAs. Our methodology comprises four phases: a primary study or investigation phase, a modeling phase, a development and proposing phase, and an evaluation and discussion phase. The investigation phase studies current approaches to countering SQLIAs, with a background study that highlights their problems and weaknesses in order to address the gap in the SQLIA detection and prevention domain. The modeling phase evaluates the performance of the existing techniques to identify the factors that lead to better and more efficient results in our work.
In the development and proposing phase, a suitable tool is developed and an effective preventive approach is proposed. The evaluation and discussion phase finalizes the research. The main contributions of this research are: first, a summary and analysis of a detailed review of various SQLI attacks and an investigation of previous approaches to detecting and preventing these attacks in web applications; second, the development of the WASP tool proposed by Halfond (2008) to detect SQLI attacks in real-time web applications; third, a proposed protective approach that includes three preventive mechanisms, namely parameterized stored procedures, customized error messages, and encrypted stored procedures in SQL Server, to prevent the danger of SQLIA in stored procedures; and last, a comparative analysis of the developed technique and the proposed protective approach, based on evaluations of the efficiency and effectiveness of the technique and the effectiveness of the protective approach. RT-WASP was efficient: it stopped all SQLIAs, generated no false negatives and only a few false positives, and imposed low overhead and minimal deployment requirements. Our protective approach was effective in that it was able to prevent stored procedure SQLIAs. Finally, the future scope is identified and discussed. |
format |
Thesis |
qualification_name |
Master of Philosophy (M.Phil.) |
qualification_level |
Master's degree |
author |
Salih Ali, Nabeel |
title |
Detection and prevention for SQL injection attacks in stored procedures using real time web application |
granting_institution |
Universiti Teknikal Malaysia Melaka |
granting_department |
Faculty of Information and Communication Technology |
publishDate |
2015 |
url |
http://eprints.utem.edu.my/id/eprint/15891/ http://eprints.utem.edu.my/id/eprint/15891/1/DETECTION%20AND%20PREVENTION%20FOR%20SQL%20INJECTION%20ATTACKS%20IN%20STORED%20PROCEDURES%20USING%20REAL%20TIME%20WEB%20APPLICATION%20%2824%20pgs%29.pdf http://eprints.utem.edu.my/id/eprint/15891/2/Detection%20and%20prevention%20for%20SQL%20injection%20attacks%20in%20stored%20procedures%20using%20real%20time%20web%20application.pdf https://plh.utem.edu.my/cgi-bin/koha/opac-detail.pl?biblionumber=96202 |
references |
1. Alserhani, F., Akhlaq, A., Awan, I.U. & Cullen, A.J., 2011. Event-Based Alert Correlation System to Detect SQLI Activities. 2011 IEEE International Conference on Advanced Information Networking and Applications, pp. 175–182. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5763386 [Accessed October 6, 2014].
2. Alvarez, G. & Petrovic, S., 2002. Encoding a Taxonomy of Web Attacks with Different-Length Vectors. pp. 1–22. Available at: http://arxiv.org/abs/cs/0210026v1 [Accessed October 19, 2014].
3. Álvarez, G. & Petrović, S., 2003. A new taxonomy of Web attacks suitable for efficient encoding. Computers & Security, 22(5), pp. 435–449. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0167404803005121.
4. Ankush, S.D., 2014. XSS Attack Prevention Using DOM based filtering API. Department of Computer Science and Engineering, National Institute of Technology Rourkela, Rourkela 769 008, India.
5. Prabakar, 2013. An Efficient Technique for Preventing SQL Injection Attack Using Pattern. 2013 IEEE International Conference on Emerging Trends in Computing, Communication and Nanotechnology (ICECCN 2013), pp. 503–506.
6. Gustavo Miguel Barroso Assis do Nascimento, 2010. Anomaly Detection of Web-Based Attacks. (November).
7. Ashitah, N., Othman, A., Alam, S., Hani, F., Ali, M., Binti, M. & Noh, M., 2014. Secured Web Application Using Combination of Query Tokenization and Adaptive Method in Preventing SQL Injection Attacks. (I4CT), pp. 472–476.
8. Athanasopoulos, E., Krithinakis, A. & Markatos, E.P., 2011. An Architecture for Enforcing JavaScript Randomization in Web 2.0 Applications. ISC 2010, LNCS 6531, Springer-Verlag Berlin Heidelberg, pp. 203–209.
9. Balasundaram, I. & Ramaraj, E., 2012. An efficient technique for detection and prevention of SQL injection attack using ASCII based string matching. Procedia Engineering, 30, pp. 183–190. Available at: http://dx.doi.org/10.1016/j.proeng.2012.01.850.
10. Baranwal, A.K., 2012. Approaches to detect SQL injection and XSS in web applications. EECE 571B, Term Survey Paper, April 2012.
11. Bau, J., Bursztein, E., Gupta, D. & Mitchell, J., 2010. State of the Art: Automated Black-Box Web Application Vulnerability Testing. 2010 IEEE Symposium on Security and Privacy, pp. 332–345. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5504795 [Accessed October 6, 2014].
12. Bisht, 2006. CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. pp. 1–38.
13. Buehrer, G.T., Weide, B.W. & Sivilotti, P.A.G., 2005. Using Parse Tree Validation to Prevent SQL Injection Attacks. (September), pp. 106–113.
14. Kothari, C.R., 2004. Research Methodology: Methods and Techniques.
15. Clarke, J. & Alvarez, R.M., 2009. SQL Injection Attacks and Defense.
16. Diego, S., Drive, G., Jolla, L., McClure, R.A. & Krunger, I.H., 2005. SQL DOM: Compile Time Checking of Dynamic SQL Statements. pp. 88–96.
17. Florin, C., Ştefan cel Mare, Mihai Eminescu. Web Security Platform (W.S.P).
18. Gadgikar, A.S., 2013. Preventing SQL injection attacks using negative tainting approach. 2013 IEEE International Conference on Computational Intelligence and Computing Research, pp. 1–5. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6724140.
19. Gadgil, S., 2013. SQL Injection Prevention in Banking. 4(2), pp. 345–349.
20. Halfond, W.G.J., Choudhary, S.R. & Orso, A., 2011. Improving penetration testing through static and dynamic analysis. Software Testing, Verification and Reliability, 21(3), pp. 195–214. Available at: http://doi.wiley.com/10.1002/stvr.450.
21. Halfond, W.G.J. & Orso, A., 2008. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks.
22. Halfond, W.G.J. & Orso, A., 2005. Combining static analysis and runtime monitoring to counter SQL-injection attacks. Proceedings of the third international workshop on Dynamic analysis (WODA '05), pp. 1–7. Available at: http://portal.acm.org/citation.cfm?doid=1083246.1083250.
23. Halfond, W.G.J., Orso, A. & Manolios, P., 2006. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering (SIGSOFT '06/FSE-14), p. 175. Available at: http://portal.acm.org/citation.cfm?doid=1181775.1181797.
24. Halfond, W.G.J., Orso, A. & Society, I.C., 2008. WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation. 34(1), pp. 65–81.
25. Uzi & Donald, 2003. Web Application Security: A Survey of Prevention Techniques. (June).
26. Janot, E. & Zavarsky, 2008. Preventing SQL Injections in Online Applications: Study, Recommendations and Java Solution Prototype Based on the SQL DOM.
27. Kemalis, K. & Tzouramanis, T., 2008. SQL-IDS: A Specification-based Approach for SQL-Injection Detection. pp. 2153–2158.
28. Khoury, N., Zavarsky, P., Lindskog, D. & Ruhl, R., 2011. An Analysis of Black-Box Web Application Security Scanners against Stored SQL Injection. 2011 IEEE Third Int'l Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third Int'l Conference on Social Computing, pp. 1095–1101. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6113264.
29. Kiezun, A., Guo, P.J. & Ernst, M.D., 2009. Automatic Creation of SQL Injection and Cross-Site Scripting Attacks. pp. 199–209.
30. Kiezun, A., Guo, P.J., Jayaraman, K. & Ernst, M.D., 2008. Automatic Creation of SQL Injection and Cross-Site Scripting Attacks. Computer Science and Artificial Intelligence Laboratory Technical Report.
31. Kim, J., 2011. Injection Attack Detection Using the Removal of SQL Query Attribute Values. 2011 International Conference on Information Science and Applications, pp. 1–7. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5772411.
32. Kindy, D.A. & Pathan, A.K., 2012. A Detailed Survey on Various Aspects of SQL Injection in Web Applications: Vulnerabilities, Innovative Attacks, and Remedies. pp. 1–13.
33. Kindy, D.A. & Pathan, A.-S.K., 2011. A survey on SQL injection: Vulnerabilities, attacks, and prevention techniques. 2011 IEEE 15th International Symposium on Consumer Electronics (ISCE), pp. 468–471. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5973873.
34. Kosuga, Y., Kono, K., Hanaoka, M., Hishiyama, M. & Takahama, Y., 2007. Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection. Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp. 107–117. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=4412981 [Accessed October 9, 2014].
35. Lee, I., Jeong, S., Yeo, S. & Moon, J., 2012. A novel method for SQL injection attack detection based on removing SQL query attribute values. Mathematical and Computer Modelling, 55(1-2), pp. 58–68. Available at: http://dx.doi.org/10.1016/j.mcm.2011.01.050.
36. Lu, X., Peltsverger, B., Chen, S., Fu, X., Qian, K. & Tao, L. A Static Analysis Framework For Detecting SQL Injection Vulnerabilities. pp. 1–8.
37. Mamadhan, S., Manesh, T. & Paul, V., 2012. SQLStor: Blockage of stored procedure SQL injection attack using dynamic query structure validation. 2012 12th International Conference on Intelligent Systems Design and Applications (ISDA), pp. 240–245. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6416544.
38. Martin, M., Livshits, B. & Lam, M.S., 2005. Finding application errors and security flaws using PQL. ACM SIGPLAN Notices, 40, p. 365.
39. Medhane, M.H.A.S.P., 2013a. Efficient Solution for SQL Injection Attack Detection and Prevention. (1), pp. 395–398.
40. Medhane, M.H.A.S.P., 2013b. R-WASP: Real Time-Web Application SQL Injection Detector and Preventer. (5), pp. 327–330.
41. Mishra, N. & Gond, S., 2013. Defenses To Protect Against SQL Injection Attacks. 2(10), pp. 3829–3833.
42. Mule, T.S., Mahajan, A.S., Kamble, S. & Khatavkar, O., 2014. Intrusion Protection against SQL Injection And Cross Site Scripting Attacks Using a Reverse Proxy. 5(3), pp. 2846–2850.
43. Natarajan, K. & Subramani, S., 2012. Generation of Sql-injection Free Secure Algorithm to Detect and Prevent Sql-Injection Attacks. Procedia Technology, 4, pp. 790–796. Available at: http://dx.doi.org/10.1016/j.protcy.2012.05.129.
44. Pietraszek, T. & Berghe, C. Vanden, 2006. Context-Sensitive String Evaluation. pp. 124–145.
45. Scholte, T., Robertson, W., Balzarotti, D. & Kirda, E., 2012. Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis. 2012 IEEE 36th Annual Computer Software and Applications Conference, pp. 233–243. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6340148 [Accessed November 5, 2014].
46. Ezumalai & Aghila, 2009. Combinatorial Approach for Preventing SQL Injection Attacks. (March), pp. 6–7.
47. Aich, D., 2009. Secure Query Processing By Blocking SQL Injection. Master of Technology thesis. (May).
48. Servers, A.W.S., 2014. Web Application Attack Report #5. (October).
49. Shahriar, H., Weldemariam, K., Lutellier, T. & Zulkernine, M., 2013. A Model-Based Detection of Vulnerable and Malicious Browser Extensions. 2013 IEEE 7th International Conference on Software Security and Reliability, pp. 198–207. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6571710 [Accessed October 6, 2014].
50. Shan, L., Province, J. & Xiaorui, D., 2010. An Adaptive Method Preventing Database from SQL Injection Attacks. (2), pp. 352–355.
51. Shar, L.K., Tan, H.B.K. & Briand, L.C., 2013. Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis. 2013 35th International Conference on Software Engineering (ICSE), pp. 642–651. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6606610.
52. Shar, L.K. & Tan, H.B.K., 2012. Predicting common web application vulnerabilities from input validation and sanitization code patterns. Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering (ASE 2012), p. 310. Available at: http://dl.acm.org/citation.cfm?doid=2351676.2351733.
53. Shrivastava, R., Bhattacharyji, J. & Soni, R., 2012. SQL Injection Attacks in Database Using Web Service: Detection and Prevention – Review. 6, pp. 162–165.
54. Srivastava, S., 2012. A Survey On: Attacks due to SQL injection and their prevention method for web application. 3(1), pp. 3225–3228.
55. Wei, K. & Muthuprasanna, M., 2006. Preventing SQL injection attacks in stored procedures. Australian Software Engineering Conference (ASWEC '06). Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=1615052.
56. Wei, K., Muthuprasanna, M. & Kothari, S., 2005. Preventing SQL Injection Attacks in Stored Procedures.
57. Xin-hua, Z. & Zhi-jian, 2010. Notice of Retraction: A Static Analysis Tool for Detecting Web Application Injection Vulnerabilities for ASP Program.
58. Yan, Y., Zhengyuan, S. & Zucheng, D., 2011. The database protection system against SQL attacks. 2011 3rd International Conference on Computer Research and Development, pp. 99–102. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5764254.
59. Zheng, Y. & Zhang, X., 2013. Path sensitive static analysis of web applications for remote code execution vulnerability detection. 2013 35th International Conference on Software Engineering (ICSE), pp. 652–661. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6606611.
60. OWASP, 2013. Top 10 Risks 2013. [Online] Available at: https://www.owasp.org/index.php/Top_10_2013-Top_10. |