Detection and prevention for SQL injection attacks in stored procedures using real time web application

Bibliographic Details
Main Author: Salih Ali, Nabeel
Format: Thesis
Language: English
Published: 2015
Online Access: http://eprints.utem.edu.my/id/eprint/15891/1/DETECTION%20AND%20PREVENTION%20FOR%20SQL%20INJECTION%20ATTACKS%20IN%20STORED%20PROCEDURES%20USING%20REAL%20TIME%20WEB%20APPLICATION%20%2824%20pgs%29.pdf
http://eprints.utem.edu.my/id/eprint/15891/2/Detection%20and%20prevention%20for%20SQL%20injection%20attacks%20in%20stored%20procedures%20using%20real%20time%20web%20application.pdf
id my-utem-ep.15891
record_format uketd_dc
institution Universiti Teknikal Malaysia Melaka
collection UTeM Repository
language English
advisor Shibghatullah, Abdul Samad

topic Q Science (General)
QA Mathematics
description At present, web applications are used for most of the activities in our daily lives, and they are affected by SQL injection attacks. SQL injection is a prevalent technique that attackers employ to compromise the database behind most web applications by manipulating the SQL queries sent to the RDBMS, thereby changing the behavior of the application. Stored-procedure SQL injection is one of the serious attacks that pose a threat to the database underlying a web application: the attack can be crafted to execute stored procedures provided by a particular database, including procedures that interact with the operating system. In this research, three major objectives direct the work: first, to investigate SQL injection attacks and study what has been done to detect and prevent SQLIA in stored procedures, in order to address the shortcomings of those approaches and highlight their weaknesses; second, to identify the various obstacles and factors that must be dealt with to successfully build an appropriate defensive approach to detect and prevent SQLIAs; and third, to develop the WASP tool into a real-time web application tool (RT-WASP) that detects SQLIAs, and to propose a suitable protective approach to prevent stored-procedure SQLIAs. Our methodology encompasses four phases: a primary study or investigation phase, a modeling phase, a development and proposing phase, and an evaluation and discussion phase. The investigation phase studies current approaches to countering SQLIAs; the background study highlights problems and weaknesses in order to address the gap in the SQLIA detection and prevention domain. The modeling phase evaluates the performance of the existing techniques to identify the factors that must be dealt with to obtain better and more efficient results in our work.
In the development and proposing phase, a suitable tool is developed and an effective preventive approach is proposed. The evaluation and discussion phase takes place in order to finalize the research. The main contributions of this research are: first, a summary and analysis of a detailed review of various SQLI attacks and an investigation of previous approaches that detect and prevent these attacks in web applications; second, the development of the WASP tool proposed by Halfond (2008) to detect SQLI attacks in real-time web applications; third, a proposed protective approach that includes three preventive mechanisms, namely parameterized stored procedures, customized error messages, and encryption of stored procedures in SQL Server, in order to prevent the danger of SQLIA in stored procedures; and last, a comparative analysis of the developed technique and the proposed protective approach, based on evaluations of the efficiency and effectiveness of the technique and the effectiveness of the protective approach. RT-WASP was efficient because it was able to stop all SQLIAs, generated no false negatives and only a few false positives in the results, and imposed low overhead and minimal deployment requirements. Our protective approach was effective because it was capable of preventing stored-procedure SQLIAs. Finally, the future scope is identified and discussed.
format Thesis
qualification_name Master of Philosophy (M.Phil.)
qualification_level Master's degree
author Salih Ali, Nabeel
title Detection and prevention for SQL injection attacks in stored procedures using real time web application
granting_institution Universiti Teknikal Malaysia Melaka
granting_department Faculty of Information and Communication Technology
publishDate 2015
Library catalogue record: https://plh.utem.edu.my/cgi-bin/koha/opac-detail.pl?biblionumber=96202

References:
1. Alserhani, F., Akhlaq, A., Awan, I.U. & Cullen, A.J., 2011. Event-Based Alert Correlation System to Detect SQLI Activities. 2011 IEEE International Conference on Advanced Information Networking and Applications, pp.175–182. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5763386 [Accessed October 6, 2014].
2. Alvarez, G. & Petrovic, S., 2002. Encoding a Taxonomy of Web Attacks with Different-Length Vectors. pp.1–22. Available at: http://arxiv.org/abs/cs/0210026v1 [Accessed October 19, 2014].
3. Álvarez, G. & Petrović, S., 2003. A new taxonomy of Web attacks suitable for efficient encoding. Computers & Security, 22(5), pp.435–449. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0167404803005121.
4. Ankush, S.D., 2014. XSS Attack Prevention Using DOM based filtering API. Department of Computer Science and Engineering, National Institute of Technology Rourkela, Rourkela 769 008, India.
5. Prabakar, 2013. An Efficient Technique for Preventing SQL Injection Attack Using Pattern. 2013 IEEE International Conference on Emerging Trends in Computing, Communication and Nanotechnology (ICECCN 2013), pp.503–506.
6. Gustavo Miguel Barroso Assis do Nascimento, 2010. Anomaly Detection of Web-Based Attacks. (November).
7. Ashitah, N., Othman, A., Alam, S., Hani, F., Ali, M., Binti, M. & Noh, M., 2014. Secured Web Application Using Combination of Query Tokenization and Adaptive Method in Preventing SQL Injection Attacks. (I4CT), pp.472–476.
8. Athanasopoulos, E., Krithinakis, A. & Markatos, E.P., 2011. An Architecture for Enforcing JavaScript Randomization in Web 2.0 Applications. ISC 2010, LNCS 6531, Springer-Verlag Berlin Heidelberg, pp.203–209.
9. Balasundaram, I. & Ramaraj, E., 2012. An efficient technique for detection and prevention of SQL injection attack using ASCII based string matching. Procedia Engineering, 30, pp.183–190. Available at: http://dx.doi.org/10.1016/j.proeng.2012.01.850.
10. Baranwal, A.K., 2012. Approaches to detect SQL injection and XSS in web applications. EECE 571B, Term Survey Paper, April 2012.
11. Bau, J., Bursztein, E., Gupta, D. & Mitchell, J., 2010. State of the Art: Automated Black-Box Web Application Vulnerability Testing. 2010 IEEE Symposium on Security and Privacy, pp.332–345. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5504795 [Accessed October 6, 2014].
12. Bisht, 2006. CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. pp.1–38.
13. Buehrer, G.T., Weide, B.W. & Sivilotti, P.A.G., 2005. Using Parse Tree Validation to Prevent SQL Injection Attacks. (September), pp.106–113.
14. Kothari, C.R., 2004. Research Methodology: Methods and Techniques.
15. Clarke, J. & Alvarez, R.M., 2009. SQL Injection Attacks and Defense.
16. Diego, S., Drive, G., Jolla, L., McClure, R.A. & Krunger, I.H., 2005. SQL DOM: Compile Time Checking of Dynamic SQL Statements. pp.88–96.
17. Florin, C., Ştefan cel Mare, Mihai Eminescu. Web Security Platform (W.S.P).
18. Gadgikar, A.S., 2013. Preventing SQL injection attacks using negative tainting approach. 2013 IEEE International Conference on Computational Intelligence and Computing Research, pp.1–5. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6724140.
19. Gadgil, S., 2013. SQL Injection Prevention in Banking. 4(2), pp.345–349.
20. Halfond, W.G.J., Choudhary, S.R. & Orso, A., 2011. Improving penetration testing through static and dynamic analysis. Software Testing, Verification and Reliability, 21(3), pp.195–214. Available at: http://doi.wiley.com/10.1002/stvr.450.
21. Halfond, W.G.J. & Orso, A., 2008. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks.
22. Halfond, W.G.J. & Orso, A., 2005. Combining static analysis and runtime monitoring to counter SQL-injection attacks. Proceedings of the third international workshop on Dynamic analysis (WODA '05), pp.1–7. Available at: http://portal.acm.org/citation.cfm?doid=1083246.1083250.
23. Halfond, W.G.J., Orso, A. & Manolios, P., 2006. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering (SIGSOFT '06/FSE-14), p.175. Available at: http://portal.acm.org/citation.cfm?doid=1181775.1181797.
24. Halfond, W.G.J., Orso, A. & Society, I.C., 2008. WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation. 34(1), pp.65–81.
25. Uzi & Donald, 2003. Web Application Security: A Survey of Prevention Techniques. (June).
26. Janot, E. & Zavarsky, 2008. Preventing SQL Injections in Online Applications: Study, Recommendations and Java Solution Prototype Based on the SQL DOM.
27. Kemalis, K. & Tzouramanis, T., 2008. SQL-IDS: A Specification-based Approach for SQL-Injection Detection. pp.2153–2158.
28. Khoury, N., Zavarsky, P., Lindskog, D. & Ruhl, R., 2011. An Analysis of Black-Box Web Application Security Scanners against Stored SQL Injection. 2011 IEEE Third Int'l Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third Int'l Conference on Social Computing, pp.1095–1101. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6113264.
29. Kie, A., Guo, P.J. & Ernst, M.D., 2009. Automatic Creation of SQL Injection and Cross-Site Scripting Attacks. pp.199–209.
30. Kiezun, A., Guo, P.J., Jayaraman, K. & Ernst, M.D., 2008. Automatic Creation of SQL Injection and Cross-Site Scripting Attacks. Computer Science and Artificial Intelligence Laboratory Technical Report.
31. Kim, J., 2011. Injection Attack Detection Using the Removal of SQL Query Attribute Values. 2011 International Conference on Information Science and Applications, pp.1–7. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5772411.
32. Kindy, D.A. & Pathan, A.K., 2012. A Detailed Survey on Various Aspects of SQL Injection in Web Applications: Vulnerabilities, Innovative Attacks, and Remedies. pp.1–13.
33. Kindy, D.A. & Pathan, A.-S.K., 2011. A survey on SQL injection: Vulnerabilities, attacks, and prevention techniques. 2011 IEEE 15th International Symposium on Consumer Electronics (ISCE), pp.468–471. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5973873.
34. Kosuga, Y., Kono, K., Hanaoka, M., Hishiyama, M. & Takahama, Y., 2007. Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection. Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp.107–117. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=4412981 [Accessed October 9, 2014].
35. Lee, I., Jeong, S., Yeo, S. & Moon, J., 2012. A novel method for SQL injection attack detection based on removing SQL query attribute values. Mathematical and Computer Modelling, 55(1-2), pp.58–68. Available at: http://dx.doi.org/10.1016/j.mcm.2011.01.050.
36. Lu, X., Peltsverger, B., Chen, S., Fu, X., Qian, K. & Tao, L. A Static Analysis Framework For Detecting SQL Injection Vulnerabilities. pp.1–8.
37. Mamadhan, S., Manesh, T. & Paul, V., 2012. SQLStor: Blockage of stored procedure SQL injection attack using dynamic query structure validation. 2012 12th International Conference on Intelligent Systems Design and Applications (ISDA), pp.240–245. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6416544.
38. Martin, M., Livshits, B. & Lam, M.S., 2005. Finding application errors and security flaws using PQL. ACM SIGPLAN Notices, 40, p.365.
39. Medhane, M.H.A.S.P., 2013a. Efficient Solution for SQL Injection Attack Detection and Prevention. (1), pp.395–398.
40. Medhane, M.H.A.S.P., 2013b. R-WASP: Real Time-Web Application SQL Injection Detector and Preventer. (5), pp.327–330.
41. Mishra, N. & Gond, S., 2013. Defenses To Protect Against SQL Injection Attacks. 2(10), pp.3829–3833.
42. Mule, T.S., Mahajan, A.S., Kamble, S. & Khatavkar, O., 2014. Intrusion Protection against SQL Injection And Cross Site Scripting Attacks Using a Reverse Proxy. 5(3), pp.2846–2850.
43. Natarajan, K. & Subramani, S., 2012. Generation of Sql-injection Free Secure Algorithm to Detect and Prevent Sql-Injection Attacks. Procedia Technology, 4, pp.790–796. Available at: http://dx.doi.org/10.1016/j.protcy.2012.05.129.
44. Pietraszek, T. & Vanden Berghe, C., 2006. Context-Sensitive String Evaluation. pp.124–145.
45. Scholte, T., Robertson, W., Balzarotti, D. & Kirda, E., 2012. Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis. 2012 IEEE 36th Annual Computer Software and Applications Conference, pp.233–243. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6340148 [Accessed November 5, 2014].
46. Ezumalai & Aghila, 2009. Combinatorial Approach for Preventing SQL Injection Attacks. (March), pp.6–7.
47. Aich, D., 2009. Secure Query Processing By Blocking SQL Injection. Master of Technology thesis. (May).
48. Servers, A.W.S., 2014. Web Application Attack Report #5. (October).
49. Shahriar, H., Weldemariam, K., Lutellier, T. & Zulkernine, M., 2013. A Model-Based Detection of Vulnerable and Malicious Browser Extensions. 2013 IEEE 7th International Conference on Software Security and Reliability, pp.198–207. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6571710 [Accessed October 6, 2014].
50. Shan, L., Province, J. & Xiaorui, D., 2010. An Adaptive Method Preventing Database from SQL Injection Attacks. (2), pp.352–355.
51. Shar, L.K., Tan, H.B.K. & Briand, L.C., 2013. Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis. 2013 35th International Conference on Software Engineering (ICSE), pp.642–651. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6606610.
52. Shar, L.K. & Tan, H.B.K., 2012. Predicting common web application vulnerabilities from input validation and sanitization code patterns. Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering (ASE 2012), p.310. Available at: http://dl.acm.org/citation.cfm?doid=2351676.2351733.
53. Shrivastava, R., Bhattacharyji, J. & Soni, R., 2012. SQL Injection Attacks in Database Using Web Service: Detection and Prevention – Review. 6, pp.162–165.
54. Srivastava, S., 2012. A Survey On: Attacks due to SQL injection and their prevention method for web application. 3(1), pp.3225–3228.
55. Wei, K. & Muthuprasanna, M., 2006. Preventing SQL injection attacks in stored procedures. Australian Software Engineering Conference (ASWEC'06), p.8 pp.–198. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=1615052.
56. Wei, K., Muthuprasanna, M. & Kothari, S., 2005. Preventing SQL Injection Attacks in Stored Procedures.
57. Xin-hua, Z. & Zhi-jian, 2010. Notice of Retraction: A Static Analysis Tool for Detecting Web Application Injection Vulnerabilities for ASP Program.
58. Yan, Y., Zhengyuan, S. & Zucheng, D., 2011. The database protection system against SQL attacks. 2011 3rd International Conference on Computer Research and Development, pp.99–102. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5764254.
59. Zheng, Y. & Zhang, X., 2013. Path sensitive static analysis of web applications for remote code execution vulnerability detection. 2013 35th International Conference on Software Engineering (ICSE), pp.652–661. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6606611.
60. OWASP, 2013. Top 10 Risks 2013. [Online] Available at: https://www.owasp.org/index.php/Top_10_2013-Top_10