Jun. 30 IJASCSE Vol 1 Issue 1 2012

Framework of SQL Injection Attack

Neha Patwari, Parvati Bhurani

Abstract

With the changing demographics of globalization, the emergence and prevalence of web applications have acquired a central and pivotal role in the domains of technology and advancement. It thus becomes imperative to probe deeply into their architecture, significance and different facets of usage. Web applications enclose the functioning between a user and the services provided by the server, which contains a database as its backend. The user can access the required information by sending a request in the form of text to the web server, which is interpreted by the server-side script to construct an SQL query. The query is sent to the database, which responds in order to generate an HTML page that is sent back to the user. Since the functioning of a web application is a dynamic and complicated matter, certain threats to database security have been registered. One such alarming threat is the prevalence of SQL Injection Attacks. Hence a dynamic algorithm is given in this paper for preventing SQL Injection Attacks which is based on context-free grammars and compiler parsing techniques. The paper attempts to present the notion of a SQLI Prevent Parser for the prevention of SQL Injection Attacks. This parser determines the structure of queries and compares whether the queries are functionally equivalent or not. The parser has been used on a sample web application and the results have come out positive as a measure to prevent SQL Injection Attacks.

I. Introduction

There has been a rapid advancement in information technology as a result of the widespread use of the internet over the past few years. The common man today uses the internet for a number of purposes, such as in the field of education, for money transactions and countless other activities. There is, however, also an inherent risk in the frequent use of the internet, as found in transferring money from one bank account to another or in the confidential databases of companies. Secure websites store highly sensitive information along with non-critical data in their database systems in such a way that the owner of the information is able to access it quickly while attackers or unauthorized users are blocked in their attempts to access the information.

Hence we have to understand the architecture of a web application: a web application accepts requests from users in order to gather information from a database. It is assumed
that the input is correct, and it is thus used to access the database by creating an SQL query. These web applications become virtually prone to SQL injection attacks since they do not check the validity of the user queries before submitting them to gather the data. For example, attackers pretending to be genuine users utilize maliciously created input text which contains SQL instructions in order to produce SQL queries on the web application back-end. In case the web application processes the query, the accepted malicious query may breach the security net of the underlying database. As a consequence of the query there occurs an improper functioning of the database parser which results in the release of sensitive information [1].

In order to have access to the sensitive information in the database, a general break-in strategy is to first create a query which will corrupt the functioning of the database parser, and then forward this query through the application to the targeted database. This type of approach to gaining access to private information is known as SQL injection. SQL injection has now become a common occurrence due to the easy access to databases via the internet. It is equally necessary to have a deep understanding of the types of communication which occur during a particular session between a web application and a user in order to have a better understanding of SQL injection.

II. Overview of SQL Injection

A web application is one through which a user can access the services provided by the web server while working on a client machine; the server contains a database, for example for an online email account. The user enters a login name and password to access the email account. As he presses the submit button a URL is created and sent to the web server. The server-side script interprets the user input, due to which a dynamic SQL query is created. It is submitted to the database and HTML pages are generated in response to the query, which are sent back to the user. When a particular section of database query code is submitted by a malicious attacker to the server, and the server, while responding with the corresponding result, discloses some sensitive information, this is categorized as an SQL injection attack. An SQL injection attack consists of the injection of an SQL query into the application through the input data from the client. If a successful SQL injection can read and modify the data in the database (Insert/Update/Delete), it means that an SQL injection attack has taken place. When the intended effect of an SQL query is modified by an attacker inserting new SQL keywords or operators into the query, the following are the qualities of SQL injection attacks:
i) Threat Modelling ii) Attack Intent iii) Assets

III. Working of SQL Injection

The concept driving an SQL injection is simple; above all, attacks like these can be executed and mastered with ease. To exploit an SQL injection weakness, the basic requirement for the attacker is to identify the working of the web application. A malicious SQL command can be carefully inserted into the content of the criteria, empowering the attacker to trick the web application so that a malicious query is forwarded to the database.

E.g. the LOGIN FORM which accepts the username and password for login. The input in the fields ("name" and "password") is directly used to create the SQL query like:

    SELECT * FROM login WHERE name = 'name' AND password = 'password';

Now, let the user input the correct name = "Administrator" and password = "admin". The query will become:

    SELECT * FROM login WHERE name = 'Administrator' AND password = 'admin';

This will function without any problem. In case the user supplied some vulnerable string of code, that would empower the attacker to bypass the authentication and create an SQL injection so that he finds out the relevant information from the database. I.e., if the user inputs username = ' OR 1=1-- then the query will be forwarded as:

    SELECT * FROM login WHERE name = '' OR 1=1--' AND password = '';

It will work as specified below. The input data is used in the WHERE clause. Since the application is not actually concerned about the query, simply tailoring a string, the user has converted a single-component WHERE clause into a two-component clause, and this makes it certain that the 1=1 clause will be true notwithstanding what the first clause is. The query now says "Select everything from the table login if the name equals "nothing" OR 1=1", and ignores anything after the comment.

' : Is used to close the user input field.
OR : The SQL query will continue to be processed as equal to what precedes OR what follows.
1=1 : A statement which is always true.
-- : Discards the rest of the line in order to stop further processing.

Noticing that 1 will always equal 1, the server has been virtually duped, as the statement received is true, and this empowers the attacker to have additional access. The code which relates to the password input field is not run by the server and therefore it does not use it [2].

IV. Types of SQL Injection Attacks

Divergent types of advanced and powerful techniques have been developed by attackers over the past several years which empower them to exploit SQL injection vulnerabilities. These techniques are much more advanced than the generic SQL injection attack examples and derive their benefit from sophisticated SQL designs. These threats must be taken into account while working on the development of SQL injection attack prevention.

An SQL injection proneness can be exploited by the attacker once he has detected the input source; for this purpose the attacker can utilize various types of techniques. As per the type and extent of the proneness, the attack can lead to crashing the database or collecting the relevant information regarding the tables in the database. Given below is a synopsis of the main techniques of performing SQL injection attacks. An isolated attack is not the general phenomenon; instead a combination of attacks is used, either simultaneously or sequentially, as per the desired target of the attacker.

First Order Attacks

In some attacks the desired result is immediately received by the attacker. This may be due to the direct response of the application with which they are interacting, or it may be via some other response mechanism, for example e-mail. If any of the types of attack mentioned below is performed directly in a text field and provides important information or data from the response, then such a type of attack is called a First Order Attack or Direct Injection.

In the case of direct injection the SQL query will use each argument submitted as such, without any modification. For example, attempt to take a parameter's legitimate value and append a space along with the word "OR" to it. In case an error is generated by this, a direct injection is possible.

First order attacks are basically performed through the SELECT query which is used in the application for retrieving information.

Tautology Queries

Attack Intent: Bypassing authentication, retrieving data, identifying injectable parameters.

Description: The normal aim of this type of attack is to inject code into one or more conditional statements due to which the statements are always evaluated to be true. The results of this type of attack depend on the way in which the application uses the outcome of the query. The most common purpose is to skip the authentication route and extract data. An attacker exploits an injectable area
under this type of injection which is utilized in a query's WHERE conditional. The transformation of the conditional into a tautology results in returning all the rows in the database table being targeted by the query. For the attack to be fruitful the code must either display all of the returned records or must perform some action so long as at least one record is returned.

Ex: Let there be an input form with the fields "name" and "password". Using this a user can log in to the web application. The PHP code given below for the application server, created by a web application developer, has an inherent weakness for SQL injection attack:

    $connection = mysql_connect();
    mysql_select_db("sample");
    $u_user1_name = $HTTP_GET_VARS['name'];
    $p_pass1_name = $HTTP_GET_VARS['password'];
    $query = "select * from login_table_ll where name='$u_user1_name' and password='$p_pass1_name'";
    $result = mysql_query($query);
    if (mysql_num_rows($result) == 1) echo "Authorized"; else echo "authorization failed";

User data entered in the web form are assigned to the variables "u_user1_name" and "p_pass1_name" and then utilized to produce the SQL statement.

Query (i) given below is generated after a genuine user enters the valid name 'adminstrator1_ad' and valid password 'admin1_ad'.

    Query = "select * from login_table_ll where name='adminstrator1_ad' and password='admin1_ad'";    ---- (i)

If an attacker writes ' or 1=1--' in the name field (the input entered for the other fields is immaterial), leaving the password field empty, the structure of the SQL query will be changed. Query (ii) given below is generated by the attacker's SQL injection.

    Query = "select * from login_table_ll where name='' or 1=1--' and password=''";    ---- (ii)

The complete WHERE clause is transformed into a tautology by the code injected in the conditional (' OR 1=1--). The conditional is used by the database as the basis on which to evaluate each row and to decide which is to be returned to the application. As the conditional is a tautology, the query evaluates to true for each row in the table and so all of them are returned [3].

Illegal/Logically Incorrect Queries

Attack Intent: Retrieving data, identifying injectable parameters, performing database finger-printing.

Description: This category of attack allows the attacker to collect the relevant information on the type and structure of the back-end database of a web application.
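The vulnerable login code of the tautology example and the error-message leak of illegal queries, rebuilt as an added example in Python on SQLite (not the paper's PHP code): the concatenated form is bypassed by the tautology of query (ii) and raises a parser error on a lone quote, while the parameterised form returns no rows for both. Table, column and credential names are the paper's; the two rows and the function names are constructed for the example.

```python
import sqlite3

# Added example, not the paper's PHP code: the login check of the tautology
# example rebuilt on an in-memory SQLite table, once by string concatenation as
# the PHP code does and once as a parameterised statement. Table, column and
# credential names are the paper's; the two rows are constructed for the example.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_table_ll (name TEXT, password TEXT)")
    db.executemany("INSERT INTO login_table_ll VALUES (?, ?)",
                   [("adminstrator1_ad", "admin1_ad"), ("bob", "hunter2")])
    return db


def login_concat(db, name, password):
    """Vulnerable: the request values are pasted into the SQL text, so the
    tautology of query (ii) rewrites the WHERE clause, and a lone quote produces
    a parser error whose text is what the Illegal Queries attack reads."""
    query = ("select * from login_table_ll where name='" + name
             + "' and password='" + password + "'")
    return sorted(row[0] for row in db.execute(query))


def login_param(db, name, password):
    """Hardened: the statement text is fixed and the values travel separately
    as parameters, so input can never change the query's syntactic structure."""
    query = "select * from login_table_ll where name=? and password=?"
    return sorted(row[0] for row in db.execute(query, (name, password)))


def attempt(fn, db, name, password):
    """Run one login function; report ('rows', names) or ('error', message)."""
    try:
        return "rows", fn(db, name, password)
    except sqlite3.Error as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = make_db()
    for name, password in [("adminstrator1_ad", "admin1_ad"),
                           ("' or 1=1--", ""), ("'", "")]:
        print(repr(name), attempt(login_concat, db, name, password),
              attempt(login_param, db, name, password))
```

Note that the PHP code's `mysql_num_rows($result) == 1` test happens to fail when the tautology returns more than one row; the check a real application makes is usually "at least one row", which is why the paper asks only that at least one record be returned.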

The main aim of this attack is to gather information for further attacks, and it is treated as a preliminary step. These attacks pinpoint a weakness due to which the application server returns the default error page, which often contains an over-detailed description. The vulnerable or injectable parameters can be revealed to the attacker due to the simple fact that error messages are being generated. The additional error information, which was fundamentally aimed at assisting the programmer to repair or correct their application, further empowers the attacker to access information related to the schema of the back-end database. While working on this type of attack, he tries to inject statements which can result in a syntax error, a type conversion error, or a logical error in the database. The injectable parameters can be detected by using the syntax errors. The deduction of the data types of certain columns or the extraction of data can be done by using the type errors. The names of the tables and columns causing the errors can often be revealed by logical errors.

Example: In case the syntax error contains parentheses in the cited string (for example the SQL Server message used in the illustration given below), or a message is generated which clearly mentions missing parentheses, a parenthesis must be added to the bad value part of the injection, and one to the WHERE clause. In a few cases two or more parentheses may be required. Here's the code:

    mySQL = "SELECT Last_name1_l, First_name1_f, Title_t1_t, Notes_n1_n FROM Employee_Table1_e WHERE City_name1_c = ('" & strCity & "')"

When an attacker inserts ' then the query is built as:

    SELECT Last_name1_l, First_name1_f, Title_t1_t, Notes_n1_n FROM Employee_Table1_e WHERE City_name1_c = (''')

Then the error generated is:

    Error Type:
    Microsoft OLE DB Provider for ODBC Driver [Microsoft][SQL Server] Unclosed Parentheses mark before the Character String "'"

From the error generated, the attacker knows that parentheses are used here. Hence, the attacker tries to inject the value ') ('UNION SELECT another field FROM another table), and this query will be forwarded to the server:

    SELECT Last_name1_l, First_name1_f, Title_t1_t, Notes_n1_n FROM Employee_Table1_e WHERE City_name1_c = (' ') ('UNION SELECT another field from another Table ');

Through the errors generated, the attacker gets to know a lot of useful data through various steps. Hence, by the use of error messages, the attacker gets information [4].

Union Queries

Attack Intent: Bypassing authentication, extracting data.

Description: In such attacks the weaker parameters are exploited by the attacker with a view to transforming the data set returned for a specific query. This technique allows the attacker to fool the application into giving back data not from the table intended by the developer but from another, unintended table.

The attacker performs it by introducing a statement of the form: ' UNION SELECT <remainder of injected query>. Since the second (injected) query is totally controlled by the attacker, it can be used to retrieve information from a particular table. This attack results in a dataset from the database which is the collective result of the original query and the injected query.

Example: Referring to the running example, an attacker could introduce the text "'UNION SELECT card_no1_c from Debit_Card1_d where accountNo1_a=100--" into the login1_area field, leading to the generation of the following query:

    SELECT bank_accounts FROM users1 WHERE login1_area = '' UNION SELECT card_no1_c from Debit_Card1_d where accountNo1_a = 100 -- AND pass='';

Predicting that there is no login1_area equal to "", a null set is returned by the first (original) query, while the data from the "Debit_Card1_d" table is returned by the second query. For account "100" the column "card_no1_c" would be returned by the database in this case. The results obtained from these queries are combined and returned to the application [3].

Second Order Attacks

In this type of attack, when the malicious code is injected into the web-based application, instead of being immediately executed it is stored by the web application, i.e. it is first stored in the database, to be retrieved, rendered or executed by the victim later. This category of attack happens because of the notion that when data is contained in the database, it is often supposed to be clean and need not be checked again, while due to the frequent use of the data in queries it is still able to harm the web application. This type of attack happens in cases where the filtering process is skipped during data insertion in a search page. We should apply filtering for special characters before storing data in databases, so that no special characters are allowed for insertion in the database. It is inherently performed through the INSERT basics which are used in the application. The INSERT keyword is used to add information to the database. In the case of web applications this keyword is used for
user registration, bulletin board inclusion, adding items to shopping carts, etc. While trying an INSERT injection it could result in the flooding of the rows in the database with single quotes and SQL keywords. As per the attentiveness of the administrator it can be evaluated what is to be done with the information. For example, the user is on a site on which user registration of some kind is allowed. A form is provided in which the user has to enter name, address, phone number, etc. As the information is submitted in the form, a page is generated where this information is displayed along with an option to edit the information. This is what is required by the user. Thus after the process of insertion the required data can be modified and updated. Thus in case some malicious data is inserted in the database by the attacker, the data can be updated as per the desire of the attacker.

The Piggybacked Query attack is an example of a Second Order Attack [5].

Piggybacked Queries

Attack Intent: Inserting or updating data, performing denial of service.

Description: In this category of attack, the attacker tries to inject queries into the original query. These kinds of attacks, in contrast to the other types of attacks, instead of modifying the original intended query try to insert new and distinct queries that "piggy-back" on the original query. This results in multiple SQL queries to the database. The initiating query (intended query) is executed as normal while the remaining queries are injected queries, executed along with the initiating query. An attack of this category is highly fatal. In case an attacker succeeds in this attack he can virtually insert any sort of SQL command in the additional queries and is able to execute them along with the initiating query. This kind of vulnerability is often due to a database configuration via which multiple statements can be submitted in a single string.

Example: If the attacker inputs "'; drop table login ;" into the password field, the application generates the query:

    SELECT * FROM login WHERE name='admin' AND password=''; drop table login ;

As the first query is completed by the query delimiter (";"), the second query is executed by the database. The effect of the execution of the second query would be to drop the table login, which may lead to the destruction of valuable data [6].

V. Prevention Methodology

The methodology which has been used to prevent SQL injection attacks is the merging of SQLIPreventParser with the application, therefore protecting
9. Jun. 30 IJASCSE Vol 1 Issue 1 2012
WHERE clause into a tautology of code
injected in the conditional statement(’
against any attacks. Firstly SQLI OR 1=1 –). The conditional used by
Prevent Parser has been built which is database to evaluate each row and
used to determines the structure of the decide the rows to return to the
query. Then limitations of the method application. Since conditional is a
are identified. Finally, the solution to tautology, query evaluates each row in
overcome the problems has been the table as true and returns all of them
proposed making the system fully to application. The problem is reckoned
efficient. by taking into consideration its cause:
Approach The detailed information of the program
is that the substrings are taken from
The developer built a data structure for user input and the substrings are
the parsed representation of the restrained syntactically. The concept is
statement, which is called a parser. For to restrict queries in which the input
parsing, we require the grammar substring modifies the syntactic
language of statement. In this method, structure of the remaining query. Such
by parsing two statements and queries are called SQL injection attacks
comparing their parser functionality, it in the perspective of database back-
leads to conclusion that the two queries ends.
are equal. When sql is injected
successfully in database query, the The user’s intake is visualized by using
parser of the intended SQL query and meta-character displayed as ‘(|’ and ‘|)’.
the resulting SQL query is generated It allegorizes the commencement and
after mismatch of attacker’s input. ending of each input string. This meta
character follow the string through
The SQL Query is: assignments, concatenations, etc., thus
SELECT * FROM login WHERE login as a query is ready to be transferred to
name=‘ ’ AND password=‘ ’; database, it contains matching pair of
Web applications have SQL injection markers identifying the substrings from
vulnerabilities because inputs are not input. We should refuse to introduce
sanitized which they use to construct input substrings from modification of the
structured output. syntactic structure of the remaining of
the query. For this grammar for queries
If an attacker passes name = ’ OR 1=1– as per the standard grammar for SQL
as the login name, all login name in the queries is build up. In the grammar, the
database will be returned and displayed, only productions in which ‘(|’ and ‘|)’
reason being transformation of entire occur have the following form:

    NonTerminal ::= '(|' symbol '|)'

where symbol is either a terminal or a non-terminal.

For a query to be in the language of this grammar, the substrings surrounded by '(|' and '|)' must be syntactic units. A parser generator is used to build a parser for the grammar and each query is attempted to be parsed. In case the query is parsed successfully, it meets the syntactic constraints and is legitimate. Conversely, if it fails the syntactic constraints, it may be an SQL injection attack.

After SQL Prevent Parser is built using the grammar of the output language, and a policy is specified that permits syntactic forms, it remains on the web server and intercepts generated queries. Each input which is to be propagated into some query, notwithstanding the input's source, gets augmented with the meta-characters '(|' and '|)'. Then the query is generated by the application, which SQLIPreventParser attempts to parse. If a query parses successfully, SQLI Prevent Parser sends it to the database without the meta-characters. Otherwise, the query is blocked.

VI. Limitation

This solution can be overcome in either of two ways:

1. If the attacker is somehow able to detect the delimiter used, it would require only a slight modification of the query to break this protection.
2. The attacker may simply use a brute force attack to try out all possible combinations (to guess the correct delimiter combination).

VII. Solution

The original solution, where we use a static delimiter, is upgraded to circumvent potential security leaks, hence the implementation of dynamically changing the delimiter combination for every variable field and not using the same delimiter blend for two consecutive variable fields, or in the same field, in the web application. As a result of this modification to the original algorithm, the attacker will have to correctly guess the exact sequence of delimiters used in order to bypass the parser's security system. Since the delimiter blend is cycled randomly, this will not be easily possible. By this proposed method the static delimiter has been made dynamic. This solution makes the parser more secure than before.

Figure 3.3 shows the basic structure of the work, where the user input is interpreted by the web application. In the web application the concept of the dynamic delimiter has been used so that the attacker is unable to guess the sequence of the
delimiter; here even the user has no idea about the sequence of the delimiter. Hence in the given application the limitation of the static delimiter has been eliminated.

Figure 3.3: Work Architecture.

If the user puts in any input using the delimiter, for example x|)' OR '(| 1 = 1, then it will be checked at the application itself and the error is reported there. Now from the application the query is sent to the parser. The Parser determines the structure of the SQL query and the input variables. The Parser compares whether both queries (meaning the query at the application and the query at the Parser) are functionally equivalent or not. In case both queries are functionally equivalent, the query reaches the database; then the response is taken from the database, which is generated as an HTML page and sent to the user [1].

VII. Result

This paper presents the first overview of SQL injection attacks in web applications. According to the presented paper an effective technique has been developed for preventing SQL injection attacks. The implementation on a web application, with the parser built on JavaCC [7], proved effective under testing. Diligent efforts have been made in applying the parser to the web application and producing output. The result of evaluation and testing proves that the proposed method is an effective technique to prevent SQL Injection Attacks.

In this work it has been managed to prevent SQL injection attacks through:

• Tautology Queries
• Union Queries
• Illegal/Logically Incorrect Queries
• Piggybacked Queries
• SQLIPreventParser has been built for SQL constraints

Following are the two goals for future work:

1. The parser is to be more generalized for the maximum number of SQL commands.
2. The technique can be applied to prevent cross-site scripting.

VIII. References

[1] Zhendong Su. The essence of command injection attacks in web applications. Pages 372–382, ACM Press, 2006.
[2] Chris Anley. Advanced SQL injection in SQL Server applications. An NGSSoftware Insight Security Research (NISR) Publication, 2002.
[3] J. Viegas, William G. J. Halfond. A classification of SQL injection attacks and countermeasures. In IEEE, 2009.
[4] SQL Injection, Are Your Web Applications Vulnerable? http://www.securitydocs.com/library/2656/.
[5] SQL Injection Attack and Defense. http://www.securitydocs.com/library/3587/.
[6] D. K. Bhattacharyya, Debasish Das, Utpal Sharma. An approach to detection of SQL injection attack based on dynamic query matching. International Journal of Computer Applications (0975-8887), volume 1, no. 25, 2010.
[7] JavaCC FAQ. http://www.engr.mun.ca/~theo/JavaCC-FAQ/javacc-faq-moz.htm.
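The delimiter check of Sections V and VII, as an added example that is not the paper's JavaCC implementation: a token-level Python model that wraps each input in its markers, draws a fresh random delimiter pair per field (the dynamic delimiter of Section VII), rejects at the application any input that itself carries a marker (the x|)' OR '(| 1 = 1 case), and lets a query through only when every marked substring is one complete syntactic unit. The token grammar is a simplified SQL subset assumed for the example; guard_login, mark and sqli_prevent_check are names chosen here.

```python
import re
import secrets

# Added example, not the paper's JavaCC parser: a token-level model of the
# SQLIPreventParser check (Sections V and VII). Each user input is wrapped in
# the meta-characters '(|' ... '|)' extended with a random per-field tag
# (dynamic delimiters), and the query passes only if every marked substring is
# one complete syntactic unit: a whole number, or the content of one literal.

TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'          |   # string literal, '' escapes a quote
    \d+                     |   # integer literal
    --[^\n]*                |   # line comment
    [A-Za-z_][A-Za-z0-9_]*  |   # identifier or keyword
    [=<>!;(),*.]            |   # punctuation
    \s+                         # whitespace
""", re.VERBOSE)


def tokenize(sql):
    """(start, end, text) per token; None on a lexical error such as an unclosed quote."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            return None
        tokens.append((m.start(), m.end(), m.group()))
        pos = m.end()
    return tokens


def fresh_delimiters(previous=None):
    """Random delimiter pair, never the same as the previous field's (Section VII)."""
    while True:
        tag = secrets.token_hex(4)
        pair = ("(|" + tag, tag + "|)")
        if pair != previous:
            return pair


def mark(value, delims):
    """Application side: input carrying a marker sequence (the x|)' OR '(| 1 = 1 case) is rejected."""
    if "(|" in value or "|)" in value:
        raise ValueError("input contains delimiter sequence")
    return delims[0] + value + delims[1]


def sqli_prevent_check(augmented, delim_pairs):
    """Parser side: strip the markers and accept only if each input range is one unit."""
    spans, plain, i = [], "", 0
    while i < len(augmented):
        for opener, closer in delim_pairs:
            if augmented.startswith(opener, i):
                end = augmented.find(closer, i + len(opener))
                if end < 0:
                    return False, "unterminated marker"
                spans.append((len(plain), len(plain) + end - i - len(opener)))
                plain += augmented[i + len(opener):end]
                i = end + len(closer)
                break
        else:
            plain += augmented[i]
            i += 1
    tokens = tokenize(plain)
    if tokens is None:
        return False, "lexical error"          # e.g. a lone quote: illegal query
    for s, e in spans:
        unit = any((ts == s and te == e and text[0].isdigit())    # a whole number
                   or (text[0] == "'" and ts < s and e < te)      # inside one literal
                   for ts, te, text in tokens)
        if not unit:
            return False, "input crosses syntactic boundary"
    return True, plain                          # forwarded without meta-characters


def guard_login(name, password):
    """The paper's login statement built by concatenation as the PHP code does,
    with each field marked and the result checked; returns (accepted, query or reason)."""
    d1 = fresh_delimiters()
    d2 = fresh_delimiters(previous=d1)
    try:
        augmented = ("SELECT * FROM login WHERE name='" + mark(name, d1)
                     + "' AND password='" + mark(password, d2) + "';")
    except ValueError as exc:
        return False, str(exc)
    return sqli_prevent_check(augmented, [d1, d2])
```

The tautology, union and piggybacked inputs from Sections III and IV are all refused because the marked substring starts inside one string literal and ends outside it (or leaves a quote unclosed), while a genuine name such as Administrator lies wholly within a single literal and is forwarded without the markers.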