The Internet has eased human life in numerous ways, but drawbacks such as the intrusions that come attached to Internet applications sustain the growth of these applications. Hackers keep finding new methods to intrude into applications, and the number of reported web application vulnerabilities is increasing year after year. One such major vulnerability is the SQL Injection attack (SQLIA). Since SQLIA contributes 25% of the total Internet attacks, much research is being carried out in this area. In this paper we propose a method to detect SQL injection. We deploy a reverse proxy that uses an input-data cleansing algorithm to mitigate SQL Injection Attacks. The system has been tested on standard test-bed applications, and our work has shown significant improvement in detecting and curbing SQLIA.
Prevention of SQL injection in E-Commerce (ijceronline)
Structured Query Language (SQL) injection has emerged, in the present scenario, as one of the most challenging threats to online business, as it can expose all of the sensitive business-transaction information stored in an online database, including the most highly protected data such as credit card passwords, usernames, login ids, credentials, phone numbers, email ids, etc. SQL injection remains a liability whenever an intruder gains the ability to influence the SQL queries that are passed to a back-end database. A query passed by the intruder to the data layer can reach data that is an assisting element of the database and the underlying operating system. Every SQL query that accepts input from the attacker's side can compromise our real web application. An intruder who attempts to insert a defective SQL query into an entry field, so that they can dump or alter the database, is using what is known as a "code injection technique"; this type of attack is also called an attack vector for websites and can be used against any type of SQL database. Through this research paper, our endeavour is to understand the methodology of SQL injection and also to propose a solution to prevent SQL injection in one of the most vulnerable fields, E-commerce.
SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site (ijtsrd)
Structured Query Language (SQL) Injection is a code injection technique that exploits a security vulnerability occurring in the database layer of web applications [8]. According to the Open Web Application Security Project (OWASP), SQL Injection is one of the top 10 web-based attacks [10]. This paper shows the basics of the SQL Injection attack and the types of SQL Injection Attack according to their classification. It also surveys different SQL Injection attack detection and prevention techniques. At the end of the paper, a comparison of the different SQL Injection Attack detection and prevention techniques is shown. Mr. Vishal Andodariya, "SQL Injection Attack Detection and Prevention Techniques to Secure Web-Site", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-2, Issue-4, June 2018, URL: http://www.ijtsrd.com/papers/ijtsrd13034.pdf http://www.ijtsrd.com/computer-science/computer-security/13034/sql-injection-attack-detection-and-prevention-techniques-to-secure-web-site/mr-vishal-andodariya
Devoid Web Application From SQL Injection Attack (IJRESJOURNAL)
ABSTRACT: The entire field of web-based applications is controlled by the internet. In every region, the World Wide Web is hugely necessary, so network assurance is a demanding job for us. Several kinds of attackers or application programmers attempt to break the immunity of information and destroy the instructions composed in the database. The SQL Injection Attack is a very large security risk in the present day. The indicated attacks give an attacker unlimited access to the database, or even authority over the databases that drive web-based applications and manage conscious and secret records, by putting in an injurious SQL query to modify the expected function. Many database reviewers and theorists give distinct concepts to avoid SQL Injection Attacks, but none of the concepts is completely adaptable. This research introduces a new framework for protecting web-based applications from the SQL Injection Attack. The framework presented in this research is based on two techniques known as SQM (SQL Query Monitor) and Sanitization Application. That is a two-way filter program which analyses the user query and generates a separate key for the user before it is sent to the application server. Several aspects of the SQL Injection Attack are also discussed in this research.
INTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARD (IJCI JOURNAL)
Today, people's use of distinct internet services and their applications is increasing in very large amounts. Due to this usage, data complexity increases. So web services have turned their focus to a multi-tier design where the web server acts as the front-end and the database server acts as the back-end. Attackers try to hack personal data by targeting the database server, hence there is a need to provide more security to both the web server and the database server. In this paper, the DoubleGuard system proposes an efficient intrusion detection and prevention system which detects and prevents various attacks in multi-tier web applications. This IDS keeps track of all user sessions across both the web server and the database server. For this, it allocates a dedicated web container to each user's session. Each user is associated with a unique session ID, which enhances security. The system builds a well-correlated model for the website and detects and prevents various types of attacks. The system is implemented using the Apache web server with MySQL.
The International Journal of Engineering and Science (The IJES) (theijes)
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
SQL injection is the most susceptible attack in today's era of web applications; it attacks the database to gain unauthorized and illicit access. It works as an intermediary between the web application and the database. Most of the time, the SQL injection is fired by well-known people who previously worked in the organisation on the present database. Today an organisation's major concern is to stop SQL injection because it is the major vulnerable attack on the database. SQLI attacks target databases that are reachable through a web front end. The SQLI prevention technique efficiently blocked all of the attacks without generating any false positives. In this paper we present different techniques and tools which can prevent various attacks.
This paper presents a comparative analysis of various machine learning classification models for structured query language injection prevention. The objective is to identify the best-performing model in terms of accuracy on a given dataset. The study utilizes popular classifiers such as Logistic Regression, Naive Bayes, Decision Tree, Random Forest, K-Nearest Neighbors, and Support Vector Machine. Based on the tests used to evaluate the performance of the classifiers, the Naïve Bayes gets the highest level of accurate detection. The results show a 97.06% detection rate for the Naïve Bayes, followed by Logistic Regression (0.9610), Support Vector Machine (0.9586), Random Forest (0.9530), Decision Tree (0.9069), and K-Nearest Neighbor (0.6937). The code snippet provided demonstrates the implementation and evaluation of these models.
Nowadays, in the world of the information era, we can get information with a single click by using web applications. Web applications are popular due to the ubiquity of web browsers and the convenience of using a web browser as a client, sometimes called a thin client. They play a major role in this; every organization is mapping its business from a room to the world with the help of these web applications. They consist of a three-tier structural design where the database is the third pole, which is the most valuable asset in any organization. As the adoption of web applications increases day by day, various attacks become possible and increase day by day. An attack which directly compromises the database, and is the most threatening attack, is called SQL injection. Various vulnerability scanners have been proposed to deal with this attack, but none of them is able to detect SQLI completely. Many tools have a very low accuracy ratio as well as producing a high rate of false positives; apart from that, all these tools take much time to scan. To avoid these problems and detect SQLI completely we present NVS, a Network-Based Vulnerability Scanner approach, which provides better coverage with no false positives in a short span of time.
International Journal of Computer Science, Engineering and Information Techno... (ijcseit)
International Journal of Computer Science, Engineering and Information Technology (IJCSEIT) will provide an excellent international forum for sharing knowledge and results in theory, methodology and applications of Computer Science, Engineering and Information Technology. The Journal looks for significant contributions to all major fields of the Computer Science and Information Technology in theoretical and practical aspects. The aim of the Journal is to provide a platform to the researchers and practitioners from both academia as well as industry to meet and share cutting-edge development in the field.
SQLAS tool to detect and prevent attacks in PHP web applications (ijsptm)
Web applications have become an important part of our daily lives. Many other activities rely on the functionality and security of these applications. Web application injection attacks, such as SQL injection (SQLIA), Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF), are major threats to the security of web applications. Most methods focus on detection and prevention of these web application vulnerabilities at run time, which needs manual monitoring effort. The main goal of our work is different in that it aims to create new systems that are safe against injection attacks to begin with, thus allowing developers the freedom to write and execute code without having to worry about these attacks. In this paper we present SQL Attack Scanner (SQLAS), a tool which can detect and prevent SQL injection attacks in web applications. We analyzed the performance of our proposed tool SQLAS with various PHP web applications, and the results clearly demonstrate the effectiveness of the detection and prevention of our proposed tool. SQLAS scans web applications offline; it reduces time and manual effort, with less overhead than runtime monitoring, because it focuses only on fragments that are vulnerable to attacks. We use XAMPP for the client-server environment and developed a TESTBED in JAVA for the evaluation of our proposed tool SQLAS.
IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com
Attacks on web services need to secure XML on web (cseij)
Web services are the newest mechanism of communication among applications. Web services are independent of both hardware and software infrastructure; they are very flexible and scalable. The lack of security features provided by web services creates a window of opportunity for attackers. Web services are offered over HTTP with the Simple Object Access Protocol (SOAP) as the underlying infrastructure. Both SOAP and web services rely heavily on XML; hence, web services are most vulnerable to attacks using XML as the attack parameter. Several attacks use XML, and most of them lie in the category of XML injection. The XML-based attacks discussed in this study cover a variety of attacks, for example Denial of Service, Data Theft, escalation of privileges, etc. Among these attacks, the injection attacks on web services are more severe and are given special attention. This study is aimed at providing an insight into the various forms of XML injection such as XPath injection, Coercive Parsing, and oversize payload.
Intrusion detection architecture for different network attacks (eSAT Journals)
Abstract: Nowadays most work is carried out over the internet, so web applications have become an important part of today's life, such as online banking, social networking, online shopping, and enabling communication and management of personal information. Web services have now shifted to a multi-tier design to accommodate this increase in web application and data complexity. Due to this high use of web applications, network attacks with malicious purpose have increased. DoubleGuard is an Intrusion Detection System that helps to detect and prevent network attacks. DoubleGuard is able to find attacks after checking web and database requests. Along with this, this paper adds one more level, the admin, which is responsible for training the system, log generation, the blacklist and employee entry. This IDS provides security to protect both the web server and the database server. Key Words: DoubleGuard; Web Application; Multitier; IDS; Attacks.
A hybrid technique for SQL injection attacks detection and prevention (ijdms)
SQL injection is a type of attack used to gain, manipulate, or delete information in any data-driven system, whether this system is online or offline and whether it is web or non-web-based. It is distinguished by the multiplicity of its performing methods, so defense techniques could not detect or prevent such attacks. The main objective of this paper is to create a reliable and accurate hybrid technique that secures systems from being exploited by SQL injection attacks. This hybrid technique combines static and runtime SQL query analysis to create a defense strategy that can detect and prevent various types of SQL injection attacks. To evaluate the suggested technique, a large set of SQL queries has been executed through a simulation that was developed. The results indicate that the suggested technique is reliable and more effective in capturing more SQL injection types compared to other SQL injection detection methods.
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje... (Yuji Kosuga)
With the recent rapid increase in interactive web applications that employ back-end database services, the SQL injection attack has become one of the most serious security threats. The SQL injection attack allows an attacker to access the underlying database, execute arbitrary commands at intent, and receive a dynamically generated output, such as HTML web pages. In this paper, we present our technique, Sania, for detecting SQL injection vulnerabilities in web applications during the development and debugging phases. Sania intercepts the SQL queries between a web application and a database, and automatically generates elaborate attacks according to the syntax and semantics of the potentially vulnerable spots in the SQL queries. In addition, Sania compares the parse trees of the intended SQL query and those resulting after an attack to assess the safety of these spots. We evaluated our technique using real-world web applications and found that our solution is efficient in comparison with a popular web application vulnerability scanner. We also found a vulnerability in a product that was just about to be released.
Routine Detection Of Web Application Defence Flaws (IJTET Journal)
Abstract— The detection process for security vulnerabilities in ASP.NET websites / web applications is a complex one; most of the code is written by somebody else and there is no documentation to determine the purpose of the source code. The characteristics of source code defects generate major web application vulnerabilities. The typical software faults that are behind web application vulnerabilities are considered across different programming languages to analyze their ability to prevent security vulnerabilities. ASP.NET, which is part of the .NET framework, separates the HTML code from the programming code in two files: an aspx file and another for the programming code. It depends on the compiled language (Visual Basic VB, C sharp C#, JavaScript). Visual Basic and C# are the most common languages used with ASP.NET files, and these two compiled languages, in addition to aspx files, are covered by our proposed algorithm. The hacker can inject malicious input or a script that can destroy the database or steal website files. By using a scanning tool the fault detection process can be done. The scanning process inspects three types of files (aspx, VB and C#); then the software faults are identified. In the fault recovery process the prepared replacement statement technique is used to detect the vulnerabilities and recover from them with high efficiency, and it provides suggestions; then a report is generated, which helps to improve the overall security of the system.
A hybrid technique for sql injection attacks detection and preventionijdms
SQL injection is a type of attacks used to gain, manipulate, or delete information in any data-driven system
whether this system is online or offline and whether this system is a web or non-web-based. It is
distinguished by the multiplicity of its performing methods, so defense techniques could not detect or
prevent such attacks. The main objective of this paper is to create a reliable and accurate hybrid technique
that secure systems from being exploited by SQL injection attacks. This hybrid technique combines static
and runtime SQL queries analysis to create a defense strategy that can detect and prevent various types of
SQL injection attacks. To evaluate this suggested technique, a large set of SQL queries have been executed
through a simulation that had been developed. The results indicate that the suggested technique is reliable
and more effective in capturing more SQL injection types compared to other SQL injection detection
methods.
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Yuji Kosuga
With the recent rapid increase in interactive web applications that employ back-end database services, an SQL injection attack has become one of the most serious security threats. The SQL injection attack allows an attacker to access the underlying database, execute arbitrary commands at intent, and receive a dynamically generated output, such as HTML web pages. In this paper, we present our technique, Sania, for detecting SQL injection vulnerabilities in web applications during the development and debugging phases. Sania intercepts the SQL queries between a web application and a database, and automatically generates elaborate attacks according to the syntax and semantics of the potentially vulnerable spots in the SQL queries. In addition, Sania compares the parse trees of the intended SQL query and those resulting after an attack to assess the safety of these spots. We evaluated our technique using real-world web applications and found that our solution is efficient in comparison with a popular web application vulnerabilities scanner. We also found vulnerability in a product that was just about to be released.
Routine Detection Of Web Application Defence FlawsIJTET Journal
Abstract— The detection process for security vulnerabilities in ASP.NET websites / web applications is a complex one, most of the code is written by somebody else and there is no documentation to determine the purpose of source code. The characteristic of source code defects generates major web application vulnerabilities. The typical software faults that are behind of web application vulnerabilities, taking into different programming languages. To analyze their ability to prevent security vulnerabilities ASP.NET which is part of .NET framework that separate the HTML code from the programming code in two files, aspx file and another for the programming code. It depends on the compiled language (Visual Basic VB, C sharp C#, Java Script). Visual Basic and C# are the most common languages using with ASP.NET files, and these two compiled languages are in the construction of our proposed algorithm in addition to aspx files. The hacker can inject his malicious as a input or script that can destroy the database or steal website files. By using scanning tool the fault detection process can be done. The scanning process inspects three types of files (aspx, VB and C#). then the software faults are identified. By using fault recovery process the prepared replacement statement technique is used to detect the vulnerabilities and recover it with high efficiency and it provides suggestion then the report is generated then it will help to improve the overall security of the system.
Similar to Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using Input-Data Cleansing Algorithm (20)
How to Create Map Views in the Odoo 17 ERPCeline George
The map views are useful for providing a geographical representation of data. They allow users to visualize and analyze the data in a more intuitive manner.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxEduSkills OECD
Andreas Schleicher presents at the OECD webinar ‘Digital devices in schools: detrimental distraction or secret to success?’ on 27 May 2024. The presentation was based on findings from PISA 2022 results and the webinar helped launch the PISA in Focus ‘Managing screen time: How to protect and equip students against distraction’ https://www.oecd-ilibrary.org/education/managing-screen-time_7c225af4-en and the OECD Education Policy Perspective ‘Students, digital devices and success’ can be found here - https://oe.cd/il/5yV
The Indian economy is classified into different sectors to simplify the analysis and understanding of economic activities. For Class 10, it's essential to grasp the sectors of the Indian economy, understand their characteristics, and recognize their importance. This guide will provide detailed notes on the Sectors of the Indian Economy Class 10, using specific long-tail keywords to enhance comprehension.
For more information, visit-www.vavaclasses.com
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
Ethnobotany and Ethnopharmacology:
Ethnobotany in herbal drug evaluation,
Impact of Ethnobotany in traditional medicine,
New development in herbals,
Bio-prospecting tools for drug discovery,
Role of Ethnopharmacology in drug evaluation,
Reverse Pharmacology.
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
Instructions for Submissions thorugh G- Classroom.pptx
Deployment of Reverse Proxy for the Mitigation of SQL Injection Attacks Using Input-Data Cleansing Algorithm
International Journal on Cryptography and Information Security (IJCIS), Vol.2, No.4, December 2012
DOI: 10.5121/ijcis.2012.2408
DEPLOYMENT OF REVERSE PROXY FOR THE
MITIGATION OF SQL INJECTION ATTACKS
USING INPUT-DATA CLEANSING ALGORITHM
S. Fouzul Hidhaya 1,2 and Angelina Geetha 1,3
1 Department of Computer Science and Engineering, B.S. Abdur Rahman University, Chennai, Tamilnadu, India.
2 fouzul_hameed@yahoo.com
3 anggeetha@yahoo.com
ABSTRACT
The Internet has eased human life in numerous ways, but drawbacks such as the intrusions that
accompany Internet applications hold back the growth of these applications. Hackers find new
methods to intrude into applications, and the number of reported web application vulnerabilities is
increasing year after year. One such major vulnerability is the SQL injection attack (SQLIA). Since
SQLIA contributes 25% of the total Internet attacks, much research is being carried out in this
area. In this paper we propose a method to detect SQL injection. We deploy a reverse proxy that uses
an input-data cleansing algorithm to mitigate SQL injection attacks. This system has been tested on
standard test bed applications and our work has shown significant improvement in detecting and
curbing SQLIA.
KEYWORDS
SQL Injection, SQL attack, Security threats, Web application vulnerability.
1. INTRODUCTION
The glory of the Internet and its merits are being heavily masked by the drawbacks associated
with it. Among them the prime issue is Internet vulnerability, leading to data modification and
data theft. Many Web applications store their data in a database and retrieve and update
information as needed. These applications are highly vulnerable to many types of attacks, one of
them being SQL injection attacks (SQLIA).
The servers that host the web applications retrieve information from the database and respond to
the user's request. This poses a high-risk problem for the web applications and the data they hold.
To avoid potential manipulation of the data by the end user, an internal network is formed by
coupling the server with a reverse proxy.
A reverse proxy is a type of proxy server that retrieves information from the server. The existence
of a proxy server may not be known to the end user. The job of checking the request for SQL
injection attack could be offloaded from the server to the reverse proxy.
A SQL injection attack occurs when an attacker causes the web application to generate SQL
queries that are functionally different from what the user interface programmer intended. For
example, consider an application dealing with author details.
A typical SQL statement looks like this:
select id, firstname, lastname from authors;
This statement retrieves the 'id', 'firstname' and 'lastname' columns from the 'authors' table,
returning all rows in the table. The result set can be restricted to a specific author using a
'where' clause.
select id, firstname, lastname from authors where firstname = 'James' and lastname = 'Baker';
An important point to note here is that the string literals 'James' and 'Baker' are delimited with
single quotes. Because these literals are supplied by the user they can be modified, and so they
become the vulnerable area of the application. For example, to drop the table 'authors', a
malicious literal can be injected into the statement as given below.
Firstname: Jam'; drop table authors--
Lastname: (left empty)
Now the statement becomes,
select id, firstname, lastname from authors where firstname = 'Jam'; drop table authors-- and lastname = '';
and this is executed.
Since the first name ends with the delimiter ' and -- is given at the end of the input, everything
following the -- is ignored as a comment. The effect of this command is the deletion of the table
named 'authors', which is not the intended result for the server database.
The objective of this work is to handle SQLIA in any form. An Input-data cleansing algorithm
has been designed and implemented in a reverse proxy to effectively curb SQLIA.
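To make the difference between the intended and the injected statement concrete, here is an added example in Python with sqlite3 (my illustration, not code from the paper). build_query_unsafe reproduces the string-concatenated statement from the text; count_statements shows that the injected first name turns the single intended statement into two; find_author_safe shows the usual mitigation, a parameterized query in which the same input is bound as data and simply matches no author. The 'authors' rows and the helper names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory 'authors' table like the one in the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table authors (id integer primary key, firstname text, lastname text)")
    conn.executemany("insert into authors (firstname, lastname) values (?, ?)",
                     [("James", "Baker"), ("Jane", "Austen")])
    conn.commit()
    return conn


def build_query_unsafe(firstname, lastname):
    """The vulnerable pattern from the text: user text is concatenated into the SQL, so a
    quote in the input closes the literal and whatever follows is parsed as SQL."""
    return ("select id, firstname, lastname from authors where firstname = '"
            + firstname + "' and lastname = '" + lastname + "';")


def count_statements(sql):
    """Count statements the way a simple SQL lexer sees them: a ';' outside a single-quoted
    literal terminates one, '--' comments out the rest of the line, and trailing non-comment
    text is an unterminated statement. The intended query yields 1."""
    count, in_quote, pending, i = 0, False, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_quote:
            if ch == "'":
                in_quote = False
        elif ch == "'":
            in_quote, pending = True, True
        elif sql.startswith("--", i):
            newline = sql.find("\n", i)
            i = len(sql) if newline < 0 else newline
            continue
        elif ch == ";":
            count, pending = count + 1, False
        elif not ch.isspace():
            pending = True
        i += 1
    return count + (1 if pending else 0)


def find_author_safe(conn, firstname, lastname):
    """Hardened form: a parameterized query. The driver binds the values as data, so the
    same input is only a (non-matching) name and cannot alter the statement."""
    cur = conn.execute(
        "select id, firstname, lastname from authors where firstname = ? and lastname = ?",
        (firstname, lastname))
    return cur.fetchall()


def table_exists(conn, name):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?", (name,)).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    conn = make_db()
    payload = "Jam'; drop table authors--"          # the first-name input from the text
    print(build_query_unsafe(payload, ""))
    print("statements in the concatenated query:", count_statements(build_query_unsafe(payload, "")))
    print("rows returned by the parameterized query:", find_author_safe(conn, payload, ""))
    print("authors table still present:", table_exists(conn, "authors"))
```

The statement count is the structural signal the rest of the paper builds on: the intended query has one statement, the concatenated one has two, and nothing about the parameterized query changes when the same text is bound as a value.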
2. RELATED WORK
The SQL language, being very rich, paves the way for a number of attacks. David Litchfield [1]
classifies the attacks into three types: in-band, out-of-band and inference attacks. An in-band
attack extracts data over the same channel that is used between the server and the client. An
out-of-band attack uses a different channel to extract data. An inference attack works by trying
to obtain error messages from the server, or by invoking the server to return messages that give
out information about the server, the database and the application. In his paper he discusses how
data can be collected using inference.
Allaire [2], in 1999, published a note discussing the dangers of "Multiple SQL statements in
dynamic queries". It explained for the first time how an attack on the database is possible by
appending malicious queries to the existing queries.
The term SQL injection is believed to have been first used in the "SQL Injection FAQ" published by
Chip Andrews [3], where he explains the facts about SQL injection.
WAVES [4] uses a black box testing methodology: a web crawler identifies all points in a web
application that can be used to inject SQLIAs, and machine learning approaches guide its testing.
Static code checkers like the JDBC-Checker [5] statically check the type correctness of
dynamically generated SQL queries. This detects only one type of SQL vulnerability, the one
caused by improper type checking of input.
Combined static and dynamic analysis like AMNESIA [6] is a model-based technique that combines
static analysis and runtime monitoring. The key intuition behind the approach rests on two
observations. Firstly, the source code contains enough information to infer models of the
expected, legitimate SQL queries generated by the application. Secondly, an SQLIA, by injecting
additional SQL statements into a query, would violate such a model. In its static part, the
technique uses program analysis to automatically build a model of the legitimate queries that
could be generated by the application. In its dynamic part, the technique monitors the
dynamically generated queries at runtime and checks them for compliance with the statically
generated model.
SQLGuard [7] and SQLCheck [8] also check queries at runtime to see if they conform to a model
of expected queries. Taint-based approaches like WebSSARI [9] detect input-validation-related
errors using information flow analysis: static analysis checks taint flows against preconditions
for sensitive functions. Livshits and Lam [10] use an information flow technique to detect when
tainted input has been used to construct a SQL query.
Security Gateway [11] is a proxy filtering system that enforces input validation rules on the data
flowing to a web application. SQLRand [12] is an approach based on instruction-set
randomization. It allows developers to create queries using randomized instructions instead of
normal SQL keywords; a proxy filter intercepts queries to the database and de-randomizes the
keywords.
William G.J. Halfond, Jeremy Viegas, and Alessandro Orso [13] presented an extensive review of
the different types of SQL injection attacks known to date. For each type of attack, they provide
descriptions and examples of how attacks of that type could be performed. They also present and
analyze existing detection and prevention techniques against SQL injection attacks.
Ofer Maor and Amichai Shulman [14] give a detailed report of the techniques used to evade SQL
injection signatures. Signatures are the standard forms in which an SQL manipulation can be
carried out to dynamically change the meaning of the query in the application. They give an
overview of the signatures used to protect the server from SQLIA and of the counter techniques
used to evade them.
Yonghee Shin and Laurie Williams [15] give a survey of the papers that deal with SQLIA and
cross-site scripting attacks. They categorize the detection methods and the evaluation criteria of
the techniques, surveying around 21 papers and comparing the techniques used to detect
cross-site scripting and SQLIA. Stephen Kost [16] categorizes SQLIA into four main categories,
namely SQL manipulation, code injection, function call injection and buffer overflows. This paper
deals with curbing SQL manipulation and code injection attacks.
Konstantinos Kemalis and Theodoros Tzouramanis [17] developed a prototype SQL injection
detection system (SQLIDS). The system monitors Java-based applications and detects SQL
injection attacks in real time. The detection technique is based on the assumption that injected
SQL commands differ in structure from the expected SQL commands that are built by the scripts
of the web application.
Ben Smith et al. [18] examine two input validation vulnerabilities, SQL injection vulnerability
and error message vulnerability, in four open source applications. They assessed the effectiveness
of system-level and unit-level testing of web applications in revealing both types of vulnerability
when used with iterative test automation.
In this paper we have designed an input-data cleansing algorithm that uses MD5 hashing to curb
SQLIA attempted through the entry form and regular expressions to curb SQLIA attempted through
the URL. The system uses a sanitizing application in the proxy server that sanitizes the request
before it is forwarded to the main server and the database.
3. SYSTEM ARCHITECTURE
The architecture of the system is illustrated in Figure 1. In a client-server model, a reverse proxy
server is placed between the client and the server. The presence of the proxy server is not known
to the user. The sanitizing application is placed in the reverse proxy server.
Figure 1. System Architecture
The reverse proxy is used to sanitize the requests from users. When the request rate becomes high,
more reverse proxies can be added to handle the requests. This enables the system to maintain a
low response time even at high load.
The general working of the system is as follows:
1. The client sends the request to the server.
2. The request is redirected to the reverse proxy.
3. The sanitizing application in the proxy server extracts the URL from the HTTP request and the
user data from the SQL statement.
a. The URL is sent to the signature check.
b. The user data (identified using the prototype query model) is hashed using MD5.
4. The sanitizing application sends the validated URL and the hashed user data to the web
application on the server.
5. The filter in the server denies the request if the sanitizing application has marked the URL
request as malicious.
6. If the URL is found to be benign, then the hashed value is sent to the database of the web
application.
7. If the hashed user data matches the stored hash value in the database, the data is retrieved
and the user gains access to the account.
8. Otherwise the user is denied access.
Figure 2 gives the flowchart of the system.
Figure 2. Flowchart of the System
4. THE SANITIZING APPLICATION
The sanitizing application uses the input-data cleansing algorithm to sanitize the user input.
4.1. Input-Data Cleansing Algorithm (IDC algorithm):
Step 1:
    Extract the SQL statement from the HTTP request;
    Parse the SQL statement into tokens - query;
    While (query not empty)
        Convert into XML format using the XML Schema;
        Add to list - XMLquery;
    For (every entry in the prototype document)
        Check if (XMLquery = prototype model in document)
            Extract the user input data;
Step 2:
    Parse the user data into tokens - tok;
    While (tok not empty)
        Check if tok ≠ reserved SQL keyword
            Move tok to User Data Array - UDA;
Step 3:
    For (every entry in UDA)
        Convert to the corresponding MD5 and store in MD5-UDA.
Step 4:
    Extract the URL from the HTTP request;
    Parse the URL into tokens - toks;
    While (toks not empty)
        Check if (URL = benign using the signature check)
            Set the flag to continue;
        Else
            Set the flag to deny;
Step 5:
    Send the MD5-UDA and the flag to the web application server;
4.2. Input-Data Cleansing Algorithm Details
4.2.1. Extracting user data from SQL statement:
The SQL statement is extracted from the HTTP request and the query is tokenized. The tokenized
query is then compared with the prototype document. A prototype document consists of all the
SQL queries of the web application. The query tokens are transformed into XML format, and XSL's
pattern matching algorithm is used to find the prototype model corresponding to the received
query. This method was adapted from the previous work COMPVAL [19].
XSL's Pattern Matching: The query is first analyzed and tokenized into elements. The prototype
document contains the queries pertaining to that particular application. For example, suppose the
input query is
SELECT * FROM members WHERE login='admin' AND password='XYZ' OR '1=1'
When this query is received it is converted into XML format using an XML schema. The resulting
XML would be:
<SELECT>
  <*>
    <FROM>
      <members>
        <WHERE login='admin'>
          <AND password=XYZ>
            <OR 1=1>
            </OR>
          </AND>
        </WHERE>
      </members>
    </FROM>
  </*>
</SELECT>
Using pattern matching, the elements are searched such that the nested elements are similar to the
query tokens. The corresponding matching XML mapping is:
<SELECT>
  <identifier>
    <FROM>
      <identifier>
        <WHERE id_list='userip'>
          <AND id_list='userip'>
          </AND>
        </WHERE>
      </identifier>
    </FROM>
  </identifier>
</SELECT>
When the match is found, the corresponding prototype query would be,
SELECT identifier FROM identifier WHERE identifier op 'userip' AND identifier op 'userip'
which is used to identify the user input data. XML tags beyond those in the prototype are
considered user input. This search is fast because it is based on text and string comparison; its
time complexity is O(n). This improves the effectiveness of the program and reduces latency.
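The following added example (my illustration in Python, not the authors' Java implementation) carries Steps 1 to 3 of the IDC algorithm of Section 4.1 and the prototype matching of Section 4.2.1 through on the query above. Instead of the XML/XSL representation it reduces the tokenized query to a flat skeleton in the paper's own vocabulary (identifier, op, userip and keywords) and compares it against a small prototype document by prefix match: literals at the prototype's 'userip' slots are the expected user input, tokens beyond the prototype are treated as user input as Section 4.2.1 describes, reserved keywords are dropped (Step 2) and what remains is MD5-hashed (Step 3). The keyword list, the operator list and the two prototypes are assumptions constructed for the example.

```python
import hashlib
import re

# Reserved words dropped from the user data in Step 2 (constructed list, not the paper's).
SQL_KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO", "VALUES",
                "UPDATE", "SET", "DELETE", "DROP", "TABLE", "UNION", "EXEC", "ORDER", "BY"}
OPERATORS = {"=", "<", ">", "<>", "<=", ">=", "!=", "LIKE"}

# Prototype document: the legitimate query shapes of the application, in the paper's
# notation. Constructed for this example.
PROTOTYPE_DOCUMENT = [
    "SELECT identifier FROM identifier WHERE identifier op 'userip' AND identifier op 'userip'",
    "SELECT identifier , identifier , identifier FROM identifier WHERE identifier op 'userip'",
]

# String literal, number, word, two-character operator, single-character punctuation.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|<>|<=|>=|!=|[=<>*,;()]")


def tokenize(sql):
    return TOKEN_RE.findall(sql)


def skeleton(tokens):
    """Map tokens to the prototype vocabulary: literals -> userip, comparison operators -> op,
    keywords -> themselves (upper-cased), punctuation -> itself, names and '*' -> identifier."""
    out = []
    for tok in tokens:
        up = tok.upper()
        if tok.startswith("'") or tok[0].isdigit():
            out.append("userip")
        elif up in OPERATORS:
            out.append("op")
        elif up in SQL_KEYWORDS:
            out.append(up)
        elif tok in ",();":
            out.append(tok)
        else:
            out.append("identifier")
    return out


def literal_value(tok):
    """Strip the quotes of a string literal (undoing '' escaping); other tokens pass through."""
    return tok[1:-1].replace("''", "'") if tok.startswith("'") else tok


def cleanse(sql):
    """Steps 1-3 of the IDC algorithm for one received query."""
    tokens = tokenize(sql)
    skel = skeleton(tokens)
    for proto in PROTOTYPE_DOCUMENT:
        shape = proto.replace("'userip'", "userip").split()
        if skel[:len(shape)] == shape:
            # Step 1: literals in the prototype's userip slots are the expected user input;
            # anything beyond the prototype is treated as user input too (Section 4.2.1).
            user_data = [literal_value(tokens[i]) for i, s in enumerate(shape) if s == "userip"]
            extra = tokens[len(shape):]
            values = user_data + [literal_value(t) for t in extra]
            uda = [v for v in values if v.upper() not in SQL_KEYWORDS]            # Step 2
            return {"prototype": proto, "user_data": user_data, "extra": extra,
                    "injected": bool(extra),
                    "md5_uda": [hashlib.md5(v.encode()).hexdigest() for v in uda]}  # Step 3
    # No prototype matches: the query shape is not one the application ever issues.
    return {"prototype": None, "user_data": [], "extra": tokens, "injected": True, "md5_uda": []}


if __name__ == "__main__":
    for q in ("SELECT * FROM members WHERE login='admin' AND password='XYZ' OR '1=1'",
              "SELECT * FROM members WHERE login='alice' AND password='s3cret'",
              "DROP TABLE members"):
        print(q, "->", cleanse(q))
```

On the Section 4.2.1 query cleanse matches the first prototype, returns the user data ['admin', 'XYZ'] and reports the extra tokens OR '1=1', so the request is flagged; a query that matches a prototype exactly yields only the two expected hashes. Two caveats for anyone reusing the hashing step: the prefix match accepts any suffix, so a stricter deployment would reject a query with extra tokens outright rather than hashing them, and MD5 here serves only as an opaque comparison token, since it is fast and unsalted and so not a suitable way to store the credential itself.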
4.2.2. Hashing the user data with MD5
The user data obtained in the extraction phase is then hashed using the MD5 hash function.
4.2.3. Signature check using regular expressions
All the possible forms of SQL injection manipulation are stored in the signature check in the form
of regular expressions. The URL is extracted from the HTTP request and tokenized. These tokens
are checked against the regular expressions. If they contain any form of signature that has been
defined as SQL injection then the request is marked as malicious; otherwise it is marked as
benign.
5. IMPLEMENTATION
This system implements the IDC algorithm in an automated sanitizing application written in Java.
We used four systems in the lab setup, connected through a LAN. One system is the web
application server. Two systems are set up as proxy servers with the automated sanitizing
application installed. One system acts as the client. On the server, an Eclipse integrated
development environment (IDE) runs the open source project. On the server gateway a filter
program is installed; this filter application redirects the request from the user to the proxy server.
For each request the server chooses one of the two proxy servers alternately, to minimize the load
on any one proxy server, which might otherwise slow down the process.
In each proxy server the sanitizing application is executed in the Eclipse IDE. When the
redirected request from the server reaches the sanitizing application, the IDC algorithm is
triggered. As a first step, the SQL query and the URL are extracted from the HTTP request. The
SQL query is processed using XSL's pattern matching and the prototype document, and the user
data is separated from the query. The URL is passed on to the signature check, which uses regular
expressions to validate the URL.
The following signature checks are performed on the URLs extracted from the HTTP request.
1. Query delimiter (--)
2. White spaces
3. Comment delimiter (/* */)
4. EXEC keyword
5. UTF encoding
6. Scanning for a query with the signature OR followed by the same characters before and after '='.
7. Dropping meta characters (and their encodings) like ; ( ) > < % + = and @
8. Use of 'IN' or 'BETWEEN' after 'OR'.
9. Use of SQL keywords. Just looking for the keywords would bring about a lot of false
positives, so the context before and after the keyword is also checked.
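As an added example (not the paper's Java code), the following Python implements the signature check of Section 4.2.3 over a subset of the list above (items 1, 3, 4, 6, 7, 8 and 9). It splits the URL into the path and the query parameters, percent-decodes each value repeatedly so that double-encoded payloads are matched in their decoded form (the encoded variants of items 5 and 7), and applies each regular expression to each value separately. The host name, the sample URLs and the exact regular expressions are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Signatures mirroring items 1, 3, 4, 6, 7, 8 and 9 of the list above (constructed here).
SIGNATURES = [
    ("query delimiter --", re.compile(r"--")),
    ("comment delimiter /* */", re.compile(r"/\*.*?\*/", re.S)),
    ("EXEC keyword", re.compile(r"\bexec(?:ute)?\b", re.I)),
    # Item 6: OR followed by the same characters on both sides of '=' (quotes optional).
    ("OR x=x tautology", re.compile(r"\bor\b\s*['\"]?\s*(\w+)\s*['\"]?\s*=\s*['\"]?\s*\1\b", re.I)),
    ("IN/BETWEEN after OR", re.compile(r"\bor\b.*?\b(?:in|between)\b", re.I | re.S)),
    # Item 7, restricted to characters that never occur in a well-formed query-string value.
    ("meta characters ; ( ) < > @", re.compile(r"[;()<>@]")),
    # Item 9: SQL keywords only in a SQL-like context, so ordinary words are not flagged.
    ("keyword in SQL context", re.compile(
        r"\b(?:union\s+(?:all\s+)?select|select\b.*?\bfrom|insert\s+into|drop\s+table|"
        r"delete\s+from|update\s+\w+\s+set)\b", re.I | re.S)),
]


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding before matching, so %2527 is seen as the quote it hides."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_url(url):
    """Return [(field, signature), ...] for every signature hit; an empty list means benign.
    The path and each query parameter value are checked separately after decoding, so the
    '=' and '&' that structure a normal query string never trigger the meta-character rule."""
    parts = urlsplit(url)
    fields = [("path", decode_fully(parts.path))]
    fields += [(k, decode_fully(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = []
    for field, value in fields:
        for name, rx in SIGNATURES:
            if rx.search(value):
                hits.append((field, name))
    return hits


def is_malicious(url):
    return bool(check_url(url))


if __name__ == "__main__":
    # Constructed sample URLs: two benign requests, one classic tautology, one double-encoded.
    samples = [
        "http://shop.example/books?author=James+Baker&page=2",
        "http://shop.example/books?title=Natural+Selection",
        "http://shop.example/books?id=5%27%20OR%20%271%27%3D%271",
        "http://shop.example/books?id=1%2527%253B%2520DROP%2520TABLE%2520authors--",
    ]
    for url in samples:
        print(url, "->", check_url(url) or "benign")
```

Checking decoded parameter values rather than the raw URL is what keeps the meta-character rule usable: '=', '&', '+' and '%' are part of normal query-string syntax, so they are excluded from that rule here. The keyword rule only fires on keywords in a SQL-like context, which is why 'Natural Selection' passes while 'DROP TABLE' in the double-encoded value is caught together with the ';' and the trailing '--'.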
The user data is converted into its corresponding hash value using the MD5 algorithm. The hash
value and the validated URL are then directed back to the server.
Depending on the validation result, the filter on the web application server decides whether to
continue with the request or to deny it. If the URL is benign, the URL and the hash value are
forwarded to the web application on the server system. The web application sends the hash value
to the database, where the values are compared. If the values match, the user gains access;
otherwise the request is denied. The database used with the web application is MySQL.
6. EVALUATION
This system was tested on four open source projects taken from gotocode.com: Online Bookstore,
Online Portal, Employee Directory and Registration Form. We used Burp Suite [20] as the
attacking tool. Our system detected all the intrusions injected by Burp Suite, achieving a 100%
detection rate. The total number of SQL injections by Burp Suite, the total number of detections
by our system and the resulting detection rate are given in Table 1.
Figures 3 and 4 show the response of the system when a malicious input is provided in the input
form. Figures 5 and 6 show the response when a malicious URL is given.
Table 1. Detection Rate
Web Application      No. of SQL Injection Attacks   No. of Detections   Detection Rate
Portal               276                            276                 100%
Employee Directory   238                            238                 100%
Book store           197                            197                 100%
Registration Form    419                            419                 100%
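The two stages described above (the signature checks on the extracted URL, then the hash comparison against the users table) and the detection-rate measurement of Table 1, as an added Python example; this is not the paper's code. The rule names, the deny-on-any-hit policy, applying each rule to every decoded query parameter rather than to the whole URL, reading check 5 ("UTF coding") as nested percent-encoding, the in-memory dict standing in for the MySQL users table and all sample URLs are my own assumptions or constructed data. It goes one step beyond the paper by also reporting the false-positive rate on benign requests, which Table 1 does not measure.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote_plus, urlsplit

# Signature rules modelled on the nine checks listed above (rule names are mine). Each rule is
# run against a fully decoded query-parameter value, not the raw URL, so the ordinary '=' and
# '&' separators of a query string do not trip the meta-character rule.
RULES = [
    ("line comment --",        re.compile(r"--")),
    ("block comment /* */",    re.compile(r"/\*.*?\*/", re.S)),
    ("EXEC keyword",           re.compile(r"\bexec(?:ute)?\b", re.I)),
    # OR followed by the same token on both sides of '=' (OR 1=1, OR 'a'='a), quotes optional
    ("OR tautology",           re.compile(r"\bor\b\s*(['\"]?)(\w+)\1\s*=\s*\1\2(?!\w)", re.I)),
    ("IN/BETWEEN after OR",    re.compile(r"\bor\b[^;]*?\b(?:in|between)\b", re.I)),
    # a keyword counts only when the tokens around it form a statement (the context check)
    ("SQL keyword in context", re.compile(
        r"(?:^|[\s;'\")(])(?:union\s+(?:all\s+)?select"
        r"|select\s+(?:\*|distinct\b|top\s+\d+|@@\w+|\w+\s*\()"
        r"|insert\s+into\b|delete\s+from\b|update\s+\w+\s+set\b"
        r"|drop\s+(?:table|database)\b|alter\s+table\b|create\s+table\b"
        r"|declare\s+@|waitfor\s+delay\b|information_schema)", re.I)),
    ("meta-characters",        re.compile(r"[;()<>%+=@]")),
    ("whitespace",             re.compile(r"\s")),
]


def decode(value, max_rounds=3):
    """Percent/plus-decode until stable so nested encodings (%2527 -> %27 -> ') cannot hide a
    signature; returns (decoded value, number of rounds that changed something)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds


def inspect_url(url):
    """Apply every rule to each parameter of the URL.
    Returns {"decision": "allow" | "deny", "hits": [(parameter, rule), ...]}; any hit denies."""
    hits = []
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")   # split before decoding, so an encoded '=' stays in the value
        value, rounds = decode(raw)
        if rounds > 1:
            hits.append((name, "nested encoding"))
        hits.extend((name, label) for label, rx in RULES if rx.search(value))
    return {"decision": "deny" if hits else "allow", "hits": hits}


# Stand-in for the MySQL users table (constructed): username -> MD5 hex digest, as the paper
# stores it. MD5 is fast and unsalted, so a leaked table is cheap to brute-force; a real
# deployment should store a salted, slow password hash instead.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def verify_user(username, secret, table=USERS):
    """Second stage: hash the submitted secret and compare it with the stored digest. Against a
    real database the lookup is a parameterised query (SELECT hash FROM users WHERE name = %s);
    compare_digest keeps the comparison constant-time."""
    stored = table.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(hashlib.md5(secret.encode("utf-8")).hexdigest(), stored)


def evaluate(attacks, benign):
    """Detection rate as in Table 1 (detected / attacks) plus the false-positive rate on benign
    requests, which a signature filter should be measured on as well."""
    detected = sum(inspect_url(u)["decision"] == "deny" for u in attacks)
    false_pos = sum(inspect_url(u)["decision"] == "deny" for u in benign)
    return {"detection_rate": detected / len(attacks), "false_positive_rate": false_pos / len(benign)}


# Constructed sample traffic (not from the paper's test bed).
ATTACKS = [
    "http://shop.example/login?id=1%27%20OR%201%3D1--",
    "http://shop.example/item?id=5%3B%20DROP%20TABLE%20users",
    "http://shop.example/user?name=x%27%20UNION%20SELECT%20*%20FROM%20users",
    "http://shop.example/item?id=1%20OR%201%20IN%20(1)",
    "http://shop.example/search?q=1%2527",
]
BENIGN = [
    "http://shop.example/search?q=books&page=3",
    "http://shop.example/search?q=John+Smith",
    "http://shop.example/item?id=42",
    "http://shop.example/about",
]

if __name__ == "__main__":
    for u in ATTACKS + BENIGN:
        print(u, "->", inspect_url(u))
    print(evaluate(ATTACKS, BENIGN))
```

Running the block prints the verdict for each constructed URL and the two rates. On this sample every attack is denied, including the double-encoded quote that a single decoding pass would let through, but the white-space rule also denies the benign name "John Smith": that is the kind of false positive the context check in item 9 is meant to avoid, and one that a detection-rate figure alone does not reveal.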
Figure 3. Malicious input provided to the Application.
Figure 4. Access denied to the malicious input.
Figure 5. Malicious URL provided to the application.
Figure 6. Access denied to the malicious URL.
7. ANALYSIS AND RESULT
We have compared our system with other methodologies used to curb SQLIA; the detailed comparison is shown in Table 2. The system was run under light, medium and heavy load conditions, and the response time with and without our Intrusion Prevention proxy (IP proxy) was recorded in nanoseconds. Under light load, 5 requests were sent from the client system to the server. The results are shown in Figure 7.
Under medium load, 50 requests were sent from the client system using threads; the results are shown in Figure 8. For heavy load, 1000 requests were sent from the client system; the results are shown in Figure 9. The response times showed little difference under light and medium load. Under heavy load there was a slight difference, of the order of nanoseconds.
Figure 7. Low load
Table 2. Analysis of methodologies curbing SQLIA
Methodology             Change in source code                      Detection/Mitigation of attack
WAVES [4]               Not necessary                              Automated; report generated
JDBC-Checker [5]        Needed for automatic prevention of attack  Can be automated
AMNESIA [6]             Not necessary                              Fully automated
SQLGuard [7]            Necessary                                  Fully automated
SQLCheck [8]            Necessary                                  Partially automated
WebSSARI [9]            Necessary                                  Partially automated
Livshits and Lam [10]   Not necessary                              Manual assistance needed
Security Gateway [11]   Not needed                                 Manual detection / automated mitigation
SQLRand [12]            Necessary                                  Fully automated
SQL-IDS [17]            Not necessary                              Fully automated
Idea [18]               Not necessary                              A study to expose vulnerabilities
COMPVAL [19]            Not necessary                              Fully automated
Proposed DC algorithm   Not necessary                              Fully automated
Figure 8. Medium Load
The system with the proxy server protection responded slightly slower than the unprotected system, but gave full protection against the SQL injection attacks tested. When the number of proxy servers was increased to four, the server handled the requests at an increased pace. We have not yet worked on optimizing the system and expect its performance to improve once it is optimized.
Figure 9. High load
8. CONCLUSION
The novel system with an intrusion prevention proxy has proved effective in detecting SQL injection attacks and preventing them from reaching the web application. The system requires no changes to the source code of the application, and detection and mitigation of the attack are fully automated. By increasing the number of proxy servers, the web application can handle a growing number of requests without obvious delay while still being protected from SQL injection attacks. Future work will focus on optimizing the system, on removing the vulnerable points in the application itself in addition to detection, and on studying alternative techniques for detecting and mitigating SQL injection attacks.
REFERENCES
[1] David Litchfield, (2005) "Data-mining with SQL Injection and Inference", Next Generation Security Software Ltd., White Paper.
[2] Allaire Security Bulletin, (1999) "Multiple SQL statements in dynamic queries".
[3] Chip Andrews, "SQL Injection FAQs", http://www.sqlsecurity.com/FAQs/SQLInjectionFAQ/tabid/56/Default.aspx
[4] Y. Huang, S. Huang, T. Lin and C. Tsai, (2003) "Web Application Security Assessment by Fault Injection and Behavior Monitoring", Proc. International World Wide Web Conference '03, pp. 148-159.
[5] C. Gould, Z. Su and P. Devanbu, (2004) "JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications", Proc. International Conference on Software Engineering '04, pp. 697-698.
[6] W. G. Halfond and A. Orso, (2005) "AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks", Proc. ACM International Conference on Automated Software Engineering '05, pp. 174-183.
[7] Gregory Buehrer, Bruce W. Weide and Paolo A. G. Sivilotti, (2005) "Using Parse Tree Validation to Prevent SQL Injection Attacks", Proc. International Workshop on Software Engineering and Middleware, pp. 106-113.
[8] Zhendong Su and Gary Wassermann, (2006) "The Essence of Command Injection Attacks in Web Applications", Proc. ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages '06, pp. 372-382.
[9] Y. Huang, F. Yu, C. Hang, C. H. Tsai, D. T. Lee and S. Y. Kuo, (2004) "Securing Web Application Code by Static Analysis and Runtime Protection", Proc. International World Wide Web Conference '04, pp. 40-52.
[10] V. B. Livshits and M. S. Lam, (2005) "Finding Security Errors in Java Programs with Static Analysis", Proc. USENIX Security Symposium '05, pp. 271-286.
[11] D. Scott and R. Sharp, (2002) "Abstracting Application-level Web Security", Proc. International Conference on the World Wide Web '02, pp. 396-407.
[12] S. W. Boyd and A. D. Keromytis, (2004) "SQLrand: Preventing SQL Injection Attacks", Proc. 2nd Applied Cryptography and Network Security (ACNS) Conference, pp. 292-302.
[13] W. Halfond, J. Viegas and A. Orso, (2006) "A Classification of SQL Injection Attacks and Countermeasures", Proc. International Symposium on Secure Software Engineering '06.
[14] Ofer Maor and Amichai Shulman, (2003) "SQL injection signature evasion", Imperva Inc., White Paper.
[15] Yonghee Shin and Laurie Williams, (2008) "Toward A Taxonomy of Techniques to Detect Cross-site Scripting and SQL Injection Vulnerabilities", NC State Computer Science, Technical Report.
[16] Stephen Kost, (2004) "An introduction to SQL injection attacks for Oracle developers", Integrigy Corporation, White Paper.
[17] Konstantinos Kemalis and Theodoros Tzouramanis, (2008) "SQL-IDS: a specification-based approach for SQL-injection detection", Proc. 2008 ACM Symposium on Applied Computing, pp. 2153-2158.
[18] Ben Smith, Laurie Williams and Andrew Austin, (2010) "Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks", Engineering Secure Software and Systems, Springer, Lecture Notes in Computer Science, Volume 5965/2010, pp. 192-200.
[19] S. Fouzul Hidhaya and Angelina Geetha, (2010) "COMPVAL - A system to mitigate SQLIA", Proc. International Conference on Computer, Communication and Intelligence ICCCI'10, pp. 337-342.
[20] Burp Suite, http://portswigger.net/burp/