This document discusses SQL injection attacks in banking transactions and methods to prevent them. It begins with an abstract discussing how SQL injections are a major security issue for banking applications and can be used to access secret information like usernames and passwords or bank databases. The document then provides examples of SQL injection attacks on banks, describes how hackers perform SQL injections, and discusses approaches like input validation, static query statements, and least privilege to prevent injections. It also introduces tools like Amnesia and the X-Log Authentication technique to detect and block injection attacks. The conclusion is that Amnesia and X-Log Authentication are effective techniques for preventing SQL injections in banking transactions.
International Journal of Engineering Inventions (IJEI)
ISSN: 2278-7461, www.ijeijournal.com
Volume 1, Issue 8 (October 2012) PP: 70-75
A STUDY OF SQL INJECTION IN BANKING TRANSACTION
Varun Tiwari (1), Kimmi Makhija (2), Jyoti Ratra (3)
(1) Research Scholar, NWMDI University, South Africa.
(2,3) Asst. Prof., KIRAS (Affiliated to GGSIP University)
Abstract: Use of the World Wide Web (WWW) is increasing rapidly, and with it the number of problems that arise from hacking. One of the most important targets of hacking is the banking sector. A banking system handles a large number of transactions every day, so protecting them from attackers is necessary. At present the major security issue in banking transactions is SQL injection, which creates serious problems: attacks on banking applications, acquisition of secret information such as IDs and passwords, and access to bank databases through injected SQL. The main motive of this paper is to describe the SQL injection method, its techniques, and how to prevent it. With these methods we can protect transactions from attack by SQL injection. The methods denote the parameters that are used to attack through SQL injection, and the transactions that cause illegal access are analysed. By these methods the applications can be fully protected from hacking of the database, the attacks are completely blocked, and no wrong transaction is passed off as a correct one. In an SQL injection attack, an attacker might insert a malicious SQL query as input to perform an unauthorized database operation. Using SQL injection attacks, an attacker can retrieve or modify confidential and sensitive information from the database.
Keywords: SQL Injection, Security, Detection and Prevention.
I. INTRODUCTION
"An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input." SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities, because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. Some banks attacked through SQL injection are:
1. Forex Swiss Bank vulnerable to SQL injection [1]
2. HDFC Bank database hacked by the zSecure team using an SQL injection vulnerability [2]
[1] An SQL injection vulnerability was found in Dukascopy by the zSecure team. Dukascopy offers direct access to the Swiss Foreign Exchange Marketplace. This market provides the largest pool of ECN spot forex liquidity available for banks, hedge funds, other institutions and professional traders. To accommodate the existing banking relationships of its clients, Dukascopy offers full prime broker capability with a give-up facility, by utilizing an extensive network of banking partners. [5]
[2] The zSecure team is back in the news again; this time they discovered a critical SQL injection vulnerability in HDFC Bank's web portal. Using this critical flaw, HDFC Bank's various databases could be accessed and dumped. The flaw affects HDFC Bank's customer relations and calls into question the security in place within the bank. HDFC Bank is a leading bank in India, but it lagged behind on the basic security that needs to be implemented. The zSecure team claimed in their blog post that even after they had sent complete details about the vulnerability, and even after a vulnerability assessment by a third-party service provider, the bank was not able to discover this critical flaw in its web portal. This raises a big question about their existing security policy. [6]
SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a web form input box to gain access to an organization's resources or to make changes to data. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server. "What makes this vulnerability so pervasive is that SQL injection attacks can prey on all types of web applications, even those as simple as a monthly loan payment calculator or a 'sign up for our customer newsletter' form."
"SQL injection is successful only when the web application is not sufficiently secured. Unfortunately, the majority of websites and web applications are not secure. Thus, we are advising all organizations to use 'input validation' for any form to ensure that only the type of input that is expected is accepted." [1]
1.1 How the Hacker Does It
The hacker goes to a coffee shop and connects to the same Wi-Fi network you are connected to. He runs a series of utilities to redirect other users' data through his machine. He runs a number of other utilities to sniff the data, to act as an SSL certificate server and to be the man-in-the-middle. The following diagram shows a very simplified picture of how your SSL banking session should work under normal conditions, and then how it works during an attack:
ISSN: 2278-7461 www.ijeijournal.com P a g e | 70
An important concept to grasp here is that a certificate is used to establish the secure SSL connection. This is a good thing if you have a good certificate and are connecting directly to the website you intended to use. Then all your data is encrypted from your browser to the SSL website, where the bank's website uses the key belonging to the certificate it gave you to decrypt your data and credentials. If that is truly the case, then it is very hard for a hacker to decrypt the data and credentials being transmitted, even if he is able to sniff your traffic.
This is a bad thing if a "fake" certificate is being sent to you by the hacker, and you are actually connecting to his machine, not directly to the bank's website. In this case, your credentials are transmitted between your browser and the hacker's machine. The hacker is able to capture that traffic and, because he gave you the certificate used to encrypt the data and credentials, he can use the matching key to decrypt them.
1.2 Approaching Methods
1. Input Validation
2. Static Query Statement
3. Least Privilege
4. Code Verification
5. Web Application Gateway
6. SQL Driver Proxy
7. Miscellaneous Methods
Some other methods to prevent SQL injection attacks:
1. Trust no-one
2. Don't use dynamic SQL when it can be avoided
3. Update and patch
4. Firewall
5. Reduce your attack surface
6. Use appropriate privileges
7. Keep your secrets secret
8. Don't divulge more information than you need to
9. Don't forget the basics
10. Buy better software
1.3 Preventing Techniques
1.3.1 X – Log Authentication Technique
This approach addresses SQLIAs (SQL Injection Attacks) with runtime monitoring. The key insights behind the
approach are that (1) the source code contains enough information to infer models of the expected, legitimate SQL queries
generated by the application, and (2) an SQLIA, by injecting additional SQL statements into a query, would violate such a
model. The proposed technique monitors the dynamically generated queries against the data model generated by the X-Log
Generator at runtime and checks them for compliance. If the data comparison violates the model, the query represents a
potential SQLIA; it is prevented from executing on the database and is reported. For each application, when the
login page is redirected to our checking page, the technique was able to detect and prevent attacks without stopping legitimate
accesses. Moreover, our technique proved to be efficient, imposing only a low overhead on the web applications. The
technique consists of three filtration techniques to prevent SQLIAs. We summarize the steps here and describe them in
more detail in subsequent sections.
Vulnerability Guard: The Vulnerability Guard detects wildcard characters or meta characters in the input and prevents the
malicious attacks.
X-Log Authentication: The X-Log validator validates input against the X-Log Generator, where the sensitive data from the
database are stored. The user input fields are compared with the data existing in the X-Log Generator; if they are identical, the
query is allowed to proceed.
Stored Procedure: Test the size and data type of the input and enforce appropriate limits. Stored procedures are used to validate
user input and to perform server-side validation. The safety of stored procedures depends on the way in which they are coded
and on the use of adequate defensive coding practices. These three input filtrations are used to improve scalability,
performance and optimization.
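The three filtrations just described, written out as one pipeline in Python. This is an added example, not code from the paper or from the X-Log authors; the list of rejected meta characters, the X-Log store of known usernames and the size/type rules the stored-procedure stage enforces are all constructed for the example, as an interpretation of the three stages.

```python
import re

# Stage 1: wildcard and meta characters the Vulnerability Guard rejects (constructed list)
META_CHARS = ("'", '"', ";", "--", "/*", "*/", "%", "\\")

def vulnerability_guard(value):
    """Reject input that carries SQL wildcard or meta characters."""
    return not any(meta in value for meta in META_CHARS)

# Stage 2: constructed X-Log store, standing in for the sensitive data the
# X-Log Generator copies out of the database (here: the legitimate usernames)
X_LOG_STORE = {"ravi", "admin", "guest"}

def xlog_authenticate(username, store=X_LOG_STORE):
    """The input field must be identical to a value held by the X-Log Generator."""
    return username in store

# Stage 3: size and data-type rules a validating stored procedure would enforce
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{1,20}$")

def stored_procedure_check(username, password, max_password_len=128):
    """Alphanumeric username of at most 20 characters; non-empty password of bounded length."""
    return bool(USERNAME_RE.match(username)) and 0 < len(password) <= max_password_len

def filter_login(username, password):
    """Run the three filtrations in order. Returns (allowed, stage_that_rejected)."""
    if not vulnerability_guard(username) or not vulnerability_guard(password):
        return False, "vulnerability_guard"
    if not xlog_authenticate(username):
        return False, "xlog"
    if not stored_procedure_check(username, password):
        return False, "stored_procedure"
    return True, None

if __name__ == "__main__":
    for user, pw in [("ravi", "dBa#1"), ("ravi' or 1=1; --", "x"), ("mallory", "x"), ("ravi", "")]:
        print(repr(user), "->", filter_login(user, pw))
```

The guard only recognises characters, so it reports nothing about the shape of the query that is eventually built; that is what the query-model check of the next section adds, and neither replaces binding values as parameters.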
1.3.2 AMNESIA
AMNESIA (Analysis and Monitoring for Neutralizing SQL Injection Attacks) is the prototype tool that
implements our technique to counter SQLIAs for Java-based web applications. AMNESIA is developed in Java and its
implementation consists of three modules that leverage various existing technologies and libraries:
Analysis module: This module implements Steps 1 and 2 of our technique. Its input is a Java web application and it outputs a
list of hotspots and an SQL-query model for each hotspot. For the implementation of this module, we leveraged JSA [5]. The
analysis module is able to analyze Java Servlets as well as JSP pages.
Instrumentation module: This module implements Step 3 of our technique. It inputs a Java web application and a list
of hotspots and instruments each hotspot with a call to the runtime monitor. We implemented this module using INSERT, a
generic instrumentation and monitoring framework for Java developed at Georgia Tech [4].
Runtime-monitoring module: This module implements Step 4 of our technique. It takes as input a query string and the ID of
the hotspot that generated the query, retrieves the SQL-query model for that hotspot, and checks the query against the model.
For this module, we also leveraged INSERT.
Figure 6 shows a high-level overview of AMNESIA. In the static phase, the Instrumentation Module and the Analysis
Module take as input a web application and produce (1) an instrumented version
of the application, and (2) an SQL-query model for each hotspot in the application. In the dynamic phase, the
Runtime-Monitoring Module checks the dynamic queries while users interact with the web application. If a query is
identified as an attack, it is blocked and reported. [2]
Steps of the AMNESIA Technique
Identify hotspots: Scan the application code to identify hotspots, points in the application code that issue SQL queries to the
underlying database.
Build SQL-query models: For each hotspot, build a model that represents all of the possible SQL queries that may be
generated at that hotspot. An SQL-query model is a non-deterministic finite-state automaton in which the transition labels
consist of SQL tokens, delimiters, and placeholders for string values.
Instrument application: At each hotspot in the application, add calls to the runtime monitor.
Runtime monitoring: At runtime, check the dynamically generated queries against the SQL-query model and reject and
report queries that violate the model.
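The four steps above, carried through for the paper's Show servlet as an added Python example (this is not AMNESIA's code, which is a Java tool built on JSA and INSERT, and it replaces the real SQL parser with a small regular-expression tokenizer). `show_hotspot` reproduces the hotspot's string concatenation unchanged; the two query templates that make up its model, and the function names, are assumptions of the example. The model is a union of token sequences, the simplest form of the non-deterministic automaton the paper describes, with `?` marking a placeholder that must match exactly one string literal.

```python
import re

# Token classes: string literals ('' escapes a quote), comments, numbers, words, placeholders, operators
TOKEN_RE = re.compile(
    r"(?P<str>'(?:[^']|'')*')"
    r"|(?P<comment>--[^\n]*|/\*.*?\*/)"
    r"|(?P<num>\d+(?:\.\d+)?)"
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<ph>\?)"
    r"|(?P<op><=|>=|<>|!=|[=<>(),;*+\-/])"
    r"|(?P<ws>\s+)",
    re.DOTALL,
)

def tokenize(sql):
    """Split SQL text into (kind, text) tokens; an unparseable character becomes a 'bad' token."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            tokens.append(("bad", sql[pos]))
            pos += 1
            continue
        pos = m.end()
        if m.lastgroup == "ws":
            continue
        text = m.group()
        if m.lastgroup == "word":
            text = text.upper()  # keywords and identifiers are compared case-insensitively
        tokens.append((m.lastgroup, text))
    return tokens

def build_query_model(templates):
    """Step 2: the model of a hotspot is the set of legitimate query shapes, one per
    control-flow path, written with '?' where the application inserts a string value."""
    return [tokenize(t) for t in templates]

def _accepts(path, tokens):
    """One automaton path accepts the query only if the tokens line up one-to-one."""
    if len(path) != len(tokens):
        return False
    for expected, actual in zip(path, tokens):
        if expected[0] == "ph":
            if actual[0] != "str":  # a placeholder matches exactly one string literal
                return False
        elif expected != actual:
            return False
    return True

def check_query(model, sql):
    """Step 4: the runtime monitor accepts the query if any path of the model matches."""
    tokens = tokenize(sql)
    return any(_accepts(path, tokens) for path in model)

def show_hotspot(login, password):
    """Step 1: the hotspot of the Show servlet, with its concatenation kept as on the page."""
    query = "SELECT info FROM userTable WHERE "
    if login != "" and password != "":
        query += "login='" + login + "' AND pass='" + password + "'"
    else:
        query += "login='guest'"
    return query

# Assumed model for the hotspot: one template per branch of show_hotspot
SHOW_MODEL = build_query_model([
    "SELECT info FROM userTable WHERE login=? AND pass=?",
    "SELECT info FROM userTable WHERE login='guest'",
])

def monitored_show(login, password):
    """Step 3 + 4: the instrumented hotspot. Returns (allowed, query)."""
    query = show_hotspot(login, password)
    return check_query(SHOW_MODEL, query), query

if __name__ == "__main__":
    for user, pw in [("ravi", "dBa#1"), ("", ""), ("ravi' or 1=1; --", "x"), ("admin'--", "x")]:
        allowed, query = monitored_show(user, pw)
        print("ALLOW " if allowed else "REJECT", query)
```

An injected quote ends the string literal early, so the tokens that follow (`OR`, `1`, `=`, a comment) have no counterpart in any model path and the query is rejected, while a legitimate value, however odd its characters, stays inside a single string-literal token and still matches the placeholder.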
1.4 SECURITY EXAMPLE OF SQL INJECTION
Websites of many banks, credit unions, smaller online retailers, and many government agencies remain highly
vulnerable to SQL injection attacks.
8th November 2010: (BBC News)
The Royal Navy's website has been hacked by a suspected Romanian hacker known as TinKode.
December 2009: (The New York Times)
An attacker breached a RockYou plaintext database containing the unencrypted usernames and passwords of about 32
million users using an SQL injection attack.
Some of the real world examples:
Most applications have a login screen, and we construct a dynamic SQL statement with the screen input as follows:
SELECT * FROM Users WHERE login = 'ravi' AND password = 'dBa#1';
If the attacker supplies the user name as ravi' or 1=1; -- then the statement becomes:
SELECT * FROM Users WHERE login = 'ravi' or 1=1; -- AND password = 'dBa#1';
If the above statement executes, the attacker gains access to the database, as 1=1 is always true.
The attacker could log on as any user, given that they know the user's name, using the following input:
Username: admin'--
If the user specifies the following:
Username: 'drop table users--
Password:
the 'users' table will be deleted, denying access to the application for all users.
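The tautology and comment inputs above, run against a small in-memory SQLite database, as an added Python example that is not part of this paper: `login_dynamic` pastes the screen input into the statement text (the dynamic SQL that the prevention list in section 1.2 says to avoid), while `login_static` sends the same values as bound parameters of a static query statement. The Users table, its two rows and the function names are constructed for the example; the semicolon is omitted from the `or 1=1` payload so that each call runs a single statement.

```python
import sqlite3

def make_db():
    """Constructed sample database with the page's example credentials (plain text, as on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("ravi", "dBa#1"), ("admin", "s3cret")])
    return conn

def login_dynamic(conn, login, password):
    """Vulnerable: the screen input becomes part of the SQL text (dynamic SQL)."""
    sql = ("SELECT login FROM Users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_static(conn, login, password):
    """Hardened: a static statement; the values travel as bound parameters, never as SQL."""
    sql = "SELECT login FROM Users WHERE login = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (login, password))]

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("ravi", "dBa#1"), ("ravi' or 1=1--", "wrong"), ("admin'--", "")]:
        print(repr(user), "dynamic:", login_dynamic(db, user, pw),
              "static:", login_static(db, user, pw))
```

With the dynamic version the `or 1=1` input matches every row and `admin'--` matches the admin row without a password; with bound parameters the database compares the whole input string to the login column, so both inputs match nothing.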
To illustrate how an SQLIA occurs, we introduce a simple example that we will use throughout the paper. The example is
based on a servlet, show.jsp, a possible implementation of which is shown here: [4]
1.4.1 Example of Secure Login by Java Language
import java.sql.*;
import javax.servlet.http.HttpServlet;

public class Show extends HttpServlet
{
    public ResultSet getUserInfo(String login, String password) throws SQLException
    {
        Connection conn = DriverManager.getConnection("MyDB");
        Statement stmt = conn.createStatement();
        String queryString = "";
        queryString = "SELECT info FROM userTable WHERE ";
        if ((! login.equals("")) && (! password.equals("")))
        {
            // hotspot: the user-supplied login and password are concatenated into the query text
            queryString += "login='" + login + "' AND pass='" + password + "'";
        }
        else
        {
            queryString += "login='guest'";
        }
        ResultSet tempSet = stmt.executeQuery(queryString);
        return tempSet;
    }
}
1.4.2 Example of Secure Login by Php Language
To prevent such an attack, a secure login technique is required. Here, in this article, we discuss the coding of a
secure login script using PHP and Mysql.
Step I:Create a database and a table 'members' in it:
CREATE TABLE `members` (`username` varchar (20), `password` varchar (128))
Step II: Create a Login Form:
<form action="process_login.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Login" /></form>
Connect to the MySQL server:
$host = 'localhost'; // Host name, normally 'localhost'
$user = 'root'; // MySQL login username
$pass = ''; // MySQL login password
$database = 'test'; // Database name
$table = 'members'; // Members table name
mysql_connect($host, $user, $pass);
mysql_select_db($database);
Step III: Now you need to provide a mechanism to avoid SQL injection. For this, escape special characters like " and '.
We can escape special characters (prepend a backslash) using the mysql_real_escape_string or addslashes functions. In most
cases PHP will do this automatically for you, but only if the magic_quotes_gpc setting is set to on in the
php.ini file. If the setting is off, we use the mysql_real_escape_string function to escape special characters. If you are using a PHP
version older than 4.3.0, you can use the addslashes function instead.
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);
$result = mysql_query("SELECT * FROM $table WHERE username = '$username' AND password = '$password'");
Here we use the MD5 (Message Digest 5) algorithm, which generates a message digest of the password. So, while writing
the script for the registration page, care must be taken that the MD5 digest of the password entered by the user is stored in the
database instead of the actual plain-text password.
Validating the login:
if (mysql_num_rows($result))
{
    session_start();
    $_SESSION['username'] = htmlspecialchars($username);
    // Redirect only after a successful login, and before any output is sent
    header('Location: http://www.example.com/loggedin.php');
    exit;
}
else
{
    // Invalid username/password
    echo '<p><strong>Error:</strong> Invalid username or password.</p>';
}
You are done! This code will help prevent the SQL injection problem. However, it must be noted that no script is 100%
secure, so it is advisable to provide a multilevel security process, which makes the login more secure.
II. CONCLUSION
In this paper we have discussed the many mechanisms and techniques used to prevent SQL injection in banking
transactions. We have presented a survey of the various types of SQL injection attacks on banks, the methods, and the
prevention techniques. In conclusion, the best and most suitable techniques are AMNESIA and X-Log Authentication. These
techniques are applied with different languages, such as Java and PHP.
REFERENCES
1. Research book "SQL Injection White Paper".
2. William G. J. Halfond and Alessandro Orso, "AMNESIA: Analysis and Monitoring for Neutralizing SQL Injection Attacks", College of Computing, Georgia Institute of Technology, ASE'05, November 7–11, 2005.
3. "Securing Web Application Code by Static Analysis and Runtime Protection", in Proceedings of the 12th International World Wide Web Conference (WWW 04), May 2004.
4. Steve Friedl's Unixwiz.net Tech Tips, "SQL Injection Attacks by Example".
5. Report on "Dukascopy: Forex Swiss Bank Vulnerable to SQL Injection".
6. Report on "HDFC Bank Database Hacked by zSecure team using SQL injection vulnerability".
7. Research book "SQL Injection Attacks and Defense", author Justin Clarke.
8. William G. J. Halfond and Alessandro Orso, "Preventing SQL Injection Attacks Using AMNESIA", College of Computing, Georgia Institute of Technology, ICSE'06, May 20–28, 2006, Shanghai, China.
9. Diallo Abdoulaye Kindy and Al-Sakib Khan Pathan, "A Survey on SQL Injection: Vulnerabilities, Attacks and Prevention Techniques", Department of Computer Science, International Islamic University Malaysia, Malaysia.
10. M. Ruse, T. Sarkar and S. Basu, "Analysis & Detection of SQL Injection Vulnerabilities via Automatic Test Case Generation of Programs", 10th Annual International Symposium on Applications and the Internet, pp. 31–37 (2010).
11. Wei, M. Muthuprasanna and Suraj Kothari, "Preventing SQL Injection Attacks in Stored Procedures", Dept. of Electrical and Computer Engineering, Iowa State University, Ames, IA 50011.