8/17/2019 SQLIA Review Paper
1/6
A Review on SQL Injection Prevention Technique
Navjot Verma, M. Tech CSE, Department of Computer Science, PUCITM, Mohali (Punjab), [email protected]
Amardeep Kaur, Assistant Professor, Department of Computer Science, PUCITM, Mohali (Punjab), amardeep_tiet@yahoo.com
Abstract- SQL injection is the most prevalent attack on today's web applications; it targets the database to gain unauthorized and illicit access. The web application acts as an intermediary between the user and the database. Often the SQL injection is fired by a well-known person, such as someone who previously worked in the organisation on the present database. Stopping SQL injection is a major concern for organisations today because it is the most serious attack on the database. SQLI attacks target databases that are reachable through a web front end. The SQLI prevention technique efficiently blocked all of the attacks without generating any false positives.
Keywords: SQL Injection, SQL Injection Prevention.
Introduction
An SQL injection attack allows attackers to gain control of the original query, obtain illegal access to the database, and extract or transform the database [1]. The main cause of SQL injection vulnerabilities is that attackers use the application's input channels to supply attack strings that contain special database commands. An SQLIA occurs when an attacker changes the SQL control flow by inserting new keywords [2]. A successful SQLI attack hinders the privacy, integrity and availability of the information in the database. In many cases, SQL injection is used to initiate a denial of service attack on web applications. The severity of the attack depends on the role or account under which the SQL statement is executed.
An attacker needs to know the loopholes in the application before launching an attack. Attackers use the input format, timing, performance and error messages to decide the type of attack suitable for an application. The database is the heart of many web applications, which is why databases are coming under a growing number of attacks. SQLIAs occur when data provided by the user is incorporated directly into the query and is not appropriately validated.
Phases used in web application security:
There are two types of phase:
Database layer: The database layer provides an object view of database information by applying schema semantics to database records, thereby isolating the upper layers of the directory service from the underlying database system. The database layer is an inner boundary that is not exposed to users. No database access calls are made directly to the Extensible Storage Engine; instead, all database access is routed through the database layer.
Application layer: refers to techniques for shielding Web applications at the application layer (the last layer of the seven-layer OSI model) from malicious attacks that may expose private information. Protection is applied to the application layer especially to protect against illegal access and attacks.
There are advantages of Web Security:
1. Internet sites are popular targets for crackers, and even without malicious intent, security holes can let accidents happen.
2. A good network is a secure network.
sensitive information, or at least information you don't want in the public domain before you are prepared.
Types of SQL Injection:
Some of the attacks are:
a) First order attack
Attackers target the database with strings attached to an input field and receive the answer immediately. Such attacks, which exploit the lack of validation of the input field parameter, are known as first order attacks.
b) Second order attack
The attacker attacks the database by inserting malicious queries into a table, but these queries are executed later from other actions.
c) Tautology attack
Conditional operators are used by the attackers in the SQL queries such that the query always evaluates to TRUE [1, 2, 3, 10].
SELECT * FROM student WHERE name = '' OR '1'='1';
d) Logically incorrect queries
An illegal query is used by the attacker to get a look at the whole database [1, 2, 3, 10].
SELECT * FROM student WHERE id = name;
e) Piggy-backed query
In this attack, the attacker tries to add on supplementary queries, terminating the first query by inserting ";" [1, 2, 4].
SELECT * FROM student WHERE roll_no=1; DROP TABLE student;
f) Timing attack
In this type of attack the IF ELSE statement is used for injecting queries [1, 2]. Examples: WAITFOR, IF, ELSE, BENCHMARK etc.
SELECT * FROM student WHERE roll_no=1-SLEEP(15);
g) Alternate encoding
The attacker modifies the injection query by using an alternate encoding such as hexadecimal, ASCII or Unicode [1, 2].
SELECT * FROM student WHERE roll_no=unhex('05');
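The following is an added example, not code from the paper, that replays the tautology and piggy-backed payloads from the list above against a constructed in-memory SQLite table. It shows how a query built by string concatenation is rewritten by the payload, and how the same text bound as a parameter is treated purely as data. The table, its rows and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample table (an assumption for this example, not from the paper).
STUDENTS = [(1, "alice"), (2, "bob"), (3, "carol")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (roll_no INTEGER, name TEXT)")
    conn.executemany("INSERT INTO student VALUES (?, ?)", STUDENTS)
    return conn

def find_by_name_concat(conn, name):
    """Vulnerable pattern: the user-supplied value is spliced into the query
    text, so quotes and keywords inside it become part of the SQL."""
    sql = "SELECT roll_no, name FROM student WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_by_name_bound(conn, name):
    """Hardened pattern: the value is bound as a parameter; the engine never
    parses it as SQL, so a payload is just an unusual string to match."""
    sql = "SELECT roll_no, name FROM student WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM student").fetchone()[0]

# Payloads from the attack types above: a first-order tautology and a
# piggy-backed statement.
TAUTOLOGY = "' OR '1'='1"
PIGGYBACK = "'; DROP TABLE student; --"

def concat_piggyback_rejected_by_driver(conn):
    """Python's sqlite3 refuses to execute() more than one statement, so the
    piggy-backed DROP is rejected here. That is a property of this driver
    (executescript() or other database drivers would run it) and must not be
    mistaken for a defence against the concatenation bug itself."""
    try:
        find_by_name_concat(conn, PIGGYBACK)
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(find_by_name_concat(db, TAUTOLOGY))   # every row leaks: the WHERE became a tautology
    print(find_by_name_bound(db, TAUTOLOGY))    # [] : no student has that literal name
    print(find_by_name_bound(db, PIGGYBACK), row_count(db))  # [] 3 : table untouched
```

Running the block shows the concatenated query returning all three rows for the tautology payload while the bound query returns nothing; the piggy-backed payload bound as a parameter leaves the table intact.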
Literature Survey
A. S. Gadgikar et al.: The SQL injection attack has become a major threat to web applications, as it gives unauthorized access [1]. This paper used a negative tainting approach with a linked list structure. The approach is implemented between the application program and the database server. All the symptoms of an SQL injection attack are stored in the database. The future goal is to improve the efficiency by reducing false positives. Multithreading can be used to reduce the time requirements. In this paper an SQL database is used for testing.
W. G. J. Halfond et al.: An SQLIA occurs when an attacker changes the developer's SQL command by inserting new SQL keywords or operators [2]. In this paper their approach works by identifying trusted strings and allowing only those trusted strings to be used to create the sensitive parts of the SQL query strings. The WASP (Web Application SQL injection Preventer) tool implements this technique. It stops all the attacks without generating false positives. As future work, the proposed approach can be applied to binary programs, and the efficiency of the technique can be further improved to reduce the amount of information required.
S. Roy et al.: SQL injection is the most serious vulnerability of web applications. In this paper a CS scanner is used that is lightweight, fast and has a low false positive rate [
S. Bangre et al.: SQL injection targets databases that are accessible through a web front end and takes advantage of flaws in the input validation logic of web components such as CGI scripts []. In this paper an input filter technique is used which checks the attribute value provided by the user through input fields for a single quote, a double dash and a space. The paper proposes a simple and effective method using an SQL query parameter counter to prevent SQLIA. It utilizes both static and dynamic analysis to detect SQL injection attacks. Future work is still needed on this paper because the research is not related only to SQL attacks on web applications but also to other web application attacks such as XSS.
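As an added example (not the code of the paper or of any surveyed tool), the block below implements the two checks just described: an input filter that rejects a field value containing a single quote, a double dash or a space, and a parameter counter that compares the number of WHERE predicates in the assembled query with the number the developer expected. It goes slightly beyond the paragraph by also exercising inputs that show where each check falls short: a legitimate name such as O'Brien is rejected by the filter, while the timing payload 1-SLEEP(15) passes both checks. The expected predicate count per query template is an assumption the application must supply.

```python
import re

# Input filter: a single quote, a double dash, or any whitespace is refused.
SUSPICIOUS_INPUT = re.compile(r"'|--|\s")

def input_filter(value):
    """True if the field value passes the filter, False if it is rejected."""
    return SUSPICIOUS_INPUT.search(value) is None

# Parameter counter: blank out string literals first so that AND/OR inside a
# value is not mistaken for an operator, then count the boolean operators that
# join predicates in the WHERE clause.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
BOOLEAN_OP = re.compile(r"\b(?:AND|OR)\b", re.IGNORECASE)

def count_predicates(sql):
    """Number of predicates in the WHERE clause (0 if the query has none)."""
    _, _, where = sql.partition(" WHERE ")
    if not where:
        return 0
    stripped = STRING_LITERAL.sub("''", where)
    return len(BOOLEAN_OP.findall(stripped)) + 1

def parameter_counter_ok(sql, expected_predicates):
    """True if the assembled query has exactly the predicates the template had."""
    return count_predicates(sql) == expected_predicates

# Constructed query templates (assumptions for this example) and the predicate
# count the developer expects from each.
NAME_TEMPLATE = "SELECT * FROM student WHERE name = '%s'"
ROLL_TEMPLATE = "SELECT * FROM student WHERE roll_no = %s"
EXPECTED = 1

def screen_name_lookup(value):
    """Run both checks on a name-field value; returns (filter_ok, counter_ok)."""
    return input_filter(value), parameter_counter_ok(NAME_TEMPLATE % value, EXPECTED)

def screen_roll_lookup(value):
    """Run both checks on a roll_no-field value; returns (filter_ok, counter_ok)."""
    return input_filter(value), parameter_counter_ok(ROLL_TEMPLATE % value, EXPECTED)

if __name__ == "__main__":
    print(screen_name_lookup("alice"))        # (True, True)   benign value
    print(screen_name_lookup("' OR '1'='1"))  # (False, False) tautology: both checks catch it
    print(screen_name_lookup("O'Brien"))      # (False, True)  filter false positive
    print(screen_roll_lookup("1-SLEEP(15)"))  # (True, True)   timing payload: neither check fires
```

The last two lines of output are the caveat: the quote/dash/space filter cannot tell an apostrophe in a real name from an injected one, and a counter keyed on predicates sees nothing wrong with an arithmetic expression that smuggles in a function call, so neither check is a substitute for keeping user data out of the query text.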
Existing Techniques:
Some of the existing techniques to prevent SQLIA are:
Positive Tainting: Positive tainting focuses on the recognition and marking of trusted strings. It uses the concept of syntax-aware evaluation. The system works in the following manner: (1) identifying trusted data sources; (2) allowing only data from such sources to form an SQL keyword or operator in query strings. Trusted data strings can be more readily identified than untrusted ones. The WASP (Web Application SQL injection Preventer) tool has implemented this approach. The approach is defined at the application level, requires no alteration of the runtime (JVM) system, and imposes low execution overhead. Positive tainting is used to check for SQLIA at runtime. The WASP tool works successfully: it blocked over 12000 attacks without generating false positives.
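The block below is an added illustration of the positive tainting idea described above, written for this review and not taken from WASP or the paper. A query is assembled from developer-written (trusted) and user-supplied (untrusted) fragments while remembering the provenance of every character; before execution the query is tokenised and every token is checked against the rule in steps (1) and (2): keywords, operators, punctuation, comments and the quotes delimiting a string literal must come wholly from trusted fragments, and untrusted data may only form a numeric literal or the text inside a trusted pair of quotes. The keyword list, the tokeniser and the class name are simplifications assumed for the example.

```python
import re

# Illustrative keyword subset (an assumption; a real checker uses the full grammar).
SQL_KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "union", "insert", "update",
    "delete", "drop", "table", "if", "else", "waitfor", "sleep", "benchmark", "unhex",
}

# Minimal SQL tokeniser: each alternative is one token kind.
TOKEN_RE = re.compile(
    r"\s+"                  # whitespace
    r"|'(?:[^']|'')*'"      # single-quoted string literal ('' escapes a quote)
    r"|--[^\n]*"            # line comment
    r"|/\*.*?\*/"           # block comment
    r"|[A-Za-z_]\w*"        # identifier or keyword
    r"|\d+"                 # numeric literal
    r"|.",                  # any other single character: operator or punctuation
    re.DOTALL,
)

class TaintedQuery:
    """Builds a query from trusted and untrusted fragments, keeping a trust
    mark per character so that tokens can be judged by their provenance."""

    def __init__(self):
        self._chars = []  # list of (character, is_trusted)

    def trusted(self, text):
        self._chars.extend((c, True) for c in text)
        return self

    def untrusted(self, text):
        self._chars.extend((c, False) for c in text)
        return self

    def text(self):
        return "".join(c for c, _ in self._chars)

    def violations(self):
        """Tokens that untrusted input was not allowed to contribute to.
        An empty list means the query passes the positive-tainting check."""
        bad = []
        for m in TOKEN_RE.finditer(self.text()):
            tok = m.group()
            if tok.isspace():
                continue
            trust = [t for _, t in self._chars[m.start():m.end()]]
            if all(trust):
                continue  # wholly developer-written: keyword, operator or literal, all fine
            if tok.isdigit():
                continue  # untrusted numeric literal: allowed
            if len(tok) >= 2 and tok[0] == "'" and tok[-1] == "'" and trust[0] and trust[-1]:
                continue  # untrusted characters inside a trusted pair of quotes: allowed
            bad.append(tok)   # untrusted keyword, operator, quote, comment or identifier
        return bad

def is_allowed(query):
    return not query.violations()

if __name__ == "__main__":
    benign = TaintedQuery().trusted("SELECT * FROM student WHERE name = '").untrusted("alice").trusted("'")
    tautology = TaintedQuery().trusted("SELECT * FROM student WHERE name = '").untrusted("' OR '1'='1").trusted("'")
    timing = TaintedQuery().trusted("SELECT * FROM student WHERE roll_no = ").untrusted("1-SLEEP(15)")
    print(benign.text(), "->", benign.violations())        # []
    print(tautology.text(), "->", tautology.violations())  # ["''", 'OR', "'1'", '=', "'1'"]
    print(timing.text(), "->", timing.violations())        # ['-', 'SLEEP', '(', ')']
```

Note that the check never asks what the untrusted text says, only where it ended up: an escaped apostrophe in a name (O''Brien) sits inside trusted quotes and passes, whereas a quote the user supplied becomes a literal delimiter of untrusted origin and is flagged even before the injected OR is reached.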
Negative tainting: Preventing SQL injection attacks using negative tainting provides uniqueness by using a linked list. This approach works on the untrusted strings and provides good response time for large database programs. The approach consists of (1) identifying hot spots in the application and (2) finding out SQL injection attacks using negative tainting. (
SQL-IDS:
Kemalis and Tzouramanis have suggested a novel specification-based methodology for the detection of exploitations of SQL injection vulnerabilities in "Specification based approach on SQL Injection detection" [
Schemes           | Tautology | Logically Incorrect Queries | Union Query | Stored Procedure | Piggy Backed Queries | Inference Attack | Alternating Encoding Attack
AMNESIA           | YES       | YES                         | YES         | NO               | YES                  | YES              | YES
SQLrand           | YES       | NO                          | NO          | NO               | YES                  | YES              | NO
CANDID            | YES       | NO                          | NO          | NO               | NO                   | NO               | NO
SQLGuard          | YES       | NO                          | NO          | NO               | NO                   | NO               | NO
SQLIPA            | YES       | YES                         | YES         | NO               | YES                  | YES              | YES
Negative Tainting | YES       | YES                         | YES         | NO               | YES                  | YES              | YES
Conclusion
References
[1] A. S. Gadgikar, "Preventing SQL injection attacks using negative tainting approach," in I International Conference on Computational Intelligence and Computing Research, 201
Computing Conference, IACC 2013, 2013, pp. 1317-1323.
[10] P. Kumar and R. K. Pateriya, "A Survey on SQL Injection Attacks, Detection and Prevention Techniques," no. July, 2012.
[11] X. Lu, B. Peltsverger, S. Chen, G. Southwestern, K. Qian, and S. Polytechnic, "A Static Analysis Framework For Detecting SQL Injection Vulnerabilities," no. Compsac, 2007.
[12] S. Thomas, L. Williams, and N. Carolina, "Using Automated Fix Generation to Secure SQL Statements [Short presentation paper]," 2007.
[13] K.. !wang, !.