Detection Block Model for SQL Injection Attacks

Full Text (PDF, 449 KB), pp. 56-63


Author(s)

Diksha G. Kumar 1,*, Madhumita Chatterjee 1

1. Pillai’s Institute of Information Technology, Navi Mumbai, 410216, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2014.11.08

Received: 2 Jan. 2014 / Revised: 16 Apr. 2014 / Accepted: 9 Jun. 2014 / Published: 8 Oct. 2014

Index Terms

SQL injection, information theory, entropy, web attacks, database security

Abstract

With the rapid development of the Internet, more and more organizations connect their databases to the Internet for resource sharing. However, because developers are not aware of all possible attacks, web applications become vulnerable to multiple attacks, and so the networked databases face multiple threats. Web applications generally follow a three-tier architecture in which the database sits in the third tier; it is the most valuable asset in any organization. SQL injection is an attack technique in which a specially crafted input string is entered in a user input field, submitted to the server, and the result is returned to the user. Through an SQL injection vulnerability, the database server is forced to execute malicious operations by means of crafted inputs, which may cause data loss or corruption, denial of access, and unauthenticated access to sensitive data. Because an attacker can directly compromise the database, this is a most threatening web attack. SQL injection occupies the first position in the top ten vulnerabilities specified by the Open Web Application Security Project, and it is probably the most common website vulnerability today. Current solutions to SQL injection attacks either have limited scope, i.e. they cannot be implemented across all platforms, or they do not cover all types of SQL injection attacks. In this work we implement a Message Authentication Code (MAC) based solution against SQL injection attacks. The model works on both the client and server side: the client side implements a filter function, and the server side is based on information theory. The MAC of the static query is compared with the MAC of the dynamic query to detect an SQL injection attack.
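The server-side idea described above, as an added illustration that is not code from the paper: a query is reduced to its structural token skeleton (literals collapsed to placeholders), an HMAC over that skeleton is recorded once for the static query, and the MAC of every dynamically built query is compared against it; a Shannon-entropy helper over the same tokens stands in for the information-theoretic measure. The tokenizer, the `{}` template placeholder, the benign sample value and the key are all assumptions made for this sketch.

```python
import hashlib
import hmac
import math
import re
from collections import Counter

# Assumed secret for the sketch; in a deployment the key lives only on the server.
KEY = b"constructed-demo-key"

# Tokenizer (assumed): string literals, numbers, identifiers/keywords, single punctuation chars.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z_0-9]*|[^\sA-Za-z_0-9]")


def skeleton(query):
    """Reduce a query to its structure: literals collapse to STR/NUM placeholders,
    so every benign value for a field yields the same token sequence."""
    out = []
    for tok in TOKEN_RE.findall(query):
        if tok.startswith("'"):
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        else:
            out.append(tok.upper())
    return out


def query_mac(query, key=KEY):
    """HMAC-SHA256 over the structural skeleton of a query, hex encoded."""
    return hmac.new(key, " ".join(skeleton(query)).encode(), hashlib.sha256).hexdigest()


def entropy(tokens):
    """Shannon entropy (bits) of the token distribution; an injected clause
    changes the structure and therefore shifts this value."""
    counts = Counter(tokens)
    n = len(tokens)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def register(template, sample, key=KEY):
    """Done once per static query: fill the template with a benign sample value
    and record the reference MAC of its structure."""
    return query_mac(template.replace("{}", sample), key)


def is_injection(reference_mac, template, user_input, key=KEY):
    """Build the dynamic query by plain string substitution (the vulnerable pattern)
    and flag it when its structural MAC differs from the registered one."""
    dynamic = template.replace("{}", user_input)
    return not hmac.compare_digest(reference_mac, query_mac(dynamic, key))
```

Any benign value leaves the skeleton, and hence the MAC, unchanged, while input that adds or removes SQL tokens produces a different MAC; a value containing an unescaped quote is also flagged, which is where the paper's client-side filter would come in.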

Cite This Paper

Diksha G. Kumar, Madhumita Chatterjee, "Detection Block Model for SQL Injection Attacks", International Journal of Computer Network and Information Security (IJCNIS), vol. 6, no. 11, pp. 56-63, 2014. DOI: 10.5815/ijcnis.2014.11.08
