Coalesce Techniques to Secure Web Applications and Databases against SQL Injection Attacks
Khaleel Ahmad (1), Jayant Shekhar (2), K.P. Yadav (3)
(1, 2) CSE/IT Department, S.I.T.E., Swami Vivekanand Subharti University
(3) CSE/IT Department, ACME College of Engineering, UPT University
(1, 2, 3) (U.P., India)
e-mail: [email protected], [email protected], [email protected]
Abstract - SQL injection attacks are one of the gravest threats to web applications. In this paper, we propose coalesced techniques to mitigate SQL injection attacks and focus on the design of the attack protection module. These techniques are based on a filter, a cryptographic hash function, the linear probing technique, customized error messages and the POST method. The filter detects malformed SQL queries, whereas the hash function matches the hash values of submitted usernames and passwords against stored hash values. Linear probing addresses data collisions in the account table, and customized error messages address the debug-message problem: they stop the reconnaissance progress of threat agents.
Keywords - SQL Injection; Database Security; Authentication; Linear probing; Error Message; POST Method; Filter
I. INTRODUCTION
The rapid growth of the Internet has created many services that have become an integral part of our daily life. Web applications can be accessed over the Internet from any web browser running on any operating system and architecture. They have become ubiquitous due to the convenience, flexibility, availability and interoperability that they provide [1]. Web applications are used for making reservations, paying bills and shopping online. They are vulnerable to a variety of new security threats, and SQL injection attacks (SQLIAs) are among the most significant [2, 3, 13]. The rapid growth of SQLIAs poses immense security risks, as they give attackers unrestricted access to the databases that lie beneath web applications.
In 2008, more than 500,000 legitimate websites were compromised and used to spread malware; these included UK government websites, the United Nations and the US Department of Homeland Security [4, 5]. According to an annual report published in February 2009, more than 30% of reported website compromises were carried out through SQL injection [6]. Web applications remain commonly vulnerable to these attacks, which were rated the major cause of attacks on web-based applications in 2010 by OWASP [29].
An SQL injection attack inserts ('injects') malformed SQL queries via the input data sent from the client to the application. A successful SQL injection can read sensitive data from the database, modify database data (insert/update/delete), execute administrative operations on the database (e.g. shut down the DBMS), recover the contents of a given file present on the DBMS file system and, in some cases, issue commands to the operating system [7-13]. As a result of such attacks, the confidentiality, integrity and availability of information can be jeopardized.
II. SQL INJECTION ATTACKS
SQL (Structured Query Language) is a textual language used for interaction with relational databases. The typical unit of execution in SQL is the 'query', a collection of statements that usually returns a single 'result set'. SQL statements can modify the structure and manipulate the contents of databases through DDL and DML commands. SQL 'injection' occurs when an attacker is able to insert a series of SQL statements into a query by manipulating the data input into an application. Some SQL injection attacks from [1, 13, 14] are shown in Table 1. Based on an exhaustive review of SQL injection attacks [15, 16, 17, 18, 19, 20, 21, 22], a typical SQL statement that such an attack targets may look like this:
SELECT * FROM Users WHERE User_id = 'abc' AND Password = 'tcy12'
(SQL Statement 1)
Many such SQL queries were used in our testing. SQL Statement 1 selects all columns from the Users table, returning every row where User_id is 'abc' and Password is 'tcy12'. A cardinal point is that the string literals 'abc' and 'tcy12' are delimited with single quotes. If, at login time, the User_id and Password values are taken directly from user-supplied input, an attacker can 'inject' SQL by entering values into the web application such as:

User_id: 1' OR '1'='1
Password: 1' OR '1'='1

The resulting query string is:

a) SELECT * FROM Users WHERE User_id = '1' OR '1'='1' AND Password = '1' OR '1'='1'

When the database runs this query, it executes without any error. The final OR '1'='1' is always true, so the WHERE clause matches every row of the table, and the application logs the attacker in as the first user returned without a valid login. In this way the attacker gains access to unauthorized information.
Table 1. User/Attacker input in form of SQL query

S.No. | User/Attacker input | Input in form of SQL query
1 | User submits login "doe" and pin "123" to access the database; the application dynamically builds the query [1] | SELECT acct FROM users WHERE login='doe' AND pin=123
2 | Attacker enters "' OR 1=1 --" as the username and any value as the pin (for example "0"); the resulting query [1] | SELECT acct FROM users WHERE login='' OR 1=1 -- ' AND pin=0
3 | User submits login "guest" and password "secret" to access the database; the application dynamically builds the query [14] | Select member_id, member_level from members where member_login='guest' and member_password='secret'
4 | A malicious user enters "' or 1=1 --" in the first field and leaves the second field blank; the resulting query [14] | Select member_id, member_level from members where member_login='' or 1=1 -- ' and member_password=''
III. LITERATURE REVIEW
Various techniques have been proposed for preventing SQL injection attacks. In [23], SQLrand was proposed which uses instruction set randomization of SQL statements to check SQL injection attacks. It uses a proxy to append the key to SQL keywords. A de-randomizing proxy then converts the randomized query into appropriate SQL queries for the database. The key is not known to the attacker, so the code injected by attacker is treated as undefined keywords and expressions which cause runtime exceptions, and the query is not sent to the database. The disadvantage of this system is its complex configuration and the security of the key. If the key is exposed, the attacker can formulate queries for a successful attack.
Halfond and Orso in [24] developed AMNESIA, which is a model-based technique that combines static and dynamic analysis. The tool first identifies hotspots where SQL queries are issued to database engines. At each hotspot, a query model is developed by using Non-Deterministic Finite Automata (NDFA). The hotspot is instrumented with monitor code, which matches the dynamically generated query against the query model. If a generated query is not consumed by NDFA, then it is an attack.
Su and Wassermann in [25] based their work on a formal definition of SQL injection attack. In their definition, SQL injection occurs when the intended syntactic structure of SQL queries is changed by tainted input. In order to check whether this policy is violated by a program, they track tainted input dynamically by enclosing it within randomly generated markers. When the program issues an SQL query, the markers indicate the points of the query that contain potentially malicious values.
Cova, Balzarotti et al. in [26] proposed an anomaly-based approach for the detection of state violations in web applications. They used Swaddler to analyse the internal state of a web application and to learn the relationship between critical execution points and that internal state. Swaddler identifies attacks that attempt to violate the intended workflow of a web application.
Cristian Pinzón in [27] designed an agent for the detection and prevention of SQL injection queries at the database layer of an application. The agent incorporates a case-based reasoning mechanism whose main characteristic is a mixture of neural networks that carry out the task of filtering attacks. MeiJunjin in [28] proposed an approach for the detection of SQL injection vulnerabilities, combining static analysis, dynamic analysis and automated testing. The approach traces user input to the vulnerable location in the code.
Angelo Ciampa in [29] proposed an approach and a tool named V1p3R ("viper") for web-application penetration testing. The approach is based on pattern matching of error messages and of the outputs produced by the application under test; it relies on an extensible knowledge base consisting of a large set of templates.
IV. PROPOSED TECHNIQUES

A. Filter
We place a filter (see Figure 1) between the web application server and the database server to reject abnormal or malicious SQL injection queries. If the submitted username and password would form an SQL injection query, the filter does not pass the query to the database server, and the client-side web page reports that the username and password are invalid. The filter checks that the username and password are not a combination of operators, special characters and specific characters, for example:

7. ') or ('a'='a
8. " or 0=0 #

Apart from the SQL injection queries mentioned above, strings that merely contain an operator keyword (such as OR or LIKE) as a substring are not injection queries and remain acceptable as username and password, for example:

1. ORIFICE
2. MLIKE
3. MOORE
Figure 1. Filter
If operators are combined with the equals sign, special characters or specific characters so that they form an SQL injection query, the filter discards the username and password. A single operator on its own cannot form an SQL injection query, so the filter allows a lone operator to serve as the username or password, but not the special and specific characters.

The filter also checks the username and password fields for single-line comments, multi-line comments and the concatenation operator (double pipe). If any of these is present in the username or password, the filter discards the entered values:

• -- or # single-line comment
• /* ... */ multiple-line comment
• || concatenate (double pipe)
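An implementation of the filter rules above, added here as a Python example (not the authors' code). The operator keyword set and the special-character set are assumptions, since the paper names only the OR/LIKE-containing strings ORIFICE, MLIKE and MOORE as acceptable input; the function names are ours. The rules are applied in the order the text gives them: comment and concatenation markers are rejected outright, an operator keyword combined with special characters is rejected, and a lone operator word or a lone special character is allowed.

```python
import re

# Assumed operator keyword set (the paper's examples imply at least OR and LIKE).
OPERATOR_WORDS = {"OR", "AND", "LIKE", "UNION", "SELECT"}
# Assumed "special characters" that turn an operator into an injection.
SPECIAL_CHARS = set("'\"=();")
# Comment markers and the double-pipe concatenation are always rejected.
COMMENT_MARKERS = ("--", "#", "/*", "*/", "||")


def reject_reason(value):
    """Return None if `value` passes the filter, otherwise a short reason."""
    for marker in COMMENT_MARKERS:
        if marker in value:
            return f"comment/concatenation marker {marker!r}"
    # Operators are matched as whole alphabetic words, so ORIFICE is not OR.
    words = {w.upper() for w in re.findall(r"[A-Za-z]+", value)}
    has_operator = bool(words & OPERATOR_WORDS)
    has_special = any(ch in SPECIAL_CHARS for ch in value)
    if has_operator and has_special:
        return "operator combined with special characters"
    return None  # lone operator word, or special characters alone, are allowed


def credentials_pass_filter(username, password):
    """Both fields must pass before the query is forwarded to the database."""
    return reject_reason(username) is None and reject_reason(password) is None


def filter_report(samples):
    """Map each sample input to its verdict; handy when tuning the lists."""
    return {s: ("reject: " + r if (r := reject_reason(s)) else "allow") for s in samples}
```

Because this is a blacklist it is only a tripwire: an input such as x'; DROP TABLE users contains none of the listed operator words and passes, and O'Brian passes as the text intends. The filter therefore has to sit in front of the defenses in Section V (whitelist validation, least privilege) and of parameterized queries, not replace them.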
B. The Three Components
The three components in the architecture of our proposed technique are as follows:

a) User login interface
b) SQL injection protector for authentication
c) User account table

The user account table stores the users' account data. The SQL Injection Protector for Authentication (SQLIPA) is the core component of the architecture (see Figure 2). SQLIPA generates the hash values of the username and password when the user account is created (see Figures 3 & 4) and stores them; at login it hashes the submitted values and checks them against the stored hash values. If both match, access to the account is granted, otherwise access is denied.
Figure 2. Architecture of the proposed technique
Figure 3. Login form
We use the linear probing technique (also known as rehashing) for storing and retrieving data. It resolves collisions at storing time (two keys hashing to the same slot) and the resulting ambiguity at retrieving time: a key whose slot is already occupied is placed in the next free location [30]. The rehashing function is:

Rehash(key) = (n + 1) % K

where n is the value that collided and K is the table size.

Figure 4. Account Information Table in Database

Test algorithm (K = 5 slots for integers; input: 1, 5, 21, 27, 25):

# To insert 1: 1 % 5 = 1, therefore 1 is stored at array[1].
# To insert 5: 5 % 5 = 0, therefore 5 is stored at array[0].
# To insert 21: 21 % 5 = 1; slot 1 is occupied, so rehashing is done: 22 % 5 = 2, therefore 21 is stored at array[2], and so on.
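The hash-and-store design of Section IV.B and the linear probing scheme above, carried out in one added Python example (not the authors' code). The paper does not name its hash function; this example assumes SHA-256 of the username for home-slot selection and a salted PBKDF2-HMAC-SHA256 hash for the password, compared in constant time. The class and function names are ours. The integer walk-through (K = 5; keys 1, 5, 21, 27, 25) is reproduced and carried to its end.

```python
import hashlib
import hmac
import os


class LinearProbingTable:
    """Fixed-size open-addressing table.

    Home slot: h(key) % K. On collision the index is rehashed as (n + 1) % K
    until a free slot (or the key itself) is found. Deletion is deliberately
    unsupported: an empty slot ends a probe chain, so removing an entry would
    hide keys stored beyond it.
    """

    def __init__(self, size, hash_fn=lambda key: key):
        self.size = size            # K
        self.hash_fn = hash_fn      # identity for the integer example
        self.slots = [None] * size  # each slot is None or (key, value)

    def _probe(self, key):
        n = self.hash_fn(key) % self.size
        for _ in range(self.size):   # at most K probes
            yield n
            n = (n + 1) % self.size  # the rehashing step

    def insert(self, key, value):
        for i in self._probe(key):
            if self.slots[i] is None or self.slots[i][0] == key:
                self.slots[i] = (key, value)
                return i             # slot actually used
        raise OverflowError("table is full")

    def find(self, key):
        for i in self._probe(key):
            entry = self.slots[i]
            if entry is None:
                return None          # reached an empty slot: key is absent
            if entry[0] == key:
                return entry[1]
        return None                  # every slot probed, key not present

    def keys_by_slot(self):
        return [None if s is None else s[0] for s in self.slots]


def paper_example():
    """The walk-through from the text: K = 5, keys 1, 5, 21, 27, 25."""
    table = LinearProbingTable(5)
    for key in (1, 5, 21, 27, 25):
        table.insert(key, key)
    return table.keys_by_slot()


def _username_slot_hash(username):
    # Assumption: truncated SHA-256 of the username picks the home slot.
    return int.from_bytes(hashlib.sha256(username.encode()).digest()[:8], "big")


def _password_hash(password, salt):
    # Assumption: salted PBKDF2-HMAC-SHA256; the paper names no hash function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CredentialStore:
    """User account table backed by LinearProbingTable (the SQLIPA hash check)."""

    def __init__(self, size=64):
        self.table = LinearProbingTable(size, _username_slot_hash)

    def create_account(self, username, password):
        salt = os.urandom(16)        # per-account salt stored beside the hash
        return self.table.insert(username, (salt, _password_hash(password, salt)))

    def verify_login(self, username, password):
        record = self.table.find(username)
        if record is None:
            return False             # unknown user, e.g. an injected string
        salt, stored = record
        return hmac.compare_digest(stored, _password_hash(password, salt))
```

Because the account lookup is a hash-table probe rather than an SQL statement, a username such as 1' OR '1'='1 is simply an unknown key and the login fails; the stored password hash is never compared against attacker-chosen SQL.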
C. Customized Error Message

Error messages here relate to blind SQL injection. A flood of informative error messages can hand the attacker the knowledge needed to access the database, such as table and column names, the DBMS type and the exact injection point. Removing error messages completely, however, makes debugging difficult. Customized error messages, which return a generic message to the client while the full detail is kept in the server log, hinder the reconnaissance progress of threat agents, particularly in deducing specific details such as injectable parameters.
D. POST Method

Data is sent to the server with the POST method. With POST the parameters travel in the body of the request rather than in the URL, so the username and password do not appear in the address bar, browser history, referrer headers or web server access logs. Note that POST hides the parameters only from casual observation and logging; an attacker who crafts the request can still place any value in the body, so the filter and hash check above remain necessary.
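A login handler that ties together the POST requirement and the customized error message of Sections IV.C and IV.D, added here as a Python example (not the authors' code). The in-memory Users table, the message strings and the function names are constructed for illustration; the password is stored as a salted PBKDF2 hash, an assumption since the paper names no hash function.

```python
import hashlib
import hmac
import logging
import os
import sqlite3

log = logging.getLogger("login")
GENERIC_FAILURE = "Invalid username or password."        # shown to the client
GENERIC_ERROR = "The service is temporarily unavailable."  # shown on DB errors


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db(with_table=True):
    """Constructed in-memory Users table (not from the paper)."""
    conn = sqlite3.connect(":memory:")
    if with_table:
        conn.execute("CREATE TABLE Users (User_id TEXT PRIMARY KEY, Salt BLOB, Hash BLOB)")
        salt = os.urandom(16)
        conn.execute("INSERT INTO Users VALUES (?, ?, ?)",
                     ("abc", salt, _pw_hash("tcy12", salt)))
    return conn


def handle_login(conn, method, form):
    """Return (http_status, body) for one login request.

    `form` is the parsed POST body as a dict. Credentials arriving any other
    way (e.g. in a GET query string) are refused so they never reach the URL,
    browser history or access logs.
    """
    if method != "POST":
        return 405, "Credentials must be sent with POST."
    user = form.get("User_id", "")
    pw = form.get("Password", "")
    try:
        # Parameterized lookup: the username is bound as data, not SQL text.
        row = conn.execute(
            "SELECT Salt, Hash FROM Users WHERE User_id = ?", (user,)
        ).fetchone()
    except sqlite3.Error as exc:
        # The real cause goes to the server log only; the client sees nothing
        # that reveals the schema, the DBMS or the injection point.
        log.error("login query failed (user=%r): %s", user, exc)
        return 500, GENERIC_ERROR
    # Hash even for an unknown user so response time gives no enumeration hint.
    salt, stored = row if row is not None else (b"\x00" * 16, b"\x00" * 32)
    ok = hmac.compare_digest(stored, _pw_hash(pw, salt))
    if row is None or not ok:
        return 401, GENERIC_FAILURE  # one message for unknown user and wrong password
    return 200, f"Welcome, {user}."
```

The last assertion in use: when the Users table is missing, sqlite3 raises "no such table", but the response body carries only the generic text; the detail is available in the server log where the developer, not the attacker, can read it.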
V. CONCLUSIONS
SQL injection is a common technique by which attackers use SQL queries to attack web-based applications. These attacks reshape SQL queries and thus alter the behaviour of the program for the benefit of the attacker.
Besides adopting the proposed coalesced techniques, we also recommend adopting the additional defenses given below, in order to provide defense in depth.
• Least Privilege
• White List Input Validation
To minimize the potential damage of a successful SQL injection attack, minimize the privileges assigned to every database account in the environment. Do not assign DBA or administrator-type access rights to application accounts. It is always preferable to prevent attacks before the user's (attacker's) request is processed: input validation can detect unauthorized input before it is passed to the SQL query.
Developers frequently perform blacklist validation to try to detect attack characters and patterns, such as the ' character or the string 1=1. This is a massively flawed approach, as it is typically trivial for an attacker to evade such filters. In addition, such filters frequently block legitimate input, like O'Brian, when the ' character is filtered out.
SQLIAs have evolved over the years, and information security researchers have invented innovative techniques to eliminate a number of the problems. The mode of attack and its various methodologies define the craft of providing security to web-based applications. If the suggestions given in this article are implemented, web applications and databases will be considerably more secure against SQL injection attacks. The techniques described here can also be explored further in future work to enhance security in the field of web applications and databases.
REFERENCES
[1] William G.J. Halfond, Alessandro Orso, and Panagiotis Manolios, "WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation," IEEE Transactions on Software Engineering, Vol. 34, No. 1, January/February 2008.
[2] "Top Ten Most Critical Web Application Vulnerabilities", OWASP Foundation, http://www.owasp.org/documentation/topten.html, 2005.
[3] Craig Ulmer, Maya Gokhale, Brian Gallagher, Philip Top, and Tina Eliassi-Rad, "Massively Parallel Acceleration of a Document-Similarity Classifier to Detect Web Attacks," Journal of Parallel and Distributed Computing, pp. 225-235, 2010.
[4] Hackers jack thousands of sites, including U.N. domains http://www.computerworld.com/action/article.do?command=viewArti cleBasic&articleId=9079961
[5] Hackers hijack a half-million sites in latest attack
http://www.computerworld.com/action/article.do?command=viewArti cleBasic&articleId=9084991
[6] http://www.breach.com/resources/whitepapers/downloads/WP_ WebHackingIncidents_2008.pdf.
[7] Jaroslaw Skaruz, Jerzy Pawel Nowacki, and Aldona Drabik, “Soft Computing Techniques for Intrusion Detection of SQL-Based Attacks,” Springer-Verlag Berlin Heidelberg, LNAI 5990, pp. 33-42, 2010.
[8] Xu Ruzhi, Guo jian and Deng Liwu, “A Database Security Gateway to the Detection of SQL Attacks,” IEEE 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE) , page v3-537-540, 2010.
[9] Yaashuwanth .C and R. Ramesh, “Attacks in WEB Based Embedded Applications,” International Journal of Computer Sciences Issues (IJCSI) Vol. 7, Issue 6, ISSN:1694-0814, Nov 2010.
[10] Prithvi Bisht, A. Prasad Sistla, and V.N. Venkatakrishnan, “Automatically preparing Safe SQL Queries,” Springer-Verlag Berlin Heidelberg, LNCS 6052, pp. 272-288, 2010.
[11] Sushila Madan and Supriya Madan, “Security Standards Perspective to Fortify Web Database Applications From Code Injection Attacks,” IEEE International Conference on Intelligent Systems, Modeling and Simulation, page 226-230, 2010.
[12] Hossain Shahriar and Mohammad Zulkernine, “Taxonomy and Classification of Automatic Monitoring of Program Security Vulnerability Exploitations,” The Journal of Systems and Software, pp. 250-269, 2010 (www.elsevier.com/locate/jss).
[13] Ankit Anchila and Sheela Jain, “A Novel Injection Aware Approach for the Testing of Database Applications,” IEEE International Conference on Recent Trends in Information, Telecommunication and Computing, page 311- 312, 2010.
[14] H. Shahriar and M. Zulkernine, "MUSIC: Mutation-based SQL Injection Vulnerability Checking," The Eighth International Conference on Quality Software, IEEE Computer Society, 2008.
[15] Angelos D. Keromytis, "Randomized Instruction Sets and Runtime Environments," IEEE Security & Privacy, IEEE Computer Society, 2009.
[16] A.Asmawi, Z.M.Sidek, and S.A.Razak, “System Architecture for SQL Injection and Insider Misuse Detection System,” IEEE Conference, 2008.
[18] J.C. Lin, J.M. Chen, and C.H. Liu, "An Automatic Mechanism for Sanitizing Malicious Injection," The 9th International Conference for Young Computer Scientists, IEEE Computer Society, 2008.
[19] A. Suliman, M. K. Shankarapani, S. Mukkamala, and A.H. Sung, "RFID Malware Fragmentation Attacks," IEEE Conference, 2008.
[20] Y. Kosuga, K. Kono, M. Hanaoka, M. Hishiyama, and Y. Takahama, "Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection," 23rd Annual Computer Security Applications Conference, IEEE Computer Society, 2007.
[21] J.C. Lin and J.M. Chen, “The Automatic Defense Mechanism for Malicious Injection Attack,” Seventh International Conference on Computer and Information Technology, IEEE Computer Society, 2007.
[22] E. Bertino, A. Kamra, and James P. Early, “Profiling Database Applications to Detect SQL Injection Attacks,” IEEE Conference, 2007.
[23] S. W. Boyd and A. D. Keromytis, “SQLRand: Preventing SQL injection attacks”, In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, Springer-Verlag, June 2004.
[24] William G.J. Halfond and Alessandro Orso, “AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks,”
Proc. 20th IEEE and ACM Int’l conf. Automated Software Engg., Nov. 2005.
[25] Zhendong Su and Gary Wassermann, “The Essence of Command Injection Attacks in Web Applications”, In ACM Symposium on Principles of Programming Languages (POPL), 2006.
[26] M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna, "Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications," Recent Advances in Intrusion Detection (RAID), Gold Coast, Australia, pp. 63-86, 2007.
[27] Cristian Pinzón, Yanira De Paz, and Rosa Cano, "Classification Agent-Based Techniques for Detecting Intrusions in Databases," HAIS 2008, LNAI 5271, pp. 46-53, Springer-Verlag Berlin Heidelberg, 2008.
[28] MeiJunjin, “An approach for SQL injection vulnerability detection”, Sixth International Conference on Information Technology: New Generations: pp. 1411-1414, 2009.
[29] Angelo Ciampa, Corrado Aaron Visaggio, and Massimiliano Di Penta, “A heuristic-based approach for detecting SQL-injection vulnerabilities in Web applications,” ACM SESS’10, Cape Town South Africa, pages 43-49, May 2, 2010.