
International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 4, Issue 10, October 2014)

697

A Novel Approach of Preventing SQL Injection Attacks with the Use of Combinatorial Approach

P. Naga Raju 1, P. Uma Rani 2, Eshwari Devi 3

1 Associate Professor, 2,3 M.Tech Scholars, 1,2,3 Sri Indu College of Engg and Tech, Ibrahimpatan, Hyderabad, TS, India

Abstract-- This paper describes a combinatorial approach for protecting web applications against SQL injection, a novel idea that combines the strengths of a signature-based method and an auditing method. SQL injection is the foremost issue in web application security: it can give attackers unrestricted access to the data that underlies web applications. Many software systems have evolved to include a Web-based component that makes them accessible to the public via the Internet and exposes them to a variety of Web-based attacks, of which SQL injection has become increasingly frequent and serious. This paper presents a new, highly automated approach for protecting web applications against SQL injection that has both conceptual and practical advantages over most existing techniques. From a conceptual standpoint, the approach is based on the novel idea of positive tainting and on the concept of syntax-aware analysis. From a practical standpoint, our technique is precise and efficient, has minimal deployment requirements, and incurs a negligible performance overhead in most cases. We have implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool, which we used to perform an empirical evaluation on a wide range of web applications that we subjected to a large and varied set of attacks and legitimate accesses. WASP was able to stop all of the otherwise successful attacks and did not generate any false positives.

I. INTRODUCTION

SQL injection techniques are an increasingly dangerous threat to the security of data stored in Oracle databases. These techniques are being discussed with greater regularity on security mailing lists, on forums, and at conferences. Many good papers have been written about SQL injection and several about the security of Oracle databases and software, but few focus on SQL injection against Oracle software. The objective here is to introduce Oracle users to some of the risks of SQL injection and to suggest some simple ways of protecting against these kinds of attack.

Web applications are applications that can be accessed over the Internet using any compliant browser, running on any operating system and architecture. They have become ubiquitous because of the convenience, flexibility, availability, and interoperability that they provide. Unfortunately, web applications are also vulnerable to a variety of new security threats, and SQL Injection Attacks (SQLIAs) are one of the most significant of them. SQLIAs have become increasingly frequent and pose very serious security risks because they can give attackers unrestricted access to the databases that underlie web applications, which hold personal information about customers. One way in which this happens is that an attacker submits input strings that contain specially encoded database commands; when the web application builds a query using these strings and submits the query to its underlying database, the attacker's embedded commands are executed by the database and the attack succeeds. The results of these attacks are often disastrous and include the leaking of sensitive data. To avoid this we use a new technique named WASP.

Existing dynamic tainting approaches check only untrusted data: they mark certain untrusted data (typically user input) as tainted, track the flow of tainted data at runtime, and prevent this data from being used in potentially harmful ways. Researchers have proposed a wide range of alternative techniques to address SQLIAs, but many of these solutions have limitations that affect their effectiveness and practicality. For example, one common class of solutions is based on defensive coding practices, which have been less than successful for three main reasons.


II. LITERATURE SURVEY

Over the past several years, attackers have developed a wide array of sophisticated attack techniques that can be used to exploit SQL injection vulnerabilities. These techniques go beyond the well-known SQLIA examples and take advantage of obscure and advanced SQL constructs. Ignoring the existence of these kinds of attacks leads to solutions that only partially address the SQLIA problem. For example, developers and researchers often assume that SQLIAs are introduced only via user input that is submitted as part of a web form. This assumption misses the fact that any external input that is used to build a query string may represent a possible channel for SQLIAs. In fact, it is common to see other external sources of input, such as fields from an HTTP cookie or server variables, used to build a query. Since cookie values are under the control of the user's browser and server variables are often set from HTTP header values, these values are really external strings that can be manipulated by an attacker. In addition, second-order injections use advanced knowledge of vulnerable applications to introduce attacks through otherwise properly secured input sources. A developer may appropriately escape, type-check, and filter input that comes from the user and assume that it is safe. Later, when that data is used in a different context or to build a different type of query, the previously safe input may enable an injection attack. Once attackers have identified an input source that can be used to exploit an SQLIA vulnerability, there are many different attack techniques that they can leverage.
Depending on the type and extent of the vulnerability, the results of these attacks can include crashing the database, gathering information about the tables in the database schema, establishing covert channels, and open-ended injection of virtually any SQL command. Here, we summarize the main techniques for performing SQLIAs and provide additional information and examples of how these techniques work.
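The second-order case described above, as an added worked example (Python with an in-memory SQLite database; this is not code from the paper or from WASP): registration stores an attacker-chosen username safely with a parameterized query, but a later password change treats the username read back from the application's own database as safe and concatenates it into a query, which is exactly the channel the paragraph warns about. The table, user names and passwords are constructed for this example.

```python
import sqlite3


def setup():
    """Constructed sample database: one legitimate admin account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'admin-secret')")
    con.commit()
    return con


def register(con, username, password):
    # First-order input is handled correctly: the query is parameterized, so a
    # username such as  admin'--  is stored literally and does nothing here.
    con.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    con.commit()


def change_password_vulnerable(con, session_username, new_password):
    # The username is read back from the application's own database, so the
    # developer treats it as trusted and concatenates it.  The stored quote and
    # comment marker now reach the SQL parser: a second-order injection.
    row = con.execute("SELECT username FROM users WHERE username = ?",
                      (session_username,)).fetchone()
    stored_username = row[0]
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (
        new_password, stored_username)
    con.execute(sql)          # runs: ... WHERE username = 'admin'--'
    con.commit()
    return sql


def change_password_fixed(con, session_username, new_password):
    # Same operation with the stored value passed as a parameter, so its origin
    # no longer matters: the database receives it as data, never as syntax.
    row = con.execute("SELECT username FROM users WHERE username = ?",
                      (session_username,)).fetchone()
    con.execute("UPDATE users SET password = ? WHERE username = ?",
                (new_password, row[0]))
    con.commit()


def password_of(con, username):
    return con.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()[0]


def run(change_password):
    """Attacker registers  admin'--  and then changes 'their own' password.
    Returns (admin's password, attacker's password) afterwards."""
    con = setup()
    register(con, "admin'--", "attacker-pw")
    change_password(con, "admin'--", "owned")
    return password_of(con, "admin"), password_of(con, "admin'--")


if __name__ == "__main__":
    print("vulnerable:", run(change_password_vulnerable))  # ('owned', 'attacker-pw')
    print("fixed:     ", run(change_password_fixed))       # ('admin-secret', 'owned')
```

The point of the example is that the registration code is not at fault and no amount of input filtering at that boundary would have helped; the vulnerable step is the one that treats data as trusted because of where it was read from rather than where it originally came from. A defense that marks only known-untrusted sources misses this, which is the motivation for the positive-tainting idea in Section III.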

III. PROPOSED SYSTEM

We propose a new, highly automated approach for the dynamic detection and prevention of SQLIAs. Intuitively, our approach works by identifying "trusted" strings in an application and allowing only these trusted strings to be used to create the semantically relevant parts of a SQL query, such as keywords or operators. The general mechanism that we use to implement this approach is based on dynamic tainting, which marks and tracks certain data in a program at runtime.


The only deployment requirements for our approach are that the web application must be instrumented and that it must be deployed with our MetaStrings library, both of which are done automatically. The approach does not require any customized runtime system or additional infrastructure.

The proposed system has three advantages. First, unlike existing dynamic tainting techniques, our approach is based on the novel concept of positive tainting, that is, the identification and marking of trusted, rather than untrusted, data.

Second, our approach performs accurate and efficient taint propagation by precisely tracking trust markings at the character level. Third, it performs syntax-aware analysis of query strings before they are sent to the database and blocks all queries whose non-literal elements (SQL keywords and operators) contain characters that are not marked trusted.
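The three mechanisms listed above, as an added worked example in Python (this is not the paper's WASP implementation or its MetaStrings library; the TString class, the tokenizer and the login query below are assumptions made for this example): developer-written query fragments are marked trusted, marks travel with each character through concatenation, and a syntax-aware check tokenizes the finished query and blocks it if any keyword, identifier, operator or comment contains an unmarked character. The login query mirrors the account-number and PIN form of Section IV; the sample inputs are constructed.

```python
import re


class TString:
    """A string that carries one trust mark per character (True = trusted)."""

    def __init__(self, text="", trusted=True):
        self.text = text
        self.marks = [trusted] * len(text)

    @classmethod
    def trusted(cls, text):
        # Positive tainting: only strings hard-coded in the application
        # (the developer's own query fragments) are marked trusted.
        return cls(text, True)

    @classmethod
    def untrusted(cls, text):
        # Everything else (form fields, cookies, HTTP headers, values read
        # back from the database) carries no trust mark.
        return cls(text, False)

    def __add__(self, other):
        # Character-level propagation: concatenating strings concatenates
        # their mark vectors, so every character keeps its own mark.
        out = TString()
        out.text = self.text + other.text
        out.marks = self.marks + other.marks
        return out

    def escape_quotes(self):
        # Conventional developer-side escaping (doubling single quotes).  The
        # inserted quote derives from untrusted data and stays untrusted; the
        # check below does not require trust inside a literal.
        out = TString()
        for ch, mark in zip(self.text, self.marks):
            out.text += "''" if ch == "'" else ch
            out.marks += [mark, mark] if ch == "'" else [mark]
        return out


# Minimal SQL tokenizer: string literals (with '' escapes), numbers, comments,
# words (keywords/identifiers) and single-character operators/punctuation.
# A stray quote that does not close a literal falls through to "op".
TOKEN_RE = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<comment>--[^\n]*|/\*.*?\*/)"
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<op>.)",
    re.S,
)

# Literals (and whitespace) may contain untrusted characters; everything
# else is a semantically relevant part of the query and must be trusted.
LITERAL_KINDS = {"ws", "string", "number"}


def syntax_aware_check(query):
    """Return (True, None) if every keyword, identifier, operator and comment
    consists only of trusted characters; otherwise (False, offending_token)."""
    for m in TOKEN_RE.finditer(query.text):
        if m.lastgroup in LITERAL_KINDS:
            continue
        if not all(query.marks[m.start():m.end()]):
            return False, m.group()
    return True, None


def build_login_query(account, pin):
    """The login query of Section IV, built by string concatenation (the common
    vulnerable pattern); only the developer's fragments are trusted."""
    return (TString.trusted("SELECT id FROM customers WHERE account='")
            + TString.untrusted(account)
            + TString.trusted("' AND pin='")
            + TString.untrusted(pin)
            + TString.trusted("'"))


def guarded_login(account, pin, execute):
    """Pass the query to `execute` only if the syntax-aware check accepts it."""
    query = build_login_query(account, pin)
    ok, offending = syntax_aware_check(query)
    if not ok:
        return None, "blocked: untrusted characters in non-literal token %r" % offending
    return execute(query.text), None


if __name__ == "__main__":
    fake_db = lambda sql: "executed: " + sql   # stand-in for the database call
    for acct, pin in [("1001", "4321"),
                      ("1001' OR '1'='1", "x"),
                      ("1001'--", "x")]:
        print(guarded_login(acct, pin, fake_db))
```

Note what the check does not need: it never guesses what attacker input looks like, and it does not require escaping to produce trusted output. A correctly escaped `O'Brien` passes because the whole `'O''Brien'` literal is one token, while the same value unescaped fails on the identifier `Brien` that the stray quote creates. A numeric injection such as `1001 OR 1=1` spliced after `WHERE id=` fails the same way, on the unmarked keyword `OR`.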

Fig.1. System Architecture

Fig.2. Technical architecture

IV. FUNCTIONAL REQUIREMENTS

Functional requirements define the fundamental actions that must take place in the software when accepting and processing the inputs and when processing and generating the output.


In the normal login procedure the user supplies an account number and a password. A user can, however, log in without a password by injecting SQL into the login query. To solve this problem we developed the WASP tool, which determines whether the user input is valid data or not. The tool combines two techniques, positive tainting and syntax-aware analysis, and checks whether the input injects into the current query. If it does, the tool does not send the data to the SQL query.

If the data is clean, the tool sends it to the database through the SQL query. To invoke the WASP tool the user selects one of the radio buttons on the login page; once selected, the check applies to the whole project. After a successful admin login the admin has access to the sub-modules. In our project we check all the data for validity before sending it to the database.

4.2. Process Flow

Fig.3. Use Case Diagram. Flow: user -> WASP (positive tainting, syntax-aware analysis) -> injection found / no injection. Actors and use cases: admin or customer; change password, view details, amount transaction, transaction detail, new registration, amount credit.

Admin module (flow diagram): username & password -> WASP -> injected / not injected -> Registration, Transaction, Customer details, Amount credit. Registration fields: name, age, gender, occupation, ...; view the transaction details; edit the customer details.


4.3. Customer: In this module a customer can view his details, change his password and send an amount to another account. To do this he or she must log in with an account number and password. This module has two sub-modules.

V. CONCLUSION

This paper presented a novel, highly automated approach for protecting Web applications from SQLIAs. Our approach consists of 1) identifying trusted data sources and marking data coming from these sources as trusted, 2) using dynamic tainting to track trusted data at runtime, and 3) allowing only trusted data to form the semantically relevant parts of queries, such as SQL keywords and operators.

Unlike previous approaches based on dynamic tainting, our technique relies on positive tainting, which explicitly identifies trusted (rather than untrusted) data in a program. This way, we eliminate the problem of false negatives that may result from the incomplete identification of all untrusted data sources. False positives, although possible in some cases, can typically be eliminated easily during testing. Our approach also provides practical advantages over the many existing techniques whose application requires customized and complex runtime environments: it is defined at the application level, requires no modification of the runtime system, and imposes a low execution overhead.

VI. SCREENSHOTS


Test Case Scenario 1: Admin Login Screenshot:

1.1 Validations and Messages:

SNO | Field Name     | Validations | Messages                | Remarks
1   | ACCOUNT NUMBER | Required    | Invalid                 | It is required
2   | PIN NUMBER     | Required    | Invalid                 | It is required
3   | Submit         | Required    | Login failed! try again | Checking valid user or not

1.2. Test Cases:

SNo | Inputs         | Expected Result | Actual Result | Status (Passed/Failed) | Remarks
1   | Account number | Navigate        | Navigate      | Passed                 | It is required
2   | Password       | Navigate        | Navigate      | Passed                 | It is required
3   | Submit         | Navigate        | Navigate      | Passed                 | Checking valid user or not


2. Admin Login With Character Level Tainting:

2.1 Validations and Messages:

SNO | Field Name     | Validations | Messages                | Remarks
1   | ACCOUNT NUMBER | Required    | Invalid                 | It is required
2   | PIN NUMBER     | Required    | Invalid                 | It is required
3   | Submit         | Required    | Login failed! try again | Checking valid user or not

2.2. Test Cases:

SNo | Inputs         | Expected Result | Actual Result | Status (Passed/Failed) | Remarks
1   | Account number | Navigate        | Navigate      | Passed                 | It is required
2   | Password       | Navigate        | Navigate      | Passed                 | It is required
3   | Submit         | Navigate        | Navigate      | Passed                 | Checking valid user or not


3. Adding Customer Details By Admin Screenshot:

3.1. Validations and Messages:

SNO | Field Name       | Validations | Messages                   | Remarks
1   | Name             | Required    | Enter the name             | It is Required
2   | Date of birth    | Required    | Enter the Dob              | It is Required
3   | Age              | Required    | Enter the age              | It is Required
4   | Gender           | Required    | Enter the gender           | It is Required
5   | Address          | Required    | Enter the Address          | It is Required
6   | Occupation       | Required    | Enter the Occupation       | It is Required
7   | Account type     | Required    | Enter the Account Type     | It is Required
8   | Contact number   | Required    | Enter the Contact num      | It is Required
9   | Account Number   | Required    | Enter the Account Number   | It is Required
10  | Amount           | Required    | Enter the Amount           | It is Required
11  | Password         | Required    | Enter the Password         | It is Required
12  | Confirm Password | Compare     | Enter the correct password | It is Required

3.2. Test Cases:

SNo | Inputs | Expected Result          | Actual Result            | Status (Passed/Failed) | Remarks
1   | Submit | Successfully registered  | Successfully registered  | Passed                 | Added to the Db (New Customer)
2   | Reset  | Fields will become Empty | Fields will become Empty |                        |


4. Output Screen For Loans:

If the loans button is clicked, details of loans will be displayed.


About the authors:

Nagaraj Peddarapu is currently working as an Associate Professor in the CSE department of Sri Indu College of Engg & Technology. He has 6 years of teaching experience. His research interests include Data Mining, Cloud Computing and Database Management Systems.

P. Uma Rani completed her B.Tech at Megha Institute of Engineering and Technology, Hyderabad (JNTUH), with first class. She is currently pursuing the 2nd year of an M.Tech at Sri Indu College of Engineering. Her areas of interest are Cloud Computing, Information Security, Data Mining, Database Management Systems and Web Technologies.
