Multitier Web Application Analyzer For SQL Injection

(1)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)

453

Multitier Web Application Analyzer For SQL Injection

J. Rethna Virgil Jeny

1

, Deepa B. Ekhande

2

1_{Associate Professor, AVCOE, Sangamner, Maharashtra, India} 2_{Student M.E IT, AVCOE, Sangamner, Maharashtra, India}

Abstract—In today’s world, web services and applications have paved the way of users for faster data access. In order to meet the user’s requirements for faster data retrieval, the web applications have turned out to be multitier in which the back-end server contains the data base and application interface or web server acts as the front end. The Omni-present use of web services has made them a target of attackers. In this paper, we use the multitier web application analyser for securing the data storage at the back-end as well as the front-end applications. The multitier web application analyser safeguards the behaviour of the sessions performed by the users from the wide range of attacks. It helps in monitoring the web as well as database requests to prevent attacks which would not be done by an independent intrusion detection system. Thus, enhances the performance of the system to provide high efficiency.

Keywords— Multitier web analyzer, Virtualization, container- based architecture, anomaly detection.

I. INTRODUCTION

Internet services have rapidly flourished across the globe on account of its popularity and complexity. The World Wide Web provides diverse applications like the social media, finance, educational, etc. But due to the wide use of these services they are on the peak of attackers. Various types of Attacks [1] like hijacking the session of the users are carried out on the web servers wherein the webserver is taken over by the attacker. Hence, all the consequent user sessions are also being hijacked.

The anomaly detection systems [2] can detect the abnormal behaviors in the system. The network packets are individually being analyzed by the intrusion detection systems. But for the system designed to be multitier a very little task is carried out. So, due to the lack of such architecture even if we use firewall to protect the database backend, they are prone to be attacked by the attackers who use the web request for exploiting the back end data. The misused detection [3] can also be used for matching the altered patterns in order to prevent the multi tier web services. But, when the network traffic is sent from the web to the database or vice-versa, the intrusion detection system fails to identify the anomalous traffic by just using the web intrusion detection system or the database intrusion detection system.

In case, for exploiting the vulnerabilities in the web, the attacker can use the nonadmin rights by issuing a privileged database query. This type of attack would neither be discovered by the database intrusion detection system nor by the web intrusion detection system. It would be impossible to detect the casual mapping between the database and the web server with the present web server multithreaded architecture.

Here, a solution to this problem is presented which deals with the intrusion detection and prevention in the multitier web architecture. The multitier web application analyser is been developed for preventing the system from number of attacks. Normality Models of the isolated user sessions are being built which consists of both the web application front end that can be in form of HTTP requests and the data base backend [4] i.e. the SQL or file server. The intrusion prevention system can build a casual mapping model which can be done by taking into account both the web server and database traffic. The intrusion prevention system is the extension of intrusion detection system. In IPS, the vulnerabilities are blocked and hence do not affect the system or network anymore. Here we present o lightweight virtualization concept for assigning every user’s session to a container. To precisely relate the web request with the consequent database queries we employ the container ID. The IPS built a casual mapping profile by considering into account both the web server and database traffic. The OpezVZ [5] is used for implementing the IPS container architecture. The container based architecture along with casual mapping also provides an isolation which helps in preventing the session hijacking attacks of the users. The lightweight virtualization [6] helps us to run multiple copies of the web server instances in different containers. Hence, everyone is differentiated from the rest. Each client is assigned a dedicated container so even if the attacker attacks the session, it is limited to that session only and does not affect the other user session.

II. RELATED WORK

(2)

International Journal of Emerging Technology and Advanced Engineering

454 It produces reports for a management station. The anomaly based detection needs the system to explain and classify the write and acceptable form and nature that can be used for finding the behaviours which are different from others. Another approach is the Intrusion Detection Alert correlation [7] approach which involves combination of all the security alert events like the replicated alerts, false alarm and other non relevant data to the users. But, instead of correlating the alerts from the individual detection system our approach works on multiple feed of the traffic in the network just involving the use of single IDS. The IDS can use temporal information [8] to detect intrusions which needs to correlate events on time basis which increases the risk to the system. The Intrusion Prevention Systems are the extension of the intrusion detection system wherein they not only monitor the network traffic and system activities but also place in-line and are able to actively prevent or block the intrusions that are affected.

III. SYSTEM ARCHITECTURE

A. Normality Model Based Architecture

The network traffic from both valid and invalid users is received at the same web server. The attacker can affects all the future sessions by compromising the web server. It is not a genuine option to allocate each session to a dedicated web server, since it may deplete the web server. Hence to gain similar captivity when maintaining a low performance and overhead of resources, light-weight virtualization is used. The light-weight process containers which are disposable servers for the client are being used. Thousands of containers can be initialized on a single machine. These containers can be aborted, reverted or reinitialized for every new client session.ll paragraphs must be indented. All paragraphs must be justified, i.e. both left-justified and right-left-justified.

Here every session is assigned to a dedicated web server and is isolated from all other sessions. The initialization of each virtualized container can be done using read-only template which is assumed to be cleaned and hence guaranties that at initialization every session is being server with a clean web server instance. The communication of a single user is expected to go to the same dedicated web server different users can be represented by the sessions to some extend where by permitting us to identify the suspectable behaviour by the session and user. We will treat all the traffic with the session as infected if we detect any abnormal behaviour in a session. The flow of information is being separated in every container session. This provides us with high security performance. It also maps the web server request and database queries.

The normality model as shown in fig. 1 helps us for mapping the relationship between the unauthorised user accesses. The normality model separates the sessions of the users and thus help in detecting the attacks. It is possible to identify the web requests and the resulting SQL queries and hence possible to analyze them in the session. Sensors are being placed on either side of the server which will detect anomalies by capturing the traffic at both the end.

Fig.1 Normality Model

B. Types of Attacks

1. SQL injection Attack

The SQL injection [9] does not need compromising the web server. The existing vulnerabilities in the web server logic can be used by the attackers for injecting the exploited data content for attacking the backend database. Even if the exploits are accepted by the web server, as our approach provides a two tier detection, the contents which are related to the database server will be unable to take the expected structure for given web server request. Even though the injected data go through the web server side, the SQL queries are generated in a different manner which can be detected from normally followed SQL query structure.

Fig.2 SQL Injection Attack

2. Privilege Escalation Attack

(3)

International Journal of Emerging Technology and Advanced Engineering

455 For an administrator, the request will trigger the set of admin level queries and for the regular users; the web request will trigger the set of SQL queries. The attacker invades into the webserver as a normal user, raises the user privileges and elicits the admin queries to obtain an admin data. The attack of this type can never be detected by the webserver intrusion detection system or the database intrusion detection system as both are valid queries. Our approach uses mapping model to detect such type of attack because in this the database query does not match the request according to the mapping model.

Fig.3 Privilege Escalation Attack

3. Direct DB Attack

There is a possibility that an attacker can bypass the webserver or firewall and directly connect to the database. The attacker can also submit queries from the webserver without sending the web request by taking over the webserver. So for such queries, without the matched web request webserver IDS would not be to detect them. In addition to this, if the database queries are with the set of valid queries, the database IDS would itself not be able to detect the attack.

Fig.4 Direct DB Attack

4. Hijack Future Session Attack

This kind of attack mostly happens at the webserver side. Attacker generally invades over the webserver and thus hijacks all resulting unauthorized user sessions to launch attacks.

By hijacking other user session for a while, the attacker con send or drop duplicate messages or replies or even drop user requests.

Fig.5 Hijack Future Session Attack

5. Man in Middle Attack

Here, the attacker tries to create independent connections with the one who is prone to be vulnerable. But it will not be able to authenticate itself with the verifier which has no clue of the fingerprint of the two end nodes.

IV. MODELLING DETERMINISTIC MAPPING AND PATTERNS

In static website, the links are static and clicking on the same link will always return the same information. Thus we can create an accurate model of mapping relationships between web request and database queries. In place on one-to-one mapping relationship between database queries and web request there can be many number of SQL queries for single web request. In some cases, it may happen that no queries will be generated by the web request i.e. some request will just retrieve data from webserver. In the other, one request let the webserver may invoke number of queries. Hence, we classify the mapping patterns into four classes which are given below. The request is at the origin of the data flow. We consider a set of request rm and set of

queries Qp. The total number of sessions of the training

phase is N. Then we can achieve the set total web request

REQ and set of SQL queries SQL across the whole session. The mapping in the model is in form of one request to a query set rm ->Q p.

A. Deterministic Mapping

This category is most common mapping and perfectly matched pattern. Here, the web request rm appears in all

traffic with SQL query set Qp. If there is an absence of

query set Qp for any session in the testing phase with

(4)

International Journal of Emerging Technology and Advanced Engineering

456 Fig.6 Representation of Mapping Patterns

B. Empty Query Set

This is a special case that i.e. EQS wherein the SQL query can be an empty set. This indicates that the web request neither cause nor generate any database queries. The mapping of this type can be rm->ø There web request

are put together in the set EQS during the testing phase. Consider the example, when a web request for retrieving a GIF image file is made from the same webserver, then a mapping relationship does not exist as only the web requests are observed.

C. No Matched Request

In some cases the queries cannot match-up with the web requests. These unmatched queries are kept in a set NMR. Any query within a set NMR is considered to be legitimate. The NMR size is dependent on the webserver logic but it is typically small

D. Non Deterministic Mapping

The same web request can arrive each time. It matches up with one query in the pole of query set. The mapping pattern can be rm -> Qi (Qi € {Qn, Qp, Qq...}). So it is difficult

to identify the matched traffic pattern. This happens in case of dynamic websites.

V. STATIC WEBSITES MODELLING

The non-deterministic mapping does not exist for static websites as there are no available input variables or states for the static content. The traffic collected by servers can be classified into three patterns to build a mapping model. Since the traffic is already separated by sessions, we begin by iterating all the sessions from 1 to N. For the request that belong to REQ, we maintain a list ARm to record the

session ID’s in which rm appears. For database queries we

have set AQs for each query that belong to SQL to record

the session ID’s. We search for AQs for each ARm.

If ARm= AQs then it indicates that every time rm appears

in a session, Qs will also appear in same session. To

confidentially extract a mapping pattern rm->Qs, threshold

value t is used, so that in case if the mapping appears in more than t sessions then a mapping pattern is been recognized. If the patterns are less then threshold t, then it indicts that the number or training session is insufficient.

A. Model Building Algorithm

1. for each session separated traffic Ti do

2. Get different HTTP requests r and DB queries

q in this session

3. for each different r do

4. if r is a request to static file then 5. Add r into set EQS

6. else

7. if r is not in set REQ then 8. Add r into REQ

9. Append session ID i to the set ARr with

r as the key

10. for each different q do 11. if q is not in set SQL then 12. Add q into SQL

13. Append session ID i to the set AQq with q as

the key

14.for each distinct HTTP request r in REQ do 15. for each distinct DB query q in SQL do 16. Compare the set ARr with the set AQq

17. if ARr = AQq and Cardinality(ARr) > t then

18. Found a Deterministic mapping from r to q 19. Add q into mapping model set MSr of r

20. Mark q in set SQL

21. Else

22. Need more training session 23. return False

24. for each DB query q in SQL do

25. if q is not marked then 26. Add q into set NMR

27. for each HTTP request r in REQ do

28. if r has no deterministic mapping model then 29. Add r into set EQS

30. return True

B. Detecting Intrusions

(5)

International Journal of Emerging Technology and Advanced Engineering

457 Each distinct web request in the session will have only one mapping rule in the model. This can be done with the following algorithm: Intrusion Detection Algorithm:

1.For the deterministic mapping rule, where r->Q, we check whether Q is a subset of the query set of the session. If it is present, then we mark the queries in Q as valid request.

2.If the Empty Query Set i.e. r->ø, rule persists then the request is not considered to be abnormal and we do not need to mark any database queries. Hence, no intrusion is reported.

3.If the remaining queries are unmarked, then there is a need to check whether they are in set NMR. If this is so then we mark the query as such.

4.The database queries which are untested or unmarked

are considered to be abnormal. If it exists within a

session then that session will be marked as vulnerable

VI. FUTURE WORK

The cloud data storage offers great convenience to users since they don’t there is no time to care about the complexities of hardware management. The cheaper and powerful processors, with the software as a service computing architecture are transforming data centres into pools of computing services. Due to increase in bandwidth and flexible network providing high reliability it possible for users to subscribe high quality services form software and data that is residing on the remote data centres. From the view of data security, which is an important aspect of the quality of service, cloud computing certainly creates new challenging security threats for various reasons.

Fig.7 Attack Scenario in Cloud Data Storage

A distributed protocol is of most important in achieving a robust and secure cloud data storage system.

For the cloud data storage, the attacker can try to send the request to any system which is in the network. This can prove to be hazardous for the system’s working. The attacks like the SQL injection can be done using the database queries with injection to the database server. Hence there is a need to protect these systems in the cloud storage. The multitier web analyzer should be designed such that it must be able to detect intrusions in of the server’s front end as well as back end. The SQL filter algorithm can be build for this purpose.

VII. CONCLUSION

The multitier web analyser is build to model the behaviour of the web applications. The mapping model is used for detecting the anomalous behaviour of the multitier web applications both at the front end as well as the back end data. The container-based architecture provides different session ID for different HTTP requests which helps in isolating the information flow of each webserver session. Thus, the multitier web analyser is able to identify the wide range of attacks invading the system.

REFERENCES

[1] “Five Common Web Application Vulnerabilities,”

http://www.symantec.com/connect/articles/five-common-web-applicationvulnerabilities,2011..

[2] H. Debar, M. Dacier, and A. Wespi, “Towards a Taxonomy of

Intrusion-Detection Systems,” Computer Networks, vol. 31, no. 9, pp.805-822, 1999.

[3] H.-A. Kim and B. Karp, “Autograph: Toward Automated Distributed

Worm Signature Detection,” Proc. USENIX Security Symp., 2004 Tavel, P. 2007 Modeling and Simulation Design. AK Peters Ltd.

[4] G. Vigna, F. Valeur, D. Balzarotti, W.K. Robertson, C. Kruegel, and

E. Kirda, “Reducing Errors in the Anomaly-Based Detection of Web-Based Attacks through the Combined Analysis of Web Requests and SQL Queries,” J. Computer Security, vol. 17, no. 3, pp. 305-329, 2009.

[5] OpenVz, http:/wiki.openvz.org, 2011.

[6] Y. Huang, A. Stavrou, A.K. Ghosh, and S. Jajodia, “Efficiently

Tracking Application Interactions Using Lightweight

Virtualization,” Proc. First ACM Workshop Virtual Machine Security, 2008.

[7] F. Valeur, G. Vigna, C. Kru¨ gel, and R.A. Kemmerer, “A

Comprehensive Approach to Intrusion Detection Alert Correlation,” IEEE Trans. Dependable and Secure Computing, vol. 1, no. 3, pp. 146-169, July-Sept. 2004.

[8] A. Seleznyov and S. Puuronen, “Anomaly Intrusion Detection

Systems: Handling Temporal Relations between Events,” Proc. Int’l Symp. Recent Advances in Intrusion Detection (RAID ’99), 1999.

[9] C. Anley, “Advanced Sql Injection in Sql Server Applications,”