Transcript of Cryptography
- 1. A DISSERTATION STAGE I REPORT ON Web services based SQL Injection Detection and Prevention, SUBMITTED TO THE UNIVERSITY OF PUNE, PUNE, IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE AWARD OF THE DEGREE Master of Engineering (Computer Engineering). By Candidate Name: BODAKE VIJAY JAGANNATH, Exam no.: . UNDER THE GUIDANCE OF Prof. Ranjit Gawande, DEPARTMENT OF COMPUTER ENGINEERING, Matoshri College of Engineering and Research Centre, Nashik, Eklahare, Near Odha Gaon, Aurangabad Road, Nashik, Pin No.: 422135. University of Pune, 2014-15.
- 2. DEPARTMENT OF COMPUTER ENGINEERING, Matoshri Education Society's Matoshri College of Engineering and Research Centre, Nashik, Eklahare, Near Odha Gaon, Aurangabad Road, Nashik. CERTIFICATE: This is to certify that the dissertation entitled Web services based SQL Injection Detection and Prevention submitted by BODAKE VIJAY JAGANNATH, Exam No: [ ], is a bonafide work carried out by her and is approved for the partial fulfilment of the requirements of the University of Pune for the award of the degree of Master of Engineering in Computer Engineering. (Prof. R. M. Gawande, Internal Guide) (Dr. Varsha H. Patil, Head, Department of Computer Engineering) (Dr. G. K. Kharate, Principal) Seal of the College.
- 3. DECLARATION I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which has been accepted for the award of any other degree or diploma of the university or other institute of higher learning, except where due acknowledgement has been made in the text. Place: Nasik. Date: . Signature. Name: Bodake Vijay Jagannath. PRN/Reg. No.: .
- 4. ACKNOWLEDGEMENT Inspiration and guidance are invaluable in every aspect of life, especially in the field of education, which I have received from our respected H.O.D. Dr. Mrs. Varsha H. Patil, who has guided me in the first two phases of seminar work and gave earnest co-operation whenever required. I would like to express my sincere gratitude towards her. I am pleased to announce that my presentation of the seminar as well as the report would not have been completed without the able guidance and complete support of Prof. Mr. Ranjit Gawande, who helped me at each and every step in every possible way. He always provided me with access to the latest technology and facilities and encouragement at every point, and took active participation in the achievement of my objective. My heartfelt and foremost thanks go to my seminar guide and to my well-wishers and colleagues for their help. At last, I would like to take this opportunity to convey thanks to all my staff members, who directly or indirectly encouraged and helped me to complete my work on time and contributed their valuable time in helping me to achieve success in the work of the seminar. Bodake Vijay J. [ME Computer, Roll no.:- ]
- 5. ABSTRACT Web applications form an integral part of our day-to-day life. The number of attacks on websites and the compromise of many individuals' private data are increasing at an alarming rate. Hence, providing a greater degree of security for users and their data becomes essential. The most important vulnerability, as described in the Top 10 web security issues of the Open Web Application Security Project (OWASP), is the SQL Injection Attack (SQLIA). The proposed system focuses on how the advantages of randomization can be employed to prevent SQL injection attacks in web-based applications. The two most important advantages of the proposed approach over existing analogous mechanisms are: first, it prevents all forms of SQL injection attack using an active guard and a service detector; second, the use of a randomization encryption algorithm provides enhanced security while detecting and preventing SQL injection attacks on the database. Keywords: Randomization, SQL injection, Vulnerability, web application security, Runtime Monitoring, service detector, active guard.
- 6. INDEX (Sr. no. / Contents / Page no.)
  1. Introduction 1-29
    1.1 Background of SQLIAs 8
    1.2 Need of the system 16
    1.3 Detailed Problem Definition 17
    1.4 Objectives of the system 17
    1.5 Project Plan, Dissertation Plan 18
    1.6 Paper Publication plan 18
    1.7 Organization of Dissertation 19
  2. Literature survey 20-26
    2.1 Existing System 20
    2.2 Evaluation of existing techniques 23
    2.3 Proposed System 25
    2.4 Summary 26
  3. Software Requirement Specification 26-29
    3.1 Requirement analysis 26
    3.2 Functional Requirement 27
    3.3 Non Functional Requirement 27
    3.4 Algorithmic Strategies 28
    3.5 Domain analysis 29
    3.6 Summary 29
- 7. INDEX, continued (Sr. no. / Contents / Page no.)
  4. Design and Modelling 29-33
    4.1 Design 29
    4.2 Modelling 31
  5. Conclusion 34
- 8. LIST OF FIGURES (Fig no. / Figure caption / Page no.)
  1.1 Example Containing Vulnerability 11
  1.2 Project Plan 17
  3.1 Random Encryption algorithm 29
  3.2 Lookup table for Encryption algorithm 30
  4.1 Use case Diagram 32
  4.2 Class Diagram 33
  4.3 Sequence Diagram 35
  4.4 Architecture Diagram 36
  4.5 Data Flow Diagram 39
- 9. LIST OF TABLES (Tab no. / Table caption / Page no.)
  2.1 Comparison of existing techniques 23
  2.2 Objectives of various approaches 24
  2.3 Comparison of various SQLIA detection-focused approaches with respect to attack types 25
  2.4 Comparison of techniques with respect to deployment requirements 26
  2.5 Comparison of prevention-focused techniques with respect to attack types 27
  2.6 Evaluation of code improvement techniques with respect to common development errors 28
- 10. ABBREVIATIONS
  SQLIAs: SQL injection attacks
  SQLIVs: SQL injection vulnerabilities
- 11. Web services based SQL Injection Detection and Prevention 1
Chapter 1 INTRODUCTION This chapter introduces the background of the proposed work. It gives an overall description of the work and also explains the concept of SQL injection attacks.
1.1 Background of SQLIAs An SQL injection attack occurs when an attacker manipulates the intended effect of an SQL query by inserting new SQL keywords or operators into the query. The attacker sends this malicious input through an input box in a web form of a web application in order to gain unauthorized access. The input is incorporated into an SQL query in such a way that it becomes part of the SQL code itself [2, 3]. This is the generalized definition of SQL injection.
1.1.1 SQL Injection Mechanisms Malicious SQL statements can be inserted into an injection-vulnerable application through different input mechanisms. This section focuses on the most common injection mechanisms.
1. Injection through user inputs: In this type, the attacker injects malicious SQL commands into user input. A web application can read user input in many ways, depending on the environment in which the application is developed and deployed. In most cases the user input comes from a web form and is transmitted to the web application via HTTP GET or POST requests [14]. Using this type of injection, the attacker can gain unauthorized access to the web application and its underlying database.
2. Injection through server variables: Server variables are a collection of variables containing HTTP headers, environment variables, network headers etc. Web applications use these variables in a variety of ways, such as logging usage statistics and identifying browsing trends. If these variables are logged to a database without sanitization, they can cause an SQL injection vulnerability [30]. Because an attacker can forge the values in HTTP and network headers, they can exploit these vulnerabilities by placing an SQLIA directly into the headers. When the application's logging query is issued to the database, the unsanitized variables are included in it and the attack carried in the forged header takes place. Department of Computer Engineering, MCERC, Nashik.
- 12. 3. Injection through cookies: Cookies are files stored on the client machine containing state information gathered by web applications. These cookies can be used to restore the client's state information when the client returns to the web application. Since the client has full control over the cookies, a malicious client can modify the contents of the cookies so that they are built into SQL queries, submitting the attack to the web application [8].
4. Second-order injection: In this type the attacker seeds malicious input into the system or database so that the SQLIA is performed indirectly, when that input is used at a later time. The objective of this type of attack differs significantly from regular (first-order) SQLIAs. Second-order injections are not intended to take effect at the time the input reaches the application or database; instead, the attacker relies on knowledge of where and when the input will be used, and plans the attack so that it executes during that later use of the application or database. To clarify, we present the classic example of a second-order injection attack from [1]. In this example, a user registers on a website using a seeded username such as admin'--. The application properly escapes the single quote in the input before storing it in the database, preventing its potentially malicious effect at that point. The attacker then modifies his or her password, an operation that typically involves 1) checking that the user knows the current password and 2) changing the password if the check is successful. To perform this, the web application might form an SQL command as follows:
queryString = "UPDATE users SET password='" + newPassword + "' WHERE username='" + username + "' AND password='" + oldPassword + "'"
Here newPassword and oldPassword are the new and old passwords given by the user respectively, and username is the name of the user currently logged in (i.e. admin'--). Therefore the query string that is sent to the database is:
UPDATE users SET password='newPwd' WHERE username='admin'--' AND password='oldPwd'
(the query assumes that newPassword and oldPassword are newPwd and oldPwd). Because -- is the SQL comment operator, everything after it is ignored by the database. Therefore, the result of this query is that the database changes the password of the administrator (admin) to an attacker-specified value, without the old password ever being checked. These types of injections are usually difficult to
- 13. detect and prevent because the point of injection and the point where the attack actually takes place are different.
1.1.2 Attack intent Attacks can also be characterized based on the goal or intention of
Attacks can also be characterized based on the goal or intention of
the attacker [2]. Therefore each of the attack type described in
section 4 has one of the following intention or goal. 1. Injectable
parameters Identication: Here attacker nds parameters and user
input elds that are vulnerable to SQLIAs and probe a web
application accordingly. 2. Database ngerprinting: The attacker
discovers the type and version of database that a Web application
is using. Databases respond dierently to dierent queries and
attacks, and this infor- mation can be used to ngerprint the
database. Knowing the type and version of the database used by a
Web application allows an attacker to craft database specic
Attacks. [2]. 3. Extracting data: These types of attacks employ
approaches that extract data values from the database. Depending on
the type of the Web application, this information could be
sensitive and highly desirable to the attacker. Attacks with this
intent are the most common type of SQLIA. 4. Modication of Data:
this type involves adding and modifying data in a database. 5.
Performing denial of service: This involves shutdown of database of
web application, and denying services to users. Locking and
dropping database tables type of attack also comes under this cat-
egory. 6. Evading detection: This type refers to certain attack
approaches that are employed to avoid auditing and detection by
system pro- tection mechanisms [2]. 7. Authentication Bypassing:
This type of attack is intended to allow attacker to bypass
database and web application authenti- cation mechanisms. And
attacker gains all the rights and access privileges to databases
and applications. Department of Computer
Engineering,MCERC,Nashik.
- 14. Web services based SQL Injection Detection and Prevention 4
8. Executing remote commands: These types of attacks aims to
execute arbitrary commands on the database for ex. stored
procedures or functions available to database users. 9. Performing
Privilege Escalations: These types of attacks are intended to take
advantages of errors in code and logical aws to escalate privileges
of attacker. Department of Computer Engineering,MCERC,Nashik.
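The following is an added worked example, not code from the dissertation or from the cited papers, illustrating two of the mechanisms from section 1.1.1: injection through a forged server variable (the User-Agent header being logged to the database, item 2) and the second-order injection through a seeded username admin'-- (item 4), each beside the parameterized query that stops it. It runs against an in-memory SQLite database; the table names, the seeded admin account, its password and the forged header value are all constructed for the demonstration.

```python
"""Added example: first-order injection via a forged HTTP header, and the
second-order injection from section 1.1.1, against an in-memory SQLite DB.
All accounts, passwords, tables and header values are constructed sample data."""
import sqlite3

ADMIN_PASSWORD = "S3cretAdminPw"  # constructed sample secret, the attacker's target


def setup_db():
    """Fresh in-memory database with a seeded admin account and a request log."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE access_log (id INTEGER PRIMARY KEY, user_agent TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', ?)", (ADMIN_PASSWORD,))
    db.commit()
    return db


# --- 1. Injection through server variables (a forged User-Agent header) -------

# The header closes the string literal and splices in a scalar subquery; SQLite's
# || operator concatenates, so the admin password is written into the log row.
FORGED_USER_AGENT = (
    "Mozilla/5.0' || (SELECT password FROM users WHERE username='admin') || '"
)


def log_user_agent_vulnerable(db, user_agent):
    """Logs the header by string concatenation: attacker-controlled text becomes SQL."""
    db.execute("INSERT INTO access_log (user_agent) VALUES ('" + user_agent + "')")
    db.commit()
    return db.execute(
        "SELECT user_agent FROM access_log ORDER BY id DESC LIMIT 1").fetchone()[0]


def log_user_agent_safe(db, user_agent):
    """Same logging with a bound parameter: the header is stored as data, verbatim."""
    db.execute("INSERT INTO access_log (user_agent) VALUES (?)", (user_agent,))
    db.commit()
    return db.execute(
        "SELECT user_agent FROM access_log ORDER BY id DESC LIMIT 1").fetchone()[0]


# --- 2. Second-order injection through a stored username ----------------------

def escape_quotes(value):
    """The 'proper escaping' the text describes: double every single quote."""
    return value.replace("'", "''")


def register(db, username, password):
    """Registration escapes its input, so this INSERT is not injectable; the quote
    is nevertheless stored in the row, waiting for a later concatenating sink."""
    db.execute("INSERT INTO users VALUES ('" + escape_quotes(username) + "', '"
               + escape_quotes(password) + "')")
    db.commit()


def change_password_vulnerable(db, username, old_password, new_password):
    """The password-change query from the text, built by concatenation from the
    logged-in username. Returns the SQL string that was actually executed."""
    query = ("UPDATE users SET password='" + new_password + "' WHERE username='"
             + username + "' AND password='" + old_password + "'")
    db.execute(query)
    db.commit()
    return query


def change_password_safe(db, username, old_password, new_password):
    """Parameterized version: the stored username cannot change the query shape."""
    cur = db.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                     (new_password, username, old_password))
    db.commit()
    return cur.rowcount  # 1 on success, 0 if the old password did not match


def get_password(db, username):
    row = db.execute("SELECT password FROM users WHERE username=?",
                     (username,)).fetchone()
    return row[0] if row else None


def second_order_demo(vulnerable):
    """Register the seeded username admin'-- and then change 'our own' password.
    Returns (admin's password afterwards, the attacker's own password afterwards)."""
    db = setup_db()
    attacker = "admin'--"
    register(db, attacker, "attackerPw")
    if vulnerable:
        # Executed SQL: ... WHERE username='admin'--' AND password='attackerPw'
        # The tail is a comment, so admin's row is updated without any check.
        change_password_vulnerable(db, attacker, "attackerPw", "newPwd")
    else:
        change_password_safe(db, attacker, "attackerPw", "newPwd")
    return get_password(db, "admin"), get_password(db, attacker)


if __name__ == "__main__":
    db = setup_db()
    print(log_user_agent_vulnerable(db, FORGED_USER_AGENT))  # Mozilla/5.0S3cretAdminPw
    print(log_user_agent_safe(db, FORGED_USER_AGENT))        # the header text, verbatim
    print(second_order_demo(vulnerable=True))   # ('newPwd', 'attackerPw')
    print(second_order_demo(vulnerable=False))  # ('S3cretAdminPw', 'newPwd')
```

Two points the example makes that the prose does not: escaping at the registration sink is undone by the database itself (the row holds admin'--, not admin''--), so a later sink that concatenates the stored value re-opens the injection; and the Python sqlite3 driver refuses stacked statements, so the header payload uses a subquery rather than a second statement, which is the same reason a blocklist for semicolons is not a defence. Binding every value as a parameter at every sink, not only at the point of entry, is what closes both paths.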