1. 1. A DISSERTATION STAGE I REPORT ON Web services based SQL Injection Detection and Prevention SUBMITTED TO THE UNIVERSITY OF PUNE, PUNE IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE AWARD OF DEGREE Master of Engineering (Computer Engineering) By Candidate Name:BODAKE VIJAY JAGANNATH Exam no.: UNDER THE GUIDANCE OF Prof. Ranjit Gawande DEPARTMENT OF COMPUTER ENGINEERING Matoshri College of Engineering and Research Centre, Nashik Eklahare, Near OdhaGaon, Aurangabad Road, Nashik Pin No.:422135 University of Pune 2014-15
2. 2. DEPARTMENT OF COMPUTER ENGINEERING Matoshri Education Societys Matoshri College of Engineering and Research Centre,Nashik Eklahare,Near Odha Gaon,Aurangabad Road,Nashik CERTIFICATE This is to certify that the dissertation entitled Web services based SQL Injection Detection and Prevention submitted by BO- DAKE VIJAY JAGANNATH Exam No: [ ] is a bonaed the work carried out by her is approved for the partial fulll- ment of the requirements of University of Pune, for the award of degree of Master of Engineering in Computer Engineering. (Prof.R.M.Gawande) Dr. Varsha H. Patil Dr. G.K.Kharate Internal Guide Head Principal Department of Computer Engineering Seal of the College
3. 3. DECLARATION I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which has been accepted for the award of any other degree or diploma of the university or other institute of higher learning, except where due acknowledgement has been made in the text. Place:Nasik Signature Date: Name : Bodake Vijay Jagannath . PRN/Reg. No.:
4. 4. ACKNOWLEDGEMENT Inspiration and guidance are invaluable in every aspect of life, espe- cially in the eld of education, which I have received from our respected H.O.D. Dr. Mrs. Varsha H. Patil who has guided me in the rst two phases of seminar work and gave earnest co-operation whenever required. I would like to express my sincere gratitude towards her. I am pleased to announce that my presentation of the Seminar as well as the report would not have been completed without the able guidance and complete support of Prof.Mr. Ranjit Gawande who helped me at each and every step in every possible way. He always provided me with access to the latest technology and facilities and encouragement at every point and took active participation in the achievement of my objective. Heartfelt my foremost thanks go to seminar guide and help of my well-wishers and colleagues. At last, I would like to take this opportunity to convey thanks to all my sta members, who directly or indirectly encouraged and helped me to complete my work on time and contributed their valuable time in helping me to achieve success in the work of seminar Bodake Vijay J. [ME computer, Roll no.:- ]
5. 5. ABSTRACT Web Applications form an integral part of our day to day life. The number of attacks on websites and the compromise of many individ- uals secure data are increasing at an alarming rate. Hence, providing increased amount of security for the users and their data becomes essen- tial. Most important vulnerability as described in top 10 web security issues by Open Web Application Security Project is SQL Injection At- tack (SQLIA). The Proposed system focuses on how the advantages of randomization can be employed to prevent SQL injection attacks in web based applications. The two most important advantages of the pro- posed approach against existing analogous mechanisms that are, rst, it prevents all Forms of SQL injection attacks using active guard and ser- vice detector; second, use of randomization encryption algorithm pro- vides enhanced security while detecting and preventing SQL Injection Attacks in database Keywords: Randomization, SQL injection,Vulnerability, web appli- cation security, Runtime Monitoring, service detector, active guard.
6. 6. INDEX Sr. no. Contents Page no. 1. Introduction 1-29 1.1 Background of SQLIAs 8 1.2 Need of the system 16 1.3 Detailed Problem Denition 17 1.4 Objectives of the system 17 1.5 Project Plan, Dissertation Plan 18 1.6 Paper Publication plan 18 1.7 Organization of Dissertation 19 2. Literature survey 20- 26 2.1 Existing System 20 2.2 Evaluation of existing techniques 23 2.3 Proposed System 25 2.4 Summary 26 3. Software Requirement Specication 26- 29 3.1 Requirement analysis 26 3.2 Functional Requirement 27 3.3 Non Functional Requirement 27 3.4 Algorithmic Strategies 28 3.5 Domain analysis 29 3.6 Summary 29
7. 7. Sr. no. Contents Page no. 4. Design and Modelling 29- 33 4.1 Design 29 4.2 Modelling 31 5. Conclusion 34
8. 8. LIST OF FIGURES Fig no. Figure caption Page no. 1.1 Example Containing Vulnerability 11 1.2 Project Plan 17 3.1 Random Encryption algorithm 29 3.2 Lookup table for Encryption algorithm 30 4.1 Use case Diagram 32 4.2 Class Diagram 33 4.3 Sequence Diagram 35 4.4 architecture Diagram 36 4.5 Data Flow Diagram 39
9. 9. LIST OF TABLES Tab no. Table caption Page no. 2.1 Comparison Of existing Technique 23 2.2 Objectives Of Various Approaches 24 2.3 COMPARISONS OF VARIOUS SQLIAs DETEC- TION FOCUSED APPROACHES WITH RESPECT TO ATTCK TYPES 25 2.4 Comparison of techniques with respect to deployment requirements 26 2.5 Comparison of prevention-focused techniques with re- spect to attack types 27 2.6 Evaluation of Code Improvement Techniques with Respect to Common Development Errors 28
10. 10. ABBREVIATIONS SQLIAs:-SQL injection attacks SQLIVs:-SQL injection Vulnerabilities
11. 11. Web services based SQL Injection Detection and Prevention 1 Chapter 1 INTRODUCTION This chapter introduces to the entire background of the proposed work. It highlights the overall description of entire work. It also high- lights the concept of SQL injection attacks. 1.1 Background of SQLIAs An SQL injection attack occurs when an attacker manipulates the intended eects of SQL query by inserting new SQL keywords or op- erators into the query. Attacker sends this modied query to a user input box in a web form of a web application to gain unauthorized ac- cess. This input is converted in an SQL query in such a way that it forms an SQL code [2, 3]. This is generalized denition of SQL injec- tion. 1.1.1 SQL Injection Mechanisms Malicious SQL Statements can be inserted into injection vulnerable application by dierent input mechanisms. This section focuses on most common injection mecha- nisms. 1. Injection through user inputs : in this type, attacker injects malicious SQL commands into user input query. A web application can read user inputs by many ways depending on the environment in which the application is developed and deployed. In most of the cases the user input comes from web form that is transmitted to the web application via HTTP GET or POST requests [14]. Using this type of injection, attacker can gain unauthorized access of web application and its underlying database. 2. Injection through server variables: Server variables are col- lection of variables containing HTTP , environmental variables, network headers etc. web application use these variables in variety of ways such as logging usage statistics and identifying browsing trends. If these variables are use to logged into database without sanitization, it could cause SQL injection vulnerability [30]. As attacker can forge the values in HTTP and network headers, they can expose these vulnerabilities by placing an SQLIA directly into the headers. When the query log to the server, the unsanitized variables get issued to the database and the attack in the forged header then takes place. Department of Computer Engineering,MCERC,Nashik.
12. 12. Web services based SQL Injection Detection and Prevention 2 3. Injection through cookies: Cookies are stored on the client machines which are les containing state information gathered by web applications. These cookies can be used to restore the clients state information when client returns to the web application. As client has full control over the cookies, a malicious client can mod- ify the contents of the cookies to built SQL Queries to submit the attack to the web application [8]. 4. Second Order Injection: In this type attacker sends malicious inputs to the system or database to directly perform SQLIA when the input is used at a later time. The objective of this type of attack signicantly diers from regular SQLIAs (rst order injec- tion attacks). Second order injections are not intended to occur at the time of input reaches to application or database but the attacker relays on the knowledge of where the and when the input will be used and plans the attack so that it executes during the usage of application or database. To clarify we present a classic example of a second order injection attack [1]. In this example, a user registers on a website using a seeded username, such as ad- min. The application will properly escape the single quotes from input before storing it in database, preventing its potentially ma- licious eects. At this point the attacker modies his or her pass- word, an operation typically involving 1) checking that the user knows the current password and 2) changing the password if the check is successful. To perform this web application might form an SQL command as follows: query String=UPDATE users SET password = +new Password+ WHERE username= + username+ AND password +old Password+ newPassword and oldPassword are the new and old pass- words given by user respectively, and username is the name of the user currently logged-in (i.e. admin). Therefore the query string that is sent to the database is: UPDATE users SET password = newPwd WHERE username= adminAND password=oldPwd (The query assumes that newPassword and oldPassword are newPwd and oldPwd). Because is the SQL comment operator, everything after this is ignored by the database. Therefore, the result of this query is that the database changes the password of the administrator (admin) to an attacker specied value. These types of injections are usually dicult to Department of Computer Engineering,MCERC,Nashik.
13. 13. Web services based SQL Injection Detection and Prevention 3 detect and prevent because the point of injection and point where the attack actually takes place are dierent. 1.1.2 attack Intent Attacks can also be characterized based on the goal or intention of the attacker [2]. Therefore each of the attack type described in section 4 has one of the following intention or goal. 1. Injectable parameters Identication: Here attacker nds parameters and user input elds that are vulnerable to SQLIAs and probe a web application accordingly. 2. Database ngerprinting: The attacker discovers the type and version of database that a Web application is using. Databases respond dierently to dierent queries and attacks, and this infor- mation can be used to ngerprint the database. Knowing the type and version of the database used by a Web application allows an attacker to craft database specic Attacks. [2]. 3. Extracting data: These types of attacks employ approaches that extract data values from the database. Depending on the type of the Web application, this information could be sensitive and highly desirable to the attacker. Attacks with this intent are the most common type of SQLIA. 4. Modication of Data: this type involves adding and modifying data in a database. 5. Performing denial of service: This involves shutdown of database of web application, and denying services to users. Locking and dropping database tables type of attack also comes under this cat- egory. 6. Evading detection: This type refers to certain attack approaches that are employed to avoid auditing and detection by system pro- tection mechanisms [2]. 7. Authentication Bypassing: This type of attack is intended to allow attacker to bypass database and web application authenti- cation mechanisms. And attacker gains all the rights and access privileges to databases and applications. Department of Computer Engineering,MCERC,Nashik.
14. 14. Web services based SQL Injection Detection and Prevention 4 8. Executing remote commands: These types of attacks aims to execute arbitrary commands on the database for ex. stored procedures or functions available to database users. 9. Performing Privilege Escalations: These types of attacks are intended to take advantages of errors in code and logical aws to escalate privileges of attacker. Department of Computer Engineering,MCERC,Nashik.