Print Email Download Reference This Send to Kindle Reddit This
submit to reddit

Preventing Sql Injection Attacks Computer Science Essay

This article describing how to eliminate the vulnerabilities of the SQL injection in order to prevent the SQL injection attacks in web application. There are several techniques that have being use in SQL injection. Most of them use SQL statement in different SQL Injection techniques. Usually attackers try to get information about username and password. Then, most company face this problem in keep their important information about company. From this problem in web application, author find the solution in prevent SQL injection by doing their experiment. From their research, they found that SQL injection can prevent by SQL parse tree validation which parse tree is a data structured for the parsed representation of the statement. By parsing two statement and differentiate their parse trees either if the two query are equal. So from this situation, when hacker successfully inject SQL into a database query, the parse tree of the intended SQL query and result SQL not match. Meaning here, code by programmer has a formulation of the structure of the query. The programmer-supplied portion is the hard coded portion of the parse tree while the user-supplied portion is represented as empty leaf nodes. That’s mean programmer want user to assign values to these leaf nodes by condition a leaf can be represent one node in the resulting query. Then it must be the value of the literal and be in the position located. As result, the authors do not hinder the programmer from expressing their intended query on user-supplied portions of the parse tree. Their method establishes the query at runtime and verifying these queries is as straight-forward as the others (Buehrer, G., Weide, B., & Sivilotti, P. 2005(.

A black box testing is a methodology for Web applications, to test MS SQL injection vulnerability. The method used to explore the web to determine at all points of a web application that can be used to give MS SQLI. Building a targeted attack at these points based on the specified list models and methods of attack, the use of machine learning methods to improve their methods of attack. This method improves greater penetration of tests using machine learning methods approaches to guide their testing. However, as a "black box" and penetration testing methods that cannot be sure completeness (Halfond & Orso, 2006).

In this article, they present AMNESIA (Analysis and Monitoring for Neutralizing SQL-Injection Attacks), a tool that implements their technique for preventing SQL injection attacks. AMNESIA uses a model-based approach that is specifically designed to aim at SQL injection attacks and combines static analysis and runtime monitoring. It uses static analysis to analyze the Website code and automatically build a model of the legitimate queries that the application can generate. At runtime, the technique monitors all dynamically generated queries and checks them for compliance with the statically-generated model. When the technique detects a query that violates the model, it classifies the query as an attack, prevents it from accessing the database, and logs the attack information. Figure 2.1 shows the high level of AMNESIA (Halfond, W., & Orso, A. 2006).

Figure 2.1 High-level overview of AMNESIA (Halfond, W., & Orso, A. 2006)

SQL injection attacks pose a serious threat to Internet security applications because they can give attackers unrestricted access to databases that contain important information. This paper proposes the new approach, highly automated protection existingWeb applications that work with SQL injections. Their approach is conceptual and practical advantages compared with most existing methods. Of conceptually, the approach is based on a novel idea positive staining and the concept of syntax aware evaluation. From a practical point of view, their technique at the same time and effective and has minimal requirements for deployment. Figure 2.2 shows the high level overview of the approach and tool (Halfond, W., Orso, A., & Manolios, P. 2006).

Figure 2.2 High-level overview of the approach and tool (Halfond, W., Orso, A., & Manolios, P. 2006)

Web services are frequently used in critical software bugs that could be malicious exploitation. Web vulnerabilities Scanners are an easy way to check Web applications security vulnerabilities. However, previous studies have shown that the efficiency these tools in a web services environment are very poor. In fact, a large number of false positives and low coverage observed in practice, scroll severe limitations of these tools. The aim of this work is to demonstrate that it is possible to develop a vulnerability Scan to Web services, which performs many better than the commercials now. According to (Antunes, Laranjeiro, Vieira & Madeira, 2009), they propose an approach to the identification of MS SQL-injection vulnerability one of the most common and critical types of vulnerabilities in the Web environment. Experimental the evaluation shows that their approach performs much better than the well-known commercial tools, to achieve very high detection coverage, while maintaining very low false positives (Antunes, Laranjeiro, Vieira & Madeira, 2009).

It proposed a new technique to protect the web application by using stored procedures. This technique combines static analysis of application at runtime checks to eliminate the appearance of such attacks. In the static analysis software design and stored procedures for any operator of MS SQL, which depends on user input, use analyzer for the implementation of the declarations compare the original MS SQL structure for the inclusion user input. The deployment of this method can be automated and used in accordance with the need to read only. They also provide Preliminary assessment of the technical results proposal, as was done in a few stored procedures in database SQL Server 2005 (Wei, Muthuprasanna & Kothari, 2006).

This article presents a formal and methodical SQLI simulation by using augmented the attack trees. This model clearly reflects the particular thin incidents caused by the opponents and SQLI transitions. This State is the first known model tree attacks of SQL injection attacks. Figure 2.3 shows the Tree Modeling. (Wang, J., Raphael, C., Whitley, J., & Parish, D, 2010).

Figure 2.3: Augmented Attack Tree Modeling of SQL Injection Attacks (Wang, J., Raphael, C., Whitley, J., & Parish, D, 2010)

DATABASE SECURITY

Databases have become an essential part of the web-based applications in the modern world. These applications interact with databases using SQL queries embedded in the code. There are automated methods to test applications written in imperative and structured languages. However, the methodology for testing applications with built-in SQL queries at an early stage. In this approach there are three main steps: validation scheme, generation of test cases as shown in figure 3.3 and the last one is detection of vulnerabilities.

Attacks SQL injections are one of the most serious security threats. In this article, a new approach was proposed for testing applications in an inclusive way. This approach is a holistic one, is testing the system in real conditions, without any artifacts, to prevent possible attacks injections. Figure 2.4 shows AOP Based mechanism (Anchlia, A., & Jain, S. 2010).

Figure 2.4 AOP Based mechanism (Anchlia, A., & Jain, S. 2010)

As organizations increase their adoption of database systems as one of the key data management technology for the daily work and decision-making ingredients, the security of data held by this system becomes crucial. Damage and misuse of data not only affect a single user or application, but may effect throughout the organization. The recent surge distribution of Web applications its database backend further increased the risk exposure to the database outside world. There many of the recent reports by the external intrusion hackers who compromised the system databases. Nevertheless, there are insiders who abuse their privileges and access to the database for many intentions. For this reason, it is extremely important for us System of a secure database, both external and internal attacks. This article describes the database security threats and existing businesses, which were done to alleviate these problems. One possible solution is to use Intrusion Detection System (IDS). For this reason, the study offers a new MS SQL Injection and detection system of abuse by the Executive ensure a high level of security Database system (Asmawi, Sidek & Razak, 2008).

This literature does not apply to basic MS SQL syntax or MS SQL Injection. It assumes the reader has a strong understanding of these issues. This literature will focus on best practices that can be used in attack on the web the application using Microsoft SQL Server as a server. These methods demonstrate how an attacker can use the MS SQL injection vulnerability to extract the contents of the database because firewall and penetrate the internal network. This article is designed to train security professionals potentially devastating effects of MS SQL-injection can be an organization (Cerrudo, 2007).

SQL injection attacks raised as a serious Web data threat. To resolve this problem, the author shows the scheme of database security testing. It examines how identify potential entry points for SQL injection, automatically generate test cases and find a vulnerability of databases by running these tests for the application of modeling attacks. Safety testing database can be stopping SQL attack channels in the beginning. Figure 2.5 shows Testing model (Haixia, Y., & Zhihong, 2009).

Figure 2.5: Testing model (Haixia, Y., & Zhihong, 2009)

WEB SECURITY

When someone makes reservation and payment bills and shopping online, they hope that these web applications are safe and reliable. However, as the presence of these services has increased, there was a corresponding Increasing the number and sophistication of attacks that the purpose of them. One of the most serious forms of attack against web applications is SQL injection. Using SQL injection, attackers can precede sensitive information such as credit card numbers in databases and web applications to damage the database. In this article, they propose a new method SQL injection counter. The method combines conservative static analysis and performance monitoring to detect and suppress illegal query before his execution in the database. In the static part, the method is based conservative model of self queries can be obtained by application. In his dynamic part, the technique checks dynamically generated Query to perform static built models. Figure 2.6 shows example of interaction between user and a typical web application (Halfond, W., & Orso, A. 2005).

Figure 2.6: Example of interaction between user and a typical web application (Halfond, W., & Orso, A. 2005)

This literature provides a sound and complete algorithm to avoid based on context-free grammars and compiler analysis techniques. The main observation that for the attack, which receives the input deck to query the database or in the output document should be designed to change the syntactic structure of the query or document. And the algorithm is general and applies to many types of command injections. Then test their approach SQLCHECK (SQLCHECK is an attractive Performance Monitor for SQL Server. With this tool, you can explore, organizes and illustrates important data about your server’s hardware, operating system and SQL Server. With SQLCHECK's performance dashboard, you can speedily view full explanations and receive recovery suggestions), application to establish MS SQL injection attacks prompt. SQLCHECK was evaluated in real-world web applications with a systematic collected data as input actual attack. SQLCHECK produced no false positives and false negatives, incurred low yield overhead, and used directly in a web application Written in different languages (Su & Wassermann, 2006).

In recent years, Web applications have become extremely popular. The vulnerability widespread pursuant to the impact of organizations and companies to a wide range of risks, despite the numerous tools and techniques, attacks on Web applications is particularly through MS SQL-injection is increasing. Threat Simulation is an important risk assessment and a Mitigation practice, which provides an opportunity provide web-based applications. Fully developed the threat model can provide deeper understanding risks, but also to determine the degree of reduction action. This literature is beginning to model the risk of threats ADMIRE which is a comprehensive, structured and phased approach that will help you identify and mitigate SQL injection attacks and protect server database underlying database, which can be unauthorized bad faith reason access to Web-based applications (Madan, 2009).

A combinatorial approach to protect Web applications from SQL injection is described in this article, which is a new idea of incorporating the unique signature based on the method and the method of audit. From the perspective of a signature-based method of view, the present method for detection of SQL injection by acid pair wise arrangement of amino acid order code originated with a web form parameter, sent by a web server. Moreover, in terms of method based on the audit of view, analyzes the operation to find out unauthorized access. In the signature-based method uses an approach called Hirschberg algorithm, "divide and conquer to reduce the time and difficulty of space. This system was able to halt all attacks with success, and no false positives. Figure 2.7shows Combinatorial Approach for Preventing SQL Injection Attacks (Ezumalai, R., & Aghila, G, 2009).

Figure 2.7: Combinatorial Approach for Preventing SQL Injection Attacks (Ezumalai, R., & Aghila, G, 2009)

Correlations information various sources, was an effective method to improve detection performance, i.e. reducing both the speed false positives and the percentage of undetected intrusions. To do this, they collect the signs attacks on Web application in different layers of architecture, and to correlate them with the help of a systematic approach that applies a number of different anomaly detection model to combine data from multiple sources, which are in different places within the system, and transmitted information is different. Preliminary results of experiments show that by removing the alerts based on knowledge about the ability of individual probes to identify specific security malicious actions, the proposed approach indeed reduce the frequency of false positives and increase detection coverage. Figure 2.8 shows Correlation process (Ficco, M., Coppolino, L., Romano, L., Detection, K., Attacks, K., & Detection, K. 2009).

Figure 2.8: Correlation process (Ficco, M., Coppolino, L., Romano, L., Detection, K., Attacks, K., & Detection, K. 2009)

SOFTWARE GAPS

Web applications are the Achilles heel of their current ICT infrastructure. NIST National Vulnerability Database clearly shows that a significant percentage of vulnerabilities located in the application level have been rising steadily. Fire Web Applications Muro (WAFS) play an important role in the prevention of ex-Chion vulnerabilities in Web applications. However, the WAFS very pragmatic and ad hoc, and it is very difficult to establish precisely what security guarantees they offer. The main contribution to this literature, which shows how through a combination of static and dynamic control, WAFS can formally guarantee the absence of certain erroneous behavior in Web applications. They have made a prototype for this approach existing statistical tools for the control of Java, and they used their approach to J2EE applications, Web-based half Chion (Desmet, Piessens, Joosen & Verbaeten, 2006).

There are several problems faced in security applications. This literature emphasizes on the need for effective security testing and emphasizes the essence of the path of travel, MS SQL injection and cross site scripting. Regardless of how well the system can be developed, the nature of systems today's complex, with large amounts of code, complex internal interactions, interaction with an uncertain external components, unknown interdependencies, along with the selling price and schedule pressures, means that operational shortcomings will always be present or the surface over time. Therefore, security testing, you must fill the gap between development and actual operation of these systems. The organizations that are organized, systematic, complete, current priority security system tests, are better position to take the position of investment to improve the security of their systems (Dowd, McDonald & Schuh, 2006).

In this article they examine the design considerations for the honeypot application level to attract and learn about SQL-injection. Honeypot responds more details about the vulnerability of the assailants, ultimately, leads to misinformation, which may be useful for monitoring. Honeypot limit the escalation of attack aviation to the operating system or launch attacks against other systems. Honeypot can emulate the look of a common defense against SQL injection, in order to seem more real. Finally, the authors describe the considerations for deploying an experiment honeypot with honeyed (Chen, T., & Buford, J. 2009).

Figure 2.9: Experimental tested (Chen, T., & Buford, J. 2009)

In Fig.2.9 the public storefront web server is a conservative ecommerce application server that connects to a back office network for operation processing, database access, and other manufacture functions.

Figure 2.10: Populating and loading the SQL injection honeypot (Chen, T., & Buford, J. 2009)

In Fig.2.10 the simulator runs incessantly and drives both software agents which generate application traffic to the database, the data synthesizer to make periodic updates to the SQL injection database.

SUMMARY

This chapter has discussed the literatures related to MS SQL injection, web security, database security and software gaps. Next chapter will present the research methodology used in this study in order to achieve the objectives of this study.

Print Email Download Reference This Send to Kindle Reddit This

Share This Essay

To share this essay on Reddit, Facebook, Twitter, or Google+ just click on the buttons below:

Request Removal

If you are the original writer of this essay and no longer wish to have the essay published on the UK Essays website then please click on the link below to request removal:

Request the removal of this essay.


More from UK Essays

Doing your resits? We can help!