With the widespread popularity of the Internet, computer network technology and communication technology also developed rapidly, most of the website platform relies on client / server structure interactive mode to communicate with the customers. The model significantly increased the interaction between the user and the server. In the interaction, the users through the web, required to submit the form to the server, after execution of the server-side then feedback to the users. The model brings us convenient, at the same time some of the illegal users to use of the SQL injection vulnerability and Cross Site Scripting vulnerabilities to attack the servers and the client. (Gollmann, 2012).
SQL injection vulnerability exists in the application database layer, an attacker could exploit the vulnerability to entrainment of SQL command in the input string (Mahapatra, 2012), once the application ignores the check, these entrained instruction will be mistakenly believe that by the database server is the normal SQL command and executed, the structure of the database and system data will be leakage.
Almost all banks, securities, telecommunications, mobile, government and e-commerce companies are providing online transactions, queries, and interactive services (Bangre & Jaiswal, 2012). An attacker could exploit the cross-site scripting to stole the user's personal privacy and deceive the consumer to consume. Generally, all the information is stored in the back-end database through the Website. Once the online server paralyzed or just in normal operation, however, the backstage data has been tampered or stolen, will causing in great loss of business or personal (Mahapatra, 2012).
Generally there are two types of SQL injection: the Normal SQL Injection and the Blind Injection.
Normal SQL Injection
The normal SQL injection is the developer leak to check the user input carefully, the users could directly insert the SQL statement to the input box. Unexpectedly, these statements to be executed, once the attacker not only steal the data in the database. Generally, there are 3 means of the normal SQL Injection: String SQL Injection, Numeric SQL Injection and Database Backdoors.
String SQL Injection
String SQL Injection means to insert the SQL commands into a Web form to submit or enter the domain name or page request query string then achieve deceive server to execute malicious SQL commands
Figure 1 SQL platform to help the staff to view their credit card numbers
Generally, the user just needs to type the name then check their credit card numbers. However, the author does not check the contents of the input box, and the staff can casually entrain the SQL strings in the input box. "Smith' or 'a'='a" is a simple SQL statement, when we try to type it into the box and submit it, the injection occurred.
Figure 2 all the staff's credit card and details displayed
In the injection, "Smith' or 'a'='a" the condition of the expression always true, all staff's details displayed. Almost websites cannot be separated from the databases; especially the BBS and shopping site with a large amount of user privacy stored in the back-end database, database security issues is significant for the sites (Yang, et al, 2010). Once the database is attacked, a large number of user information will be leakage.
Generally, there are varieties type of users in a database system, different users will be assigned different user privileges (Yang, et al, 2010). When login the platform or the system, it is essentially to verify the username and password. However, some administrators of the database not tightly enough to verify the user login, make use of SQL string statement the attacker could easily bypass the validation login to the system.
Figure 3 Login window of a management platform
The Login window is a company's management platform entrance. The login authentication of the system is exist in name only; typically, just the boss or administrator of the system can view and use all function of the system. However, in the system the password is unnecessary; any one could as the boss Neville directly login the system.
Figure 4 the SQL String statement used
In the password verification, the SQL statement "x' or 'a'='a" the condition of the verification always true, the attacker easily login as the boss also get the right of database then free to modify the database.
Figure 5 as the boss without password successfully log in the system
Login authentication is significant aspect of a system. In this scenario, the attacker can make use of all the functions of the database system, casual modify the employee information, delete and create a configuration files, in terms of it is a deadly to a database system.
Numeric SQL Injection
The Numeric SQL Injection is similar to the String SQL Injection; in a Numeric SQL Injection just use the numeric characters to establish the expression then achieve the purpose of the invasion of the database.
Figure 6 the weather data View
The graph shows the Numeric SQL injection of weather data view in the Webgoat. Normally, the user could just choose one city from the drop-down menu then view the weather conditions details of the city which the user selected. However, in the process of the data submitted auditing is not tight enough; the attacker could casual insert the SQL injection code in the submission process to get some information which is not allowed.
Figure 7 the SQL code could be submitted
Figure 8 every city's weather condition be showed
In the Numeric SQL injection, the command line 101 OR 1=1 the SQL Statement always true for every city, the attacker could get all city's weather condition.
There has been a large amount of personal information was leaked in today's social activities (Bangre & Jaiswal, 2012). The organizations and companies pay much attention to protect the privacy of their staffs. However, nothing is perfect, still some companies leak to protect the privacy.
Figure 9 login window of a company
The login window of a company in the Webgoat. Generally, after authentication the staff just to view their own details and profile. However, when the logged staff submitting the view profile request, the staff can also entrain the SQL statement into the expression then view other staff's details.
Figure 10 the SQL statement entrained when submitted
In the injection, the statement "101 OR 1=1" always true, the attacker successfully view the profile of the staff. The boss generally earn the highest salary in the company, the statement "ORDER BY salary desc" to list the salary of the staff in descending order then directly access the profile of the boss.
Figure 11 the detail of the boss
Normal SQL injection is relying on the reverse query to the database, by the feedback of the erroneous information from the database to achieve the database injection. However, even if there is no error message, or a different error message displayed, the attacker still could do some injection to the database (Spett, 2005). By varying the SQL query, the attacker may get the "true / false" information from the database then reason and analysis the data of the SQL database.
Figure 12 Blind Injection to find the username
The Blind Injection part of the Webgoat, depend on a true / false test check of the back-end database to analysis which user's ID is 15613.
Figure 13 JHijack to test the letters one by one
Generally, the people's name just consists of 26 letters. In the injection test, according to the content displayed "Account number is valid" returned by the database and the ASCII of the letters, use the JHijack to conduct the test to the 26 letters one by one. In the test, the correct user's name is Joseph.
Compared with the common injection, the blind injection will consume a lot of time, a large number of tests needed in the course of the attack, the administrators may aware of the testing process. However, when the blind injection succeeds, it will have a more powerful attack forces, even there will not any trace in the process of the attack.
The prevention and solution of the SQL injection
The server's security measures not be effectively to prevent SQL injection, but can reduce the threat of SQL, to prevent the disclosure of confidential data. If the safety coefficient of the server is not sufficient the hacker may directly penetrate the server. Typically, there are 4 different technologies to prevent the SQL injection.
Based On the Normal Behavior Model AMNESIA
The core idea of the algorithm is in advance to find all dynamic SQL statements in the source code in the constructor point, build the automata model profiler to all the SQL statements (Balasundaram & Ramaraj, 2011), to monitor the programs' SQL statements submitted whether satisfies to the Profiler. If it is satisfied then a normal operation, otherwise, the SQL injection attacks occurred.
Based On the Digital Signature SQL Rand
The main idea of the algorithm is: randomized encoding the dynamic SQL statements keywords in the source code, the attacker cannot predict the random encoding rules. When the program is running, the randomized coding SQL statements will be decode, if the decoding id failed, then the SQL injection attacks happened.
Jointly determine of the above two methods, based on the modification of the source code, it is an intrusive solution, the deployment of the solution is more responsible to a simple website.
Based On The keywords Of the Signature
The keywords of the Signature are based on the IDPS (Kadirvelu & Arputharaj, 2011). Firstly, extract the special characters and keywords appeared in the SQL injection, make the special characters and keywords as the voucher of the SQL injection. Secondly, Rely on the voucher to set up the SQL Injection feature library make the comparison between the current and the stored, if not match then the injection occurred. However, the relatively high rate of false positives and misdiagnosed, the technology is not widely used.
Web-Firewall-based anomaly detection
The Web-Firewall-based anomaly detection is widely used in Small and Medium Enterprises. The core of the technology is to establish the parameters of the normal use model for Web applications automatically through the learning phase of training (such as URL, COOKIE) (Shi & Kong, 2009). In the real detection process, it is based on the model to determine the various lines in the actual network which is abnormalities. The strength of the method is the ability to unrestricted discovery of abnormal behavior.
There are variety kinds of modus and technology be used to prevent the SQL injection. However, the artificial factors are the most important. The administrator plays a significant role in design and maintenance the database.
Almost injection attacks are attempt to execute the malformed SQL statement then based on the IIS server returning error messages to determine the attack. The administrator force to setting the IIS server, whether what types of the malformed SQL statement, just return the error message, the attacker will not gain the valuable content from the error prompt.
In SQL server, the configuration should be strictly accurate to user authority to operate each table in a database. Generally, users should just use database role not the server roles group.
File encryption is an effective way to protect the database file. In order to prevent the attacker bypass authentication to access and modify the connected database files, even though the database files is stolen, the attacker still cannot get the content of the database.
As an administrator of the system and database apply the latest patches to DBMS and operating system is an indispensable thing.
Cross-Site Scriptingï¼ŒXSS, allow a malicious Web site operator to abuse the trust of Web users on unrelated third-party sites, execute arbitrary script on the end-user system (Jeremiah, 2007). When XSS attack occurred the attacker could run malicious in other user's browser.
When a Cross-Site Scripting succeeds, the attacker can do three things:
Steal a cookie, cookies generally control access to Web applications, if an attacker to steal the victim's cookie, the attacker can use the victim's cookies to completely control the victim's account.
Counterfeit Web applications, the attacker can make use of the XSS to social engineering. When XSS attacks occurred, the attacker is able to completely control the appearance of the Web application. It can be used to vilify the web; the attacker can be used to launch a phishing attack: force the user to provide confidential information to an attacker (Kevin, 2005). By using the document.body.innerHTML the attacker able to provide a login page extremely similar to the real one to trick the users to offer banking or credit card information, but when the form submitted, the data already sent to the site of the attacker's server.
By the XSS, the hackers can impersonate legitimate users of the Web application to do some things:
Send e-mail on behalf of the user
Get the user's contact list
Edit the privacy / logging settings
Apply for credit cards
Change of Address
Stored Cross-Site Scripting
Stored cross-site scripting vulnerability appeared in the case of the data provided by the web application. Mainly refers to stored, persistent or the vulnerability attacked twice (Kirda, et al, 2006). The attacker needs to some way to enduring saved the code on the server, whenever the codes are read and displayed on the dynamic pages, the user who browse the webpage will be attacked.
In terms of a management platform the ordinary staff can view and modify their own data, the administrator could just view the information of the general staff
Figure 14 the login window of a management platform
In the management platform login as Larry, no any detection to the strings, attacker could simply insert the injection code in the street field. Login as Moe, the manager of the system when Moe view Larry's profiles Moe will be attacked by the cross site script.
The reflected cross-site vulnerability is the most common cross-site scripting vulnerabilities, it is appeared in the web client using server-side script to generate page then provide the data to users (Kirda, et, al, 2006). Mainly, it is a non-persistent or reflected vulnerability. If the user data contains in a page without html entity encoding, the client code may injected into the dynamic page.
The Webgoat provide a management platform, the employees could use the search staff to find the different staff in the system. In the test, there is no any measure to detect the data entered by the user; the intruder successfully injected the invasion code.
The Prevention and Solution of the Cross Site Scripting
Prevent application code injection and XSS key is to ensure that the dynamically generated page content does not contain unwanted HTML tags.
In most cases, the remote code injection attacks are likely to be submitted by the user through the HTML form data. A valid method to reduce XSS is just allows the HTTP POST request to submit the form to the servers (Günter, 2002). In the HTTP GET request, will allow potential attackers to assign a new URL that contains the problematic code. When writing server-side applications, it is extremely important to ensure that the client data can just submit through an HTTP POST variable.
Many applications depend on cookies to manage the communication, make the user information stored locally. The application developers must be thorough inspection and filtering to ensure all of the cookie information then inserted into the HTML file. Otherwise, the attacker just needs simple modifications to the cookies to make their attacks persistence.
In some cases, using a unique URL for each active user session identifier to prevent an attacker using a remote URL code insertion to attack the website (Günter, 2002). When the site accessed by user, it will automatically assigned a unique session ID to the user, if a visitor tries to access a URL without valid session ID in the URL, it will be automatically redirected to the start page and issued one. In addition, the session ID also could be contains a hash function or checksum of the user IP address.
HttpOnly was initially proposed by Microsoft. Currently a variety of popular web browser vendors use it to address the Cross Site Scripting. The function of HttpOnly is not to filter XSS cross-site scripting attacks. Instead, the browser will be banned Java script access to the page with HttpOnly attribute cookies, to solve the Cross Site Scripting attacks cookie session hijacking behavior.
In the Microsoft Internet Explorer 8 it contains the XSS (cross-site scripting attacks) filter. In IE8's XSS filter, it is automatically monitor all requests and respond to the browser, when XSS found automatically defense the attack.
Basically, for the client users could take the following methods to prevent the occurrence of the cross-site scripting.
Prudently access the hyperlink provided in the e-mail and webpages, when necessary use the search engines to looking for some relevant information to verify the authenticity and legitimacy.
For individual concerned, there are certain difficulties in preventing cross-site scripting. Generally by improving the security level of the browser to blocks those scripts not signed and certified by the companies or organization.
Enhance the safety awareness. It is essential to install anti-virus software and upgrade the software.
An attacker using the cross-site scripting vulnerability in the victim's browser must allow some form of embedded scripting language, the proper filter user submitted data, can reduce the successful rate of the cross-site scripting.
The responsibility to the web page developers to modify and update their web pages, in order to eliminate the attacks to the website. While this does not completely address the threat of cross-site scripting attacks, but the emergence of cross-site scripting attacks can be reduced to a large extent. Even if a small cross-site scripting vulnerability will endanger the security of the entire Web server.
The main point of this paper is the SQL injection and Cross site Scripting. In this research, many typical SQL injection and Cross Site Scripting vulnerability has been listed. Both of the SQL injection attacks and Cross-site Scripting injection mainly depends on the programming flaws in the development process, such attacks could easily bypass most traditional firewall. Go back to the research and analysis of the injections; almost the SQL injection and Cross-site Scripting injection just rely on the simple vulnerability of the database and website. The main point to the prevention of the SQL injection and Cross-site Scripting is to pay much attention to the details of the database and websites, most of the attacks are caused by the imperfect of the details of the database and website.