Providing Security against SQL Injection Attack in Web Application
Authors: Jae-Chul Park and Bong-Nam Noh
The Internet is used all over the world and its use is increasing day by day. A web application is an application that is accessed over a network such as the Internet. In this new generation everything has to be done quickly and without much overhead, so organizations widely use web applications to provide their broad range of services to the public.

Web applications are widely deployed on the Internet. With this deployment various anomalies also occur, and questions arise about security whenever one uses the Internet. Security may be related to system vulnerabilities such as worms and viruses, or to unauthorized access to a system [1]. Nowadays, problems with cyber attacks, that is, unauthorized access, are increasing rapidly. Many hackers continuously invent new mechanisms to harm website security.

A capable mechanism is required to prevent such problems so that the Internet can be used in a more secure way.
Problem Statement
This project proposes to implement a method that helps to detect and prevent SQL Injection Attacks in web applications.
Project Objectives
The project has the following objectives:
1) To analyze the different queries frequently used in web applications.
2) To analyze different methods for detecting SQL Injection Attacks.
3) To generate the sequences of queries produced by the web application.
4) To calculate the alignment between two sequences using the Needleman-Wunsch algorithm.
5) To analyze the output to determine whether a query is malicious or not.
6) To give organizations a security system that prevents unauthorized persons from accessing their databases, using pairwise sequence alignment.
SQL Injection
SQL Injection is a way to attack the data in a database through the firewall protecting it. It is a method by which the parameters of a web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (') to a parameter, it is possible to close the intended string literal early and cause a second query to be executed along with the first.
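The single-quote behaviour described above, shown as an added example that is not part of the original post or of the project's Java code. It uses an in-memory SQLite table standing in for the application's MySQL users table (a constructed assumption) and places the string-concatenated query beside the parameterised form that a defender should use instead:

```python
import sqlite3

# Constructed sample data standing in for the web application's MySQL users
# table (an assumption made for this example, not the project's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def build_query_concat(name):
    """Vulnerable pattern: the request parameter is pasted into the SQL text.
    A single quote inside the parameter closes the string literal early, so
    whatever follows it is parsed as SQL rather than treated as data."""
    return "SELECT name, role FROM users WHERE name = '" + name + "'"

def lookup_user_concat(conn, name):
    """Runs the concatenated statement; the database executes whatever the
    parameter turned the statement into."""
    return conn.execute(build_query_concat(name)).fetchall()

def concat_query_fails(conn, name):
    """True when the concatenated statement is rejected as malformed SQL,
    which is the first visible symptom of a quote inside the parameter."""
    try:
        conn.execute(build_query_concat(name))
        return False
    except sqlite3.OperationalError:
        return True

def lookup_user_safe(conn, name):
    """Hardened form: a parameterised query. The parameter is bound to the
    placeholder as a value, so quotes inside it never change the statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing a quote: the safe form simply finds no row,
    # the concatenated form produces a syntax error.
    print(lookup_user_safe(db, "O'Brien"))       # []
    print(concat_query_fails(db, "O'Brien"))     # True
    # The tautology from the list of attack types: the safe form still finds
    # no row, while the concatenated form returns every user.
    print(lookup_user_safe(db, "' OR '1'='1"))   # []
    print(lookup_user_concat(db, "' OR '1'='1")) # both rows
```

The JDBC equivalent of `lookup_user_safe` is a `PreparedStatement` with `?` placeholders; the detection scheme described later in this post is a second layer on top of that, not a replacement for it.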
Types of SQL Injection Attacks
The different types of SQL Injection Attacks are listed below.
1. Piggy-backed Queries
2. Tautologies
3. Union Query
4. Alternate Encodings
5. Illegal/Logically Incorrect Queries
6. Stored Procedures
Basic Concepts
For SQL Injection detection we use the pairwise sequence alignment method, which is commonly used in bioinformatics. Pairwise sequence alignment methods are used to find the best-matching piecewise (local) or global alignment of two query sequences. One approach used in pairwise sequence analysis is dynamic programming. There are two algorithms based on dynamic programming that can be used for sequence alignment [10] [12]. These are:
1. Smith–Waterman algorithm (local alignment)
2. Needleman–Wunsch algorithm (global alignment)
Step 1: Parameter Data Collection
Although parameter data has specific features for each application and service, there is a common rule and keyword for sending a user's input value to the web server via the web browser. To send it, web applications use the POST or GET command. The POST command delivers the web user's request through the standard input of the application program, while the GET command sends it through environment variables.

Step 2: Keyword Replacement Matrix
The collected data is transformed into amino acid codes by referring to the Keyword Replacement Matrix, which is built by designating the keywords to be extracted. The Keyword Replacement Matrix consists of the database query keywords mainly used in web attacks, operators such as plus (+) and minus (-), and special characters including hash (#) or hyphen (-). The Keyword Replacement Matrix is a 20x20 matrix.

Step 3: Producing the Normal Parameter Profile
The profile is comprised of the total length of the sequence, the replaced amino acid codes and the query string. Any web application uses a fixed number of queries. These queries are transformed into amino acid codes using the Keyword Replacement Matrix. Among the resulting amino acid code sequences some are identical, and the duplicates are eliminated. All the amino acid code sequences are kept in the profile together with their lengths, and each amino acid code sequence is given a number.

Step 4: Alignment
In this step, take the amino acid code sequence 'A' of the query that is about to execute, and take a second amino acid code sequence 'P' from the profile that has the same length as 'A'. The identity between them is then calculated. To calculate the identity, first perform an alignment between the two sequences; the alignment is performed using the Needleman-Wunsch algorithm.
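The four steps above carried through end to end, as an added example in Python (my own code, not the project's Java implementation). The keyword replacement table, the alignment scoring (match +1, mismatch -1, gap -1), the identity threshold of 0.8, the fallback to every profile entry when none has the same length as the incoming sequence, and the sample normal queries are all assumptions made for this example; the project's 20x20 Keyword Replacement Matrix is not reproduced here.

```python
import re

# Constructed keyword replacement table (an assumption standing in for the
# project's 20x20 Keyword Replacement Matrix): each SQL keyword, operator or
# special character maps to one letter of the 20-letter amino acid alphabet.
KEYWORD_CODES = {
    "select": "S", "from": "F", "where": "W", "and": "A", "or": "R",
    "union": "N", "insert": "I", "update": "P", "delete": "D", "drop": "T",
    "=": "E", "+": "L", "-": "M", "'": "Q", '"': "Q", ";": "C", "#": "H",
    "--": "H", "(": "G", ")": "G", ",": "K",
}
VALUE_CODE = "V"  # any other token is treated as a user-supplied literal value
TOKEN_RE = re.compile(r"--|[A-Za-z_][A-Za-z0-9_]*|\d+|[=+\-';\"#(),]")

def to_sequence(text):
    """Step 2: turn a query string into a code sequence via the replacement table."""
    return "".join(KEYWORD_CODES.get(tok.lower(), VALUE_CODE)
                   for tok in TOKEN_RE.findall(text))

def build_profile(normal_queries):
    """Step 3: de-duplicated code sequences, each numbered and stored with its length."""
    seqs = []
    for q in normal_queries:
        s = to_sequence(q)
        if s not in seqs:
            seqs.append(s)
    return [(i + 1, len(s), s) for i, s in enumerate(seqs)]

def needleman_wunsch(a, b, match=1, mismatch=-1, gap=-1):
    """Step 4: global alignment by dynamic programming.
    Returns (score, aligned_a, aligned_b) with '-' marking gaps."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = score[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            score[i][j] = max(diag, score[i - 1][j] + gap, score[i][j - 1] + gap)
    # Trace back from the bottom-right cell to recover one optimal alignment.
    i, j = n, m
    out_a, out_b = [], []
    while i > 0 or j > 0:
        if i > 0 and j > 0 and score[i][j] == score[i - 1][j - 1] + (
                match if a[i - 1] == b[j - 1] else mismatch):
            out_a.append(a[i - 1])
            out_b.append(b[j - 1])
            i -= 1
            j -= 1
        elif i > 0 and score[i][j] == score[i - 1][j] + gap:
            out_a.append(a[i - 1])
            out_b.append("-")
            i -= 1
        else:
            out_a.append("-")
            out_b.append(b[j - 1])
            j -= 1
    return score[n][m], "".join(reversed(out_a)), "".join(reversed(out_b))

def identity(aligned_a, aligned_b):
    """Fraction of alignment columns in which both sequences carry the same code."""
    matches = sum(1 for x, y in zip(aligned_a, aligned_b) if x == y and x != "-")
    return matches / len(aligned_a)

def classify(query, profile, threshold=0.8):
    """Align the incoming query's sequence against the profile entries of the
    same length (all entries if there is none, an assumption of this example)
    and flag the query when the best identity falls below the threshold."""
    a = to_sequence(query)
    same_len = [p for _, n, p in profile if n == len(a)]
    candidates = same_len or [p for _, _, p in profile]
    best = 0.0
    for p in candidates:
        _, x, y = needleman_wunsch(a, p)
        best = max(best, identity(x, y))
    return ("normal" if best >= threshold else "suspicious", round(best, 3))

# Constructed sample of the application's normal queries (not from the project).
NORMAL_QUERIES = [
    "SELECT name FROM users WHERE id = 42",
    "SELECT name FROM users WHERE id = 7",          # same shape as the first
    "SELECT price FROM items WHERE code = 'AB12'",
]
PROFILE = build_profile(NORMAL_QUERIES)

if __name__ == "__main__":
    print(PROFILE)
    print(classify("SELECT name FROM users WHERE id = 99", PROFILE))
    print(classify("SELECT name FROM users WHERE id = '' OR '1'='1'", PROFILE))
```

With these parameters a query of the usual shape aligns with identity 1.0, while a tautology inserted into the `id` parameter lengthens the code sequence with extra quote, operator and `OR` codes, so its best identity against the profile drops to roughly 0.59 and it is flagged. The threshold is the tuning knob: lowering it reduces false positives on unusual but legitimate queries, raising it catches shorter injections.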
Development Tool Kit
1 Apache Tomcat
Apache Tomcat (or simply Tomcat) is an open source servlet container developed by the Apache Software Foundation (ASF). Tomcat implements the Java Servlet and JavaServer Pages (JSP) specifications.
2 MySQL Database
MySQL is a relational database management system (RDBMS) that runs as a server providing multi-user access to a number of databases.
3 JavaScript
JavaScript is a scripting language used to enable programmatic access to objects within both the client application and other applications. It is primarily used in the form of client-side JavaScript.
4 Servlets
Servlets are mainly used as a controller between the JSP pages and the Java classes. The servlet comes into action when we need to call a Java class from the JSP page.
5 Java Server Pages
JSP is mainly used for providing the web-based user interface. In JSP, Java code and HTML code are used together. Regular HTML is written in the normal manner, using familiar web-page-building tools.
6 Java Database Connectivity
JDBC stands for Java Database Connectivity. It enables Java programmers to write code that uses SQL queries to access a relational database system.
Design Goals
Certain design goals are identified and prioritized that may help or drive the design of the system. The design architecture of the system should achieve as many of the design goals as possible. The design goals identified and prioritized for this system are listed below:
(i) The most important design goal is to achieve all the functional requirements of the system.
(ii) Flexibility to add to or extend the design.
(iii) The system should be modifiable and loosely coupled.
(iv) The system must be secure.
Conclusion
This project describes the challenges that Internet applications that make use of a database system face in terms of security and the protection of private data. SQL-I attacks are a legitimate threat that endangers the confidentiality of data and may cost an organization a great deal of money and even its reputation. We have covered the discussion of SQL Injection attacks and their detection methods. We have discussed two methods to detect SQL injection attacks:
1. IDS system
2. Pairwise sequence alignment
In the IDS method the attack patterns are already stored in the database and the user's input is checked against that database. If the input matches a stored pattern it is not passed further; otherwise the user is allowed to perform the required transaction. This method is not able to block every type of attack pattern, so we adopted the other method.