Neutralizing SQL Injection Attack on Web Application Using Server Side Code Modification

Authors

  • Sarjiyus O.  Department of Computer Science, Adamawa State University, Mubi, Nigeria
  • El-Yakub M. B.   Department of Computer Science, Adamawa State University, Mubi, Nigeria

DOI:

https://doi.org/10.32628/CSEIT1952339

Keywords:

Injection, Vulnerability, Modification, Attacks, Database.

Abstract

SQL Injection attacks pose a very serious security threat to web applications and web servers. They allow attackers to obtain unrestricted access to the databases underlying the applications and to the potentially sensitive and important information these databases contain. This research, “Neutralizing SQL Injection attack on web application using server side code modification”, proposes a method for improving web security by detecting SQL Injection attacks on web applications through modification of the server-side code, so as to minimize vulnerability and mitigate fraudulent and malicious activities. The method has been implemented on a simple website with a database that registers users, with an admin account holding control privileges. The server used is a local server, and the server code was written in PHP as the back end. The front end was designed using MySQL. The PHP server-side scripting language was used to modify the code, with ‘PDO prepare’, a facility for preparing parameterized statements before execution, applied to the database queries. The proposed method proved to be efficient in its ability to prevent all types of SQL injection attacks. Acunetix was used to test the vulnerability of the code, and the code was implemented on a simple website with a simple database. Some popular SQL injection attack tools and web application security datasets have been used to validate the model. Unlike most approaches, the proposed method is quite simple to implement yet highly effective. The results obtained are promising, with a high accuracy rate for detection of SQL injection attacks.
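To make the server-side modification the abstract describes concrete, here is an added example (not the paper's own code) showing a string-concatenated login query beside its PDO prepared-statement replacement, plus a parameterized user registration. The table and column names (users, username, password_hash), the DSN and the credentials are assumptions.

```php
<?php
// Added illustration, not the paper's code. Assumed schema:
//   users(id, username, password_hash)

// --- Before: user input is spliced into the SQL text, so any quote or
// comment sequence inside $username changes the statement the server parses.
function findUserUnsafe(PDO $db, string $username): ?array {
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- After: PDO prepare sends the statement template and the value separately,
// so the input is always treated as data and never as SQL syntax.
function findUserSafe(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Registration uses the same pattern; the password is stored as a hash, never as text.
function registerUser(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Connection settings that make the protection real: disable emulated prepares so
// MySQL itself parses the template, and raise exceptions instead of returning false.
function connect(string $dsn, string $user, string $pass): PDO {
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Usage against an assumed local MySQL database named 'app'.
$db   = connect('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret');
$user = findUserSafe($db, $_POST['username'] ?? '');
if ($user !== null && password_verify($_POST['password'] ?? '', $user['password_hash'])) {
    echo 'login ok';
} else {
    echo 'invalid credentials';
}
```

A vulnerability scanner such as the Acunetix run mentioned in the abstract flags the first form and not the second, because only the prepared statement keeps the query structure fixed regardless of input.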

Published

2019-04-30

Section

Research Articles

How to Cite

[1]
Sarjiyus O., El-Yakub M. B., "Neutralizing SQL Injection Attack on Web Application Using Server Side Code Modification", International Journal of Scientific Research in Computer Science, Engineering and Information Technology (IJSRCSEIT), ISSN: 2456-3307, Volume 5, Issue 3, pp. 158-173, May-June 2019. Available at doi: https://doi.org/10.32628/CSEIT1952339