Hybrid method integrating SQL-IF and Naïve Bayes for SQL injection attack avoidance

Author(s):  
Faisal Yudo Hernawan ◽  
Indra Hidayatulloh ◽  
Ipam Fuaddina Adam

Web applications are the objects most targeted by attackers. The technique most often used to attack web applications is SQL injection. This attack is categorized as dangerous because it can be used to illegally retrieve, modify, or delete data, and even take over databases and web applications. To prevent SQL injection attacks from being executed by the database, a system that can identify attack patterns and can learn to detect new patterns from the various attack patterns that have occurred is required. This study aims to build a system that acts as a proxy to prevent SQL injection attacks using the Hybrid Method, which is a combination of the SQL Injection Free Secure (SQL-IF) and Naïve Bayes methods. Tests were carried out to determine the level of accuracy, the effect of the constant (K) in SQL-IF, and the effect of the number of datasets in Naïve Bayes on the accuracy and efficiency (average load time) of web pages. The test results showed that the Hybrid Method can improve the accuracy of SQL injection attack prevention. Smaller K values and larger datasets produce better accuracy. The Hybrid Method produces a longer average web page load time than using only the SQL-IF or Naïve Bayes method.

Author(s):  
Kasra Amirtahmasebi ◽  
Seyed Reza Jalalinia

Due to the huge growth in the need for Web applications worldwide, there have been huge efforts from programmers to develop and implement new Web applications to be used by companies. Since a number of these applications lack proper security considerations, malicious users are able to gain unauthorized access to the confidential information of organizations. A concept called SQL Injection Attack (SQLIA) is a prevalent method used by attackers to extract confidential information from organizations’ databases. They work by injecting malicious SQL code through the web application, causing unexpected behavior from the database. There are a number of SQL Injection detection/prevention techniques that must be used in order to prevent unauthorized access to databases.


2018 ◽  
Vol 7 (S1) ◽  
pp. 11-15
Author(s):  
S. Parameswari ◽  
K. Kavitha

SQL injection attacks are one of the highest dangers for applications written for the Web. These attacks are launched through specially crafted client input on web applications that use low-level string operations to build SQL queries. An SQL injection weakness permits an attacker to send commands directly to a web application’s underlying database and destroy functionality or confidentiality. In this paper we propose a simplified algorithm which works on the basic features of SQL injection attacks and successfully detects almost all types of SQL injection attacks. In the paper we have also presented the experimental results in order to demonstrate the proficiency of our algorithm.


Author(s):  
Sarjiyus O. ◽  
El-Yakub M. B.

SQL Injection attacks pose a very serious security threat to Web applications and web servers. They allow attackers to obtain unrestricted access to the databases underlying the applications and to the potentially sensitive and important information these databases contain. This research, “Neutralizing SQL Injection attack on web application using server side code modification”, proposes a method for boosting web security by detecting SQL Injection attacks on web applications through modification of the server code, so as to minimize vulnerability and mitigate fraudulent and malicious activities. This method has been implemented on a simple website with a database to register users, with an admin that has control privileges. The server used is a local server and the server code was written with PHP as the back end. The front end was designed using MySQL. The PHP server-side scripting language was used to modify the code. ‘PDO prepare’, a tool to prepare parameters to be executed, was used. The proposed method proved to be efficient in the context of its ability to prevent all types of SQL injection attacks. Acunetix was used to test the vulnerability of the code, and the code was implemented on a simple website with a simple database. Some popular SQL injection attack tools and web application security datasets have been used to validate the model. Unlike most approaches, the proposed method is quite simple to implement yet highly effective. The results obtained are promising, with a high accuracy rate for detection of SQL injection attacks.


2017 ◽  
Vol 2017 ◽  
pp. 1-12 ◽  
Author(s):  
Asish Kumar Dalai ◽  
Sanjay Kumar Jena

Reports on web application security risks show that SQL injection is the topmost vulnerability. The journey from static to dynamic web pages leads to the use of databases in web applications. Due to the lack of secure coding techniques, SQL injection vulnerability prevails in a large set of web applications. A successful SQL injection attack poses a serious threat to the database, the web application, and the entire web server. In this article, the authors have proposed a novel method for prevention of SQL injection attacks. The classification of SQL injection attacks has been done based on the methods used to exploit this vulnerability. The proposed method proves to be efficient in the context of its ability to prevent all types of SQL injection attacks. Some popular SQL injection attack tools and web application security datasets have been used to validate the model. The results obtained are promising, with a high accuracy rate for detection of SQL injection attacks.


Author(s):  
Shikhar Jain ◽  
Alwyn R. Pais

Web applications support static and dynamic queries to access the database. Dynamic queries take input from the user and use that input to form the query. A user can give malicious input to the application which results in an incorrect or unauthorized query and performs a harmful action on the database. In this paper, we present an approach to prevent SQL injection attacks (SQLIA) on .Net applications using static and dynamic analysis of the queries. The paper explains the comparison of the dynamic query model and the static query model in order to validate the query before sending it to the database. The result obtained proves that our designed tool has achieved prevention of SQL injection to a great extent.


2010 ◽  
Vol 1 (1) ◽  
pp. 20-40 ◽  
Author(s):  
San-Tsai Sun ◽  
Konstantin Beznosov

This article presents an approach for retrofitting existing Web applications with run-time protection against known, as well as unseen, SQL injection attacks (SQLIAs) without the involvement of application developers. The precision of the approach is also enhanced with a method for reducing the rate of false positives in the SQLIA detection logic, via runtime discovery of the developers’ intention for individual SQL statements made by Web applications. The proposed approach is implemented in the form of protection mechanisms for J2EE, ASP.NET, and ASP applications. Named SQLPrevent, these mechanisms intercept HTTP requests and SQL statements, mark and track parameter values originating from HTTP requests, and perform SQLIA detection and prevention on the intercepted SQL statements. The AMNESIA testbed is extended to contain false-positive testing traces, and is used to evaluate SQLPrevent. In our experiments, SQLPrevent produced no false positives or false negatives, and imposed a maximum 3.6% performance overhead with 30 milliseconds response time for the tested applications.


India, the biggest democratic ruling system in terms of population, utilises the Electronic Voting Machine (EVM) for its general elections. Any EVM consists of two units: the Control unit and the Ballot unit. Ongoing research has indicated many disadvantages in the system. One of the main disadvantages we encounter is that many researchers have claimed that the EVM can easily be tampered with. EVMs also face many physical threats. To address these drawbacks, we have proposed an online voting system which counters many physical difficulties faced by the EVM. One main difficulty in the online system is the SQL Injection attack. SQL injection is tampering with the database and controlling it with the help of SQL queries. Our project focuses on the Tautology based SQL Injection attack. In this attack, a statement whose value will always be true or 1 is passed instead of the username and password by the hacker. This grants access to the database, which allows him/her to manipulate it. Manipulation can be of several kinds. Web based voting is another rising innovation that has the potential to counter numerous downsides faced by the EVMs. The online voting application works as any other web application. Each voter who wants to vote needs to fill in all the required details and create an account on the website first. On the day of voting, when voters cast their vote, they need to sign in with their respective credentials. When the credentials match the data in the database, the voter can reach the voting page and make his choice. A confirmation mail is then sent to the voter after the choice has been successfully made. The votes cast by the voters are sent to a separate database which is viewed on the administration side. We use stored procedures and parameterized queries to prevent the Tautology based SQL attack. If a malicious user enters any query which has a value, it will simply be passed as a parameter to the SQL statement and won't be a component of the SQL statement itself, thus rendering the stored procedure invulnerable to SQL injection attacks. We also use the Secure Hash Algorithm 256 (SHA-256). It is a type of cryptographic hash function which generates a unique 256 bit long hash key for each vote. It is a one-way function and so it cannot be reversed. This ensures that the votes are not manipulated.
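The abstract above states the mechanism but not the code. The following is an added example (not the authors' implementation) that shows, against a constructed in-memory SQLite table, why a tautology in the username field defeats a login check built by string concatenation and is rejected by the same check written with bound parameters, plus a SHA-256 digest over a vote record of the kind the abstract describes. The table layout, the account `alice`, and the `voter_id|candidate` record format are assumptions made for the example.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Constructed credential store standing in for the voting site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO voters VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text, so a tautology
    in the username becomes part of the WHERE clause and the password check
    after it is never evaluated."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT COUNT(*) FROM voters WHERE username = '" + username
        + "' AND password_hash = '" + pw_hash + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened form: the driver binds the values separately from the SQL text,
    so the same input is compared literally against the username column."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM voters WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] > 0


# Constructed input of the kind the abstract describes: an always-true clause
# submitted in place of a username.
TAUTOLOGY = "' OR 1=1 --"


def demo_login():
    """Run both login checks with a legitimate credential and the tautology."""
    conn = make_db()
    return {
        "concat_legit": login_concatenated(conn, "alice", "correct horse"),
        "concat_tautology": login_concatenated(conn, TAUTOLOGY, "anything"),
        "param_legit": login_parameterized(conn, "alice", "correct horse"),
        "param_tautology": login_parameterized(conn, TAUTOLOGY, "anything"),
    }


def vote_digest(voter_id, candidate):
    """SHA-256 over a canonical vote record (assumed layout 'voter_id|candidate')."""
    return hashlib.sha256(f"{voter_id}|{candidate}".encode()).hexdigest()


def vote_intact(voter_id, candidate, stored_digest):
    """Recompute the digest and compare in constant time; False means the
    stored vote no longer matches the record it was hashed from."""
    return hmac.compare_digest(vote_digest(voter_id, candidate), stored_digest)


if __name__ == "__main__":
    print(demo_login())
    d = vote_digest("v001", "candidate-B")
    print(vote_intact("v001", "candidate-B", d), vote_intact("v001", "candidate-C", d))
```

With concatenation the tautology logs in without any valid password; with bound parameters the identical string is treated as a (non-existent) username and the login fails. The digest detects alteration of a stored vote only if the digest itself is kept somewhere the party who can rewrite the vote cannot also rewrite it; a hash column in the same table gives no such guarantee on its own.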


Author(s):  
Jayeeta Majumder ◽  
Gargi Saha

SQL injection attacks are a serious security threat to Web applications. They allow attackers to obtain unrestricted access to the databases underlying the applications and to the potentially sensitive information these databases contain. Various researchers and practitioners have proposed methods to address the SQL injection problem. To address this problem, we present an extensive review of the various types of SQL injection attacks known to date. For each type of attack, we provide descriptions and examples of how attacks of that type could be performed. We also present a methodology to prevent SQL injection attacks. It concentrates on the SQL queries and SQL stored procedures where input parameters are injected by the attacker. Rigorous input validation under our proposed SQL security model ensures that inputs are validated.


Author(s):  
Ahmad Hammoud ◽  
Ramzi A. Haraty

Most Web developers underestimate the risk and the level of damage that might be caused when Web applications are vulnerable to SQL (structured query language) injections. Unfortunately, Web applications with such vulnerability constitute a large part of today’s Web application landscape. This article aims at highlighting the risk of SQL injection attacks and provides an efficient solution.


2013 ◽  
Vol 651 ◽  
pp. 841-845
Author(s):  
Wu Min Pan

SQL injection has become a serious security risk among all the attacks against Web applications. The SQL injection attack allows an attacker to access the underlying database without restriction and, furthermore, to retrieve the confidential information of the corporation and the network user. We found that most of the existing research is able to detect most of the attacks, but does not consider the complexity involved in using the defense system and the eventual cost of modifying the original program. For this reason, we conduct in-depth research on SQL injection and a defense that requires no modification of the web application code, can be adapted to different usage scenarios involving different operating systems and server applications, and can detect all the known injection points for the test application.

