
[IEEE 2014 International Conference on Signal Propagation and Computer Technology (ICSPCT), Ajmer, 12-13 July 2014]

A Two Tier Defense Against SQL Injection

Naresh Duhan, Department of CSE, UI.E.T, Kurukshetra University, India, naresh _ [email protected]

Abstract- In recent years, with the increase in ubiquity and popularity of web based applications, information systems are frequently migrated to the web, which jeopardizes the security and privacy of their users. One of the easiest and most hazardous security attacks confronted by these systems is the SQL injection attack (SQLIA). A SQL injection attack is a method that can insert any malevolent query into the original query statement. In this paper, we demonstrate an efficient approach for securing web applications from SQL injection, which combines client side validation and identity based cryptography. To affirm the technique we examine it on some prototype web applications generated by web developer tools, which shows that our approach is secure and efficient; hypothesis testing is also done to validate the results.

Keywords-Injection attack; SQLIAs; SQL Injection; SQL Query; Web application

I. INTRODUCTION

Due to internet evolution and expansion, most applications have now migrated to the web. As a consequence, the security risks associated with these web applications also increase proportionately. Most web applications have vulnerabilities in them through which various attacks are feasible. The SQL injection attack is the most serious and topmost attack in the top ten vulnerability list defined by OWASP [1]. As per the Imperva web application attack report 2013, a single website receives around one lakh (100,000) SQL injection attack requests in a day. SQL injection is a code injection technique used against web applications; because the payload travels inside ordinary HTTP requests, a network firewall does not stop it. With the help of injection, a security vulnerability of any web application in the database layer can be exploited. The attack is possible because queries are generated dynamically from user input. SQLIAs pose a serious threat to web security, as they grant malicious users unrestricted access to the databases. To address this problem a variety of methods and techniques are available, but in spite of that attackers always find new types of attacks to exploit web applications. In this paper we present the background of SQL injection attacks, a detailed review of various SQL injection vulnerabilities and their prevention approaches, and propose an efficient approach using two circles of defense to detect new attack types and to prevent SQLIAs. The rest of the paper is organized as follows: In section II we discuss web application architecture, the background of SQLIAs and their types. In section III we survey various SQL injection detection and prevention approaches. In section IV the design framework of the proposed approach is explained, and Section V shows results. In section VI testing is done based on the results, and Section VII ends with the conclusion.

Bharti Saneja, Department of CSE, UI.E.T, Kurukshetra University, India, [email protected]

978-1-4799-3140-8/14/$31.00 ©2014 IEEE

II. WEB APPLICATION ARCHITECTURE AND SQLIAs

In order to understand SQL injection attacks we must have knowledge of web application architecture and of the types of SQL injection attacks made on these web applications. Every web application is designed based on the three tier architecture shown in Fig. 1 [2].

1.) Presentation Tier: This tier receives input from the user and displays output to the user. It works as a graphical user interface (GUI) which directly interacts with the user.

2.) CGI Tier: This tier lies between the presentation tier and the database tier. Data processing is done in this tier, i.e. the data which the user inputs is stored in the database, and when that data has to be retrieved it is first sent to the CGI tier, which then sends it to the presentation tier for viewing. This tier can be programmed in any server scripting language such as JSP, PHP or ASP.

FIG. 1. WEB APPLICATION ARCHITECTURE

3.) Database Tier: This tier stores and manages all the sensitive data of the web application. This tier is responsible for granting access to authenticated users and rejecting malicious users.

SQL Injection attack occurs between the presentation tier and the CGI tier of the web application. When a user enters a user name and password, the presentation tier sends the data to the CGI tier using the GET or POST method. The CGI tier contains the SQL queries that connect to the database and process the data. When a user enters an id such as 1' OR '1'='1' --, the query in the CGI tier becomes

SELECT * FROM User WHERE UserId = '1' OR '1'='1' --' AND Password = '1111';

As '1'='1' is always true, the authentication step is bypassed. Many data filters are used to protect the database from malicious users, but there are many methods to bypass these filters. So an effective way is required to detect and prevent SQLIAs. There are various types of SQL injection attacks through which a malicious user can exploit a database [3], i.e.

i. Tautologies

ii. Piggy-Backed Queries

iii. Illegal Queries

iv. Union Query Based Attacks

v. Inference Based Attacks

vi. Alternate Encoding

vii. Stored Procedures
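
The tautology bypass described above, as an added example that is not from the paper or its prototype: a Python script with an in-memory SQLite table (constructed sample data, one admin row) builds the CGI-tier query by string concatenation exactly as described, shows the payload 1' OR '1'='1' -- returning the row with a wrong password, and then runs the same query with placeholder parameters, where the payload is compared as a literal string and returns nothing. Table and column names are assumed.

```python
import sqlite3

# Constructed sample table (not from the paper): one admin account.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (UserId TEXT, Password TEXT, Role TEXT)")
    conn.execute("INSERT INTO User VALUES ('1', 's3cret', 'admin')")
    conn.commit()
    return conn

def build_vulnerable_query(user_id, password):
    """The CGI-tier pattern from the text: form fields are concatenated into the
    SQL string, so a quote in user_id closes the literal and the remainder of the
    input is parsed as SQL (the '--' then comments out the password check)."""
    return ("SELECT * FROM User WHERE UserId = '" + user_id +
            "' AND Password = '" + password + "'")

def login_vulnerable(conn, user_id, password):
    return conn.execute(build_vulnerable_query(user_id, password)).fetchall()

def login_parameterized(conn, user_id, password):
    """Hardened form: placeholders make the driver pass the values out of band,
    so the payload is compared as a string and is never parsed as SQL."""
    sql = "SELECT * FROM User WHERE UserId = ? AND Password = ?"
    return conn.execute(sql, (user_id, password)).fetchall()

TAUTOLOGY = "1' OR '1'='1' --"   # the payload from the text

def demo():
    """Row counts returned for the tautology payload and for honest credentials."""
    conn = build_db()
    return {
        "vulnerable_with_payload": len(login_vulnerable(conn, TAUTOLOGY, "wrong")),
        "vulnerable_honest": len(login_vulnerable(conn, "1", "s3cret")),
        "parameterized_with_payload": len(login_parameterized(conn, TAUTOLOGY, "wrong")),
        "parameterized_honest": len(login_parameterized(conn, "1", "s3cret")),
    }

if __name__ == "__main__":
    print(build_vulnerable_query(TAUTOLOGY, "1111"))
    print(demo())
```

The concatenated string reproduces the query shown in the text; the vulnerable login returns the admin row for the payload with any password, while the parameterized login returns it only for the real credentials.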

III. EXISTING APPROACHES AND TOOLS FOR SQL INJECTION PREVENTION

Over the past few years, a lot of research work has been done on SQL injection attacks detection and prevention. In order to mitigate SQL Injection vulnerabilities there are various prevention techniques such as manual approach, static analysis, dynamic analysis, penetration testing, automatic testing etc. Below are some SQLIAs detection and prevention mechanisms proposed by various researchers:

Halfond and Orso proposed an approach [4], AMNESIA (Analysis and Monitoring for Neutralizing SQL Injection attacks). It is a fully automated technique for the detection and prevention of SQL injection attacks. The technique is divided into two phases, i.e. static analysis and runtime analysis. The first phase analyzes the web application code and automatically generates a SQL query model based on the possible legitimate queries; the second phase checks all dynamically generated queries and compares them with the model generated in the previous phase. If they do not match, a SQL injection attack is found. The disadvantages of this approach are that in many situations it generates many false positives and negatives, and web applications built in ASP and PHP can't use it.

Jin-Cherng Lin et al. suggested a technique [5] for mitigating malicious injection. This method consists of a testing framework and a sanitizing mechanism on a security gateway which is placed between the application server and the database. In this method an automatic mechanism for input data validation is designed using proper rules for validating attack input. By using this mechanism false positive and negative rates can be reduced, and it is more efficient than other traditional methods for input data handling.

Anyi Liu et al. proposed an architecture [6] for preventing SQLIAs. In this approach a SQL proxy based blocker, SQLProb, is developed for dynamic detection of undesirable user inputs. This method is completely modular and does not require any code changes on the client, server or database, as it uses a proxy to detect malicious inputs. SQLProb executes in two steps: the first is the data collection step, in which input data from the user is collected, and the second is query evaluation, in which the query is evaluated for malicious input and performance is measured. A prototype of SQLProb is developed on which attacks are performed. This method detects all the SQL injection attacks and is easily deployable in any enterprise environment.

Haixia and Zhihong proposed a scheme [7] for database security testing. In this scheme a testing model is developed for securing the database. The testing steps consist of setting up an attack rule library based on the injection patterns of hackers. Then the whole website is scanned to find vulnerable points. Test cases are generated based on the attack rule library and the vulnerable points. These test cases are used for testing and corresponding reports for the test cases are generated. This scheme detects SQL injection points efficiently, but it can only detect signature based SQL injection attacks.

Ruse et al. described an approach [8] which uses automatic test case generation. In this technique, for any input SQL query an automatic model is developed such that the model knows the dependencies between the various sub-queries. This method uses CREST (an automatic test generation tool) to identify attacks. The advantage of this technique is that it is based on the semantic structure of the query, whereas traditional techniques are based on syntactic structure, and it can also detect attacks in nested SQL queries. This technique also has a minimum number of false negatives and positives.

Halder and Cortesi proposed an approach [9] to detect SQL injection attacks in which the SQL query is obfuscated. This approach consists of three phases: static, dynamic and reconstruction of the original query. In the first phase SQL queries are replaced by obfuscated queries. In the second phase the obfuscated query is merged with the user inputs. After merging, a verifier checks this query to detect a SQL injection attack. If no SQL injection is found during the verification phase, then in the third phase the original query is reconstructed and submitted to the database.

Bisht et al. developed a tool [10], CANDID (Candidate Evaluation for Discovering Intent Dynamically), for the prevention of SQL injection attacks. This method dynamically mines the programmer-intended query structure to detect SQL injection attacks. This technique is scalable to most web applications, but it is difficult to make a set of legitimate inputs for larger web applications.

Pomeroy and Tan suggested a technique [11] for finding vulnerabilities in web applications, such as SQL injection attacks, by network recording. In this approach network forensic techniques and tools are used to analyze the network packets containing the GET and POST requests of a web application. This approach uses a network based Intrusion Detection System (IDS) to trigger network recording of suspected application attacks. The disadvantages of this approach are that it is difficult to record high volume traffic, and a packet fragmentation attack can also bypass it.

Wenguang et al. described a method [12] using database mining. In this method a data acquisition agent is used to store data in a local database. This data is then sent to a mining agent for preprocessing. Attack detection is done through an alarm evaluation model which creates an alarm for every attack detected. The proposed method is more efficient than a traditional intrusion detection system. The limitation of this approach is that improving its efficiency requires improving the data mining algorithms.

Balasundaram and Ramaraj described an approach [13] for SQL injection prevention in which they used the Advanced Encryption Standard (AES) and RSA. In this approach two levels of encryption are applied: the username and password are encrypted using symmetric key encryption with the secret key of the user, and the SQL query is encrypted using asymmetric key encryption with the public key of the server. Disadvantages: this approach is not useful against URL based SQL injection attacks, and it is very difficult to maintain a key for every user at both the client and server side.

Jeom-Goo Kim proposed an effective method [2] for SQL injection prevention. In this method a combination of static and dynamic analysis is used. The method uses a function which has the capability to detect attribute values of the static SQL query and of the queries generated at run time. An algorithm is proposed in which the attribute values of both static and dynamic queries are removed and the structures of both queries are compared with each other. If they have the same structure then there is no SQL injection. But in this approach developer learning and adjustment of source code are mandatory.

Avireddy et al. proposed an approach [14] based on a randomization algorithm to prevent SQL injection attacks. This approach consists of three phases, i.e. client side validation, the Random4 algorithm and a tool generating random keys for any input. Client side validation includes limiting the size of input, type checking and removal of special characters. The Random4 algorithm is used to convert input into cipher text, incorporating the concept of a cryptographic salt. In this approach four random values are considered for every character, and based on the next input character one of the random values is assigned to the character. The four random values for each character are stored in a look up table. Finally a tool is designed based on the Random4 look up table to encrypt input into cipher text. The limitations of this approach are the storage space used by the look up table and the inability to prevent all types of SQL injection.

Choudhary and Dhore developed a tool [15], CIDT (Code Injection Detection Tool), for the detection and prevention of code injection attacks. In this tool there are two modules: Query Detector and Script Detector. CIDT acts like a proxy between the user input and the web server. Any request coming from a user first goes to the query detector for validation. If any invalid character is found the request is not forwarded to the next module and is rejected. If the user input contains only valid characters then it is passed to the script detector, which filters invalid tags and encodes the input for forwarding to the server. This tool is implemented as a Windows .NET application in C#. The weakness of this approach is that it is unable to prevent stored procedure attacks.

Mittal and Jena suggested a technique [16] based on Bitslice AES encryption for the prevention and detection of SQL injection attacks. In this approach the processor is viewed as a SIMD computer, that is as 64 parallel one bit processors computing the instruction; it is based on the concept of parallel processing. In this technique a 128 bit binary key is generated using the first eight characters of the username and the first eight characters of the password. If the username or password is shorter than eight characters then 0's are appended to make the key 128 bits long, and encryption is done afterwards. This approach takes into consideration the three phases of a web application, that is the registration, login and search phases, and encrypts all the fields used in the conditional clause of the SQL query using Bitslice AES. With this technique it is possible to handle a large number of user requests, and it is also free from cache timing attacks and second order injections.

IV. PROPOSED DESIGN

In this section, we present a potent approach to the notorious SQL injection detection and prevention problem. In the proposed approach for securing a web application from SQL injection, two methodologies are combined to provide security and efficiency for web users. The first is client side input validation, achieved by applying static validation constraints on input fields such as the type of data and string length, and by ensuring that an input field does not bear any invalid characters. The second mechanism is identity based cryptography (IBC), which acts as another circle of defense. The proposed framework is shown in Fig. 2. The proposed approach can be decomposed into six modules:

FIG. 2. PROPOSED ARCHITECTURE (blocks shown: static analysis, pattern matching with a yes/no branch, input validation library, anomaly score comparator and AIRT module)

(i) Registration Module:

In this module a user registers for a specific web application by storing personal information like name, date of birth, password, email address, phone number and other details relevant to the application in the server database. To prevent SQLIAs, before storing this information in the database we apply identity based encryption to all the input data in the input fields of conditional clauses. The public key for cryptography is generated from the combination of the email address, i.e. the unique id of the individual user, and the password, or from the data of the input fields required to log in; i.e. a different key is generated at run time for every user based on the user's information.

(ii) User Interface Module:

In the user interface module a user has to enter a username and password. It is basically a graphical user interface for validating the user's information, as in Fig. 3. Client side validation is also done in this module based on the input validation library. If the input string contains any of the invalid characters, the intruder is taken to the anomaly score comparator and AIRT module; otherwise the data go to the IBC module.

(iii) IBC Module:

This module is used as the second line of defense against SQLIAs: if a new type of attack occurs or an attack bypasses input filtering, then with the aid of this module the data remain confidential. Here a key is again generated based on IBC and the login fields are encrypted with that key. After encryption the field values are compared with the values stored in the database; if they are the same a database connection is established, otherwise control goes to the attack analyzer module.

(iv) Attack Analyzer Module:

The fourth module is the attack analyzer module, which analyzes the attack based on the comparison of the IBC module output with the corresponding data stored in the database. If the data do not match, that login attempt is classified as an attack, the input validation library is updated and control goes to the anomaly score comparator and AIRT module.

TABLE I: REDIRECTION TABLE

RESPONSE REDIRECTION     ANOMALY SCORE
Alarm page               1-5
Email to admin           5-10
Block that IP address    More than 10

(v) Anomaly Score Comparator and AIRT Module:

This module maintains two tables: one records the anomaly score for each IP address, and the other is the redirection table, which redirects IP addresses to various pages based on their anomaly score as shown in Table I. Whenever control for a particular IP address reaches this module from any other module, the anomaly score recorded for that IP address is increased by one.
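
The login flow through modules (i) to (v), as an added example that is not part of the paper or its prototype: a Python sketch with an in-memory SQLite table, a constructed user and constructed client IP addresses. The paper names neither a concrete identity based cryptography scheme nor the contents of its input validation library or the rule by which the library is updated, so the following are assumptions: PBKDF2-HMAC-SHA256 keyed on the e-mail address and password stands in for the per-user key, HMAC-SHA256 for the "encryption" of the login fields, a short token list for the library, new forbidden characters learned from a failed login, and the shared boundaries of Table I read as 1-5, 6-10 and above 10. The hex-encoded field values can never carry SQL metacharacters into a query, but the block still uses placeholder parameters for every database call, since a deterministic keyed transform of the login fields is no substitute for parameterized queries.

```python
import hashlib
import hmac
import sqlite3
import string

# ---- Tier 1: input validation library (client side constraints of section IV) ----
# Assumed starting contents; the paper does not list its library.
INVALID_TOKENS = ["'", '"', ";", "--", "/*", "*/", "\\"]
LEARNED_TOKENS = set()          # extended at run time by the attack analyzer
MAX_LEN = {"username": 64, "password": 64}
USERNAME_ALPHABET = set(string.ascii_letters + string.digits + "._@+-")

def validate_field(field, value):
    """Static constraints: string type, length limit, no forbidden tokens."""
    if not isinstance(value, str) or not 0 < len(value) <= MAX_LEN[field]:
        return False
    forbidden = list(INVALID_TOKENS)
    if field == "username":
        forbidden += sorted(LEARNED_TOKENS)
    return not any(tok in value for tok in forbidden)

# ---- Tier 2: identity-derived key and keyed transform of the login fields ----
def identity_key(email, password):
    """Per-user key generated at run time from the identity (e-mail) and password.
    Assumption: PBKDF2-HMAC-SHA256 stands in for the IBC key generation step."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.encode(), 20_000)

def encrypt_field(key, value):
    """Deterministic keyed transform (HMAC-SHA256, assumed) so stored and entered
    values can be compared. The hex output contains only [0-9a-f], so it can never
    carry SQL metacharacters into a query."""
    return hmac.new(key, value.encode(), "sha256").hexdigest()

# ---- Registration module ----
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (Email TEXT PRIMARY KEY, Pwd TEXT)")
    return conn

def register(conn, email, password):
    key = identity_key(email, password)
    conn.execute("INSERT INTO User VALUES (?, ?)",
                 (encrypt_field(key, email), encrypt_field(key, password)))
    conn.commit()

# ---- Anomaly score comparator and redirection table (Table I) ----
ANOMALY_SCORE = {}      # IP address -> score

def redirect_for(score):
    """Table I reads 1-5 / 5-10 / more than 10; the shared boundaries are taken as
    1-5, 6-10 and >10 (assumption)."""
    if score > 10:
        return "block that IP address"
    if score > 5:
        return "email to admin"
    return "alarm page"

def record_anomaly(ip):
    """Every arrival at this module raises the IP's score by one and redirects."""
    ANOMALY_SCORE[ip] = ANOMALY_SCORE.get(ip, 0) + 1
    return redirect_for(ANOMALY_SCORE[ip])

# ---- Attack analyzer module ----
ATTACK_LOG = []

def analyze_attack(ip, username, category):
    """Logs the attempt and updates the validation library. Assumption: the paper
    gives no update rule; here every character outside the username alphabet in
    the offending input becomes a new forbidden token for that field."""
    ATTACK_LOG.append((ip, category))
    for ch in username:
        if ch not in USERNAME_ALPHABET:
            LEARNED_TOKENS.add(ch)

# ---- Login: user interface -> IBC module -> attack analyzer -> comparator ----
def login(conn, ip, username, password):
    """Returns (outcome, redirect); redirect is None on success."""
    if not (validate_field("username", username) and validate_field("password", password)):
        return "rejected by input validation", record_anomaly(ip)
    key = identity_key(username, password)
    row = conn.execute("SELECT Pwd FROM User WHERE Email = ?",
                       (encrypt_field(key, username),)).fetchone()
    if row is None or not hmac.compare_digest(row[0], encrypt_field(key, password)):
        analyze_attack(ip, username, "IBC comparison mismatch")
        return "rejected by IBC comparison", record_anomaly(ip)
    return "ok", None
```

A payload containing a quote or a comment sequence is stopped by the first tier; an input that slips past the token list (for example one using only spaces and "=") fails the second-tier comparison, is logged, and teaches the library the characters it used, so the same shape of input is refused at the first tier on the next attempt. Each rejection raises the client's anomaly score by one and picks the response from Table I.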

V. EXPERIMENTAL RESULTS

We implemented an approach for securing a web application from SQL injection by implementing a two tier defense, i.e. defense at the client as well as the server side. Our assumption for implementing the backend defense is that it increases security and detects new types of attacks so that preventive measures can be taken against them. The POST method is also used for sending data, to secure the web application from URL based attacks. The prototype web application is deliberately implemented with the weakest coding technique, and the proposed mechanism is applied to it for testing of results.

We experiment with our approach on a web application designed in the ASP.NET framework. The various attacks tested on this prototype application are as follows:

a.) Implementing attack through tautology
b.) Dropping tables from database
c.) Implementing URL based attacks
d.) Attacking through UNION queries
e.) Attacking through stored procedures

FIG. 3. USER INTERFACE (web application prototype login form with UserName and Password fields and a Login button)

Whenever attacks are detected, the IP address, attack score and attack category are stored in the database. The datasets for the web application not using the proposed approach and the web application using the proposed approach are collected, and a Chi Square test is performed on them for validation testing. The benefit of implementing the proposed technique in any web application is that there is no need for developer training or additional infrastructure. With the help of this approach it is also possible to detect new types of attacks.

VI. HYPOTHESIS TESTING

A non-parametric test, the chi square test (χ2), is used for hypothesis testing. It is a statistical hypothesis test for finding dependency between two types of data. Hypothesis tests are basically used to accept or reject an assumption about a certain dataset. We performed this test to show the importance of the technique. The dataset of this hypothesis testing is represented in the form of an R*C table. Generally two types of chi square test are mainly used, i.e.



i.) For Goodness of Fit: This test is performed in the case of nominal data, that is when our answer is in a yes or no format. In this type the observed and expected frequencies of a single attribute from the population are compared.

ii.) For Independence:

This test is performed when we have to compare frequencies of one classified variable with other from the same population to find association between them.

Table 2: Chi Square Dataset

Web Application              No. of Inputs   No. of Attacks   No. of False Positives and Negatives   Total
Without Proposed Approach    50              100              40                                     190
With Proposed Approach       65              10               5                                      80
Total                        115             110              45                                     270

The chi square test for independence is used here for finding association among the number of inputs, attacks, and false positives and negatives. The test is performed to determine the impact of the approach on web application attacks. Here H0 is the null hypothesis and H1 is the alternate hypothesis.

Table 3: Chi Square Test for Independence

                                      O_i    E_i    O_i - E_i   (O_i - E_i)^2   (O_i - E_i)^2 / E_i
Without Proposed Approach
  No. of Inputs                       50     81     -31         961             11.86
  No. of Attacks                      100    77     23          529             6.87
  False Positive and Negative Rate    40     32     8           64              2
With Proposed Approach
  No. of Inputs                       65     34     31          961             28.26
  No. of Attacks                      10     32     -22         484             15.12
  False Positive and Negative Rate    5      13     -8          64              4.92
Total                                                                           69.03

Step 1: Statement of Hypothesis
H0 = The proposed approach has no effect on web application attacks
H1 = The proposed approach reduces web application attacks

Step 2: Level of Significance
A significance value of 5% is chosen for testing. The degrees of freedom for the dataset are (r-1)(c-1), i.e. 2; the chi square value at significance level .05 and df 2 is 5.99 from the given table [17].

E_i = (row total × column total) / total

Here O_i is the observed frequency and E_i is the expected frequency. The calculated chi square value is 69.03, which is much greater than the value from the chi square table. Hence our test rejects the null hypothesis and accepts the alternate hypothesis, which means that web application attacks can be reduced using this technique.
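
The arithmetic of Table 3 carried through, as an added example that is not from the paper: Python computing the expected frequencies E_i = row total × column total / total from Table 2, the statistic, the degrees of freedom and the comparison against the 5% critical value. With exact expected counts the statistic is about 69.5; with expected counts rounded to whole numbers as Table 3 does it is about 70 (Table 3 carries 32 rather than 33 for the expected number of attacks with the approach, which is where its 69.03 comes from). Both exceed 5.99 by a wide margin, so the paper's conclusion does not depend on the rounding. The critical-value table is reduced to the standard entries for small df; the row and column labels are the paper's.

```python
# Observed frequencies from Table 2 (rows: web application without / with the
# proposed approach; columns in the paper's order).
COLUMNS = ["No. of Inputs", "No. of Attacks", "No. of False Positives and Negatives"]
OBSERVED = {
    "without": [50, 100, 40],
    "with": [65, 10, 5],
}

# Upper 5% points of the chi-square distribution for small df (standard table values).
CRITICAL_05 = {1: 3.84, 2: 5.99, 3: 7.81, 4: 9.49}

def expected_counts(observed, round_cells=False):
    """E_i = row total * column total / total for every cell of the R*C table."""
    rows = list(observed)
    ncol = len(observed[rows[0]])
    row_totals = {r: sum(observed[r]) for r in rows}
    col_totals = [sum(observed[r][j] for r in rows) for j in range(ncol)]
    total = sum(row_totals.values())
    expected = {}
    for r in rows:
        cells = [row_totals[r] * col_totals[j] / total for j in range(ncol)]
        expected[r] = [round(e) for e in cells] if round_cells else cells
    return expected

def chi_square(observed, round_cells=False):
    """Sum of (O_i - E_i)^2 / E_i over all cells."""
    expected = expected_counts(observed, round_cells)
    return sum((o - e) ** 2 / e
               for r in observed for o, e in zip(observed[r], expected[r]))

def degrees_of_freedom(observed):
    """(r - 1)(c - 1) for an r x c contingency table."""
    rows = list(observed)
    return (len(rows) - 1) * (len(observed[rows[0]]) - 1)

def independence_test(observed, critical=CRITICAL_05, round_cells=False):
    """Returns (statistic, df, reject_H0) at the 5% level."""
    stat = chi_square(observed, round_cells)
    df = degrees_of_freedom(observed)
    return stat, df, stat > critical[df]

if __name__ == "__main__":
    for rounding in (False, True):
        stat, df, reject = independence_test(OBSERVED, round_cells=rounding)
        print(f"rounded E: {rounding}  chi2 = {stat:.2f}  df = {df}  reject H0: {reject}")
```

One check worth keeping in mind when reading Table 2: the three columns are not mutually exclusive outcomes of one categorical variable, so the independence test here is best read as the paper's summary statistic for "before versus after" rather than as a textbook contingency analysis.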

Fig. 4. Comparative analysis: No. of Inputs, No. of Attacks, and False Positive and Negative Rate for the web application without and with the proposed approach (y-axis 0-100)

VII. CONCLUSION

In this paper, we present an efficient approach, i.e. a two tiered defense against SQLIAs, applying client side validation and identity based cryptography. If an attack is detected at the first tier then there is no need to go to the second tier. IBC is basically used for the confidentiality of data in case of a new attack. Despite the various approaches existing to prevent SQLIAs, SQL injection is still a major security threat as attackers invariably discover new vulnerabilities to attack. The proposed mechanism modifies its input validation library according to new kinds of attack and secures the web application from further exploitation. The efficiency is evaluated with the help of a prototype web application. In future we will try to integrate this approach with defenses against other types of web application attacks.

REFERENCES

[1] The Open Web Application Security Project, "Top Ten Most Critical Web Application Security Risks", https://www.owasp.org/index.php/SQL_Injection.



[2] Jeom-Goo Kim, "Injection Attack Detection using the Removal of SQL Query Attribute Values", 2011 International Conference on Information Science and Applications (ICISA), 26-29 April 2011.

[3] http://www.ijcem.org/papers/102011/ijcem_102011_19.pdf

[4] W. G. J. Halfond and A. Orso, "AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks", in Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, pp. 174-183, 15-21 May 2005.

[5] Jin-Cherng Lin , Jan-Min Chen , Cheng-Hsiung Liu , "An Automatic Mechanism For Sanitizing Malicious Injection", IEEE 9th International Conference For Young Computer Scientists, pp 1470-1475, 18-21 Nov. 2008.

[6] Anyi Liu, Yi Yuan, "SQLProb: A Proxy-based Architecture towards Preventing SQL Injection Attacks", ACM, pp. 2054-2061, March 2009.

[7] Yang Haixia and Nan Zhihong, "A Database Security Testing Scheme of Web Application", IEEE 4th International Conference on Computer Science and Education, pp. 953-955, 25-28 July 2009.

[8] M. Ruse, T. Sarkar and S. Basu, "Analysis & Detection of SQL Injection Vulnerabilities via Automatic Test Case Generation of Programs", 10th Annual International Symposium on Applications and the Internet, pp. 31-37, 19-23 July 2010.

[9] Raju Halder and Agostino Cortesi, "Obfuscation-based Analysis of SQL Injection Attacks", IEEE Symposium on Computers and Communications, pp. 931-938, 22-25 June 2010.

[10] P. Bisht, P. Madhusudan and V. N. Venkatakrishnan, "CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks", ACM Trans. Inf. Syst. Secur., pp. 1-39, 2010.

[11] A. Pomeroy and Qing Tan (Sch. of Comput. & Inf. Syst., Athabasca Univ., Athabasca, AB, Canada), "Effective SQL Injection Attack Reconstruction Using Network Recording", in Computer and Information Technology (CIT), 2011 IEEE 11th International Conference, pp. 552-556, 31 Aug.-2 Sept. 2011.

[12] Chai Wenguang, Tan Chunhui, Duan Yuting, "Research of Intelligent Intrusion Detection System Based on Web Data Mining Technology", IEEE 4th International Conference on Business Intelligence and Financial Engineering, pp. 14-17, 17-18 Oct. 2011.

[13] Indrani Balasundaram, E. Ramaraj, "An Authentication Scheme for Preventing SQL Injection Attack Using Hybrid Encryption (PSQLI-HBE)", ISSN 1450-216X, Vol. 53, No. 3, pp. 359-368, 2011.

[14] Srinivas Avireddy, Varalakshmi Perumal, Narayan Gowraj, Ram Srivatsa Kannan, Prashanth Thinakaran, Sundaravadanam Ganapathi, Jashwant Raj Gunasekaran, Sruthi Prabhu, "Random4: An Application Specific Randomized Encryption Algorithm to Prevent SQL Injection", IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1327-1333, 25-27 June 2012.

[15] Atul S. Choudhary And M.L Dhore, "CIDT: Detection Of Malicious Code Injection Attacks On Web Application", International Journal Of Computing Applications Volume-52-NO.2, pp. 19-25, August 2012.

[16] Piyush Mittal, Sanjay Kumar Jena, "A Fast and Secure Way to Prevent SQL Injection Attacks", Proc. of 2013 IEEE Conference on Information and Communication Technologies (ICT 2013), pp. 730-734, 11-12 April 2013.

[17] http://www.unc.edu/~farkouh/useful/chi.html
