Analysis of SQL injection prevention using a proxy server
By: David Rowe
Supervisor: Barry Irwin
Presentation Outline
• Introduction to the problem (SQL injection)
• Motivation for the project (example)
• Block diagram of work focus
• Current status
• Timeline
• Concluding remarks
• Questions
SQL injection
• SQL Injection is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database.
• An attacker is able to insert a series of SQL statements into a 'query' by manipulating data input.
SQL injection
Example
Vulnerable web page
• In ASP, a critical vulnerability is the way in which the query string is created.
• Example:

    var SQL = "select * from users where username = '" + username +
              "' and password = '" + password + "'";
Example
• Username: ';drop table users--
• The 'users' table will be deleted, denying access to the application for all users
• Query executed: select * from users where username = '';drop table users-- (the rest of the statement is commented out)
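An added example, not from the talk or its author, written in Python with sqlite3 standing in for the SQL Server behind the ASP page: it rebuilds the concatenated query with the username from the slide, then shows the parameterised form treating the same input as plain data. The table layout, the 'alice' account and the password values are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the talk's 'users' table (assumption: two text columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('alice', 'secret')")
    conn.commit()
    return conn


def build_query_unsafe(username, password):
    """Same construction as the ASP line on the slide: user input is spliced into the SQL text."""
    return ("select * from users where username = '" + username
            + "' and password = '" + password + "'")


def login_safe(conn, username, password):
    """Parameterised form: the SQL text is fixed; the values travel separately as data,
    so quotes, semicolons and comment markers in the input never reach the parser as SQL."""
    cur = conn.execute(
        "select * from users where username = ? and password = ?",
        (username, password))
    return cur.fetchone() is not None


def table_exists(conn, name):
    cur = conn.execute(
        "select 1 from sqlite_master where type = 'table' and name = ?", (name,))
    return cur.fetchone() is not None


PAYLOAD = "';drop table users--"   # the username from the slide

if __name__ == "__main__":
    conn = make_db()
    # What the concatenating page hands to the server: the login query is closed off early,
    # a second statement follows, and the original password check is commented out.
    print(build_query_unsafe(PAYLOAD, "x"))
    # With parameters the same input is just an (unmatched) username.
    print("login:", login_safe(conn, PAYLOAD, "x"))
    print("users table still present:", table_exists(conn, "users"))
    print("normal login:", login_safe(conn, "alice", "secret"))
```

The point of the comparison is that the proxy filter described later is a second line of defence; the page-level fix is to stop building SQL text out of request parameters at all.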
Example
Implementation Steps
• Analyse the structure of SQL query commands
• Build a filter that will check allowable patterns of SQL statements
• Create a proxy server that will filter SQL commands
• Prevent a SQL injection attack on a database using this proxy server
• Prove that SQL injection can be prevented using the filter developed to work on the proxy server
• Produce a list of best practices for
  – Web design
  – Database administration
Current Status
• Working proxy server
  – Extracts the SQL from a TDS packet
  – Prevents SQL injection attacks
    • White list
    • Black list
    • Gray list
  – Logs
    • Extracted SQL queries
    • Halted SQL
• Work in progress:
  – Benchmarking
  – Error reporting to database administrator
  – Project write up
Results - Filter
• diagrams; : ;
• Sql injection attempt with: "diagrams; in design - in this section we design the class diagrams; this is because the class"
• Found with search signature: ;
• found match using black list
• by : by
• Sql injection attempt with: "by in diagrams define the data structure required by an application. We also look at"
• Found with search signature: by
• found match using white list, so this query is safe
• Query Count: 950
• bad query count: 150
• took 45.4673 seconds
• average time to process a query: 0.0478603 seconds
Performance issues
• Advantages
  – Independent of flaws in application coding and database privileges
  – Separate server with real time analysis
• Disadvantages
  – False positives: legitimate queries can also be filtered out
  – Won't work if data is encrypted
  – May turn out to be resource intensive
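An added example, not the project's proxy code, sketching in Python the filter stage of the proxy described on the Current Status and Results slides: queries already extracted from TDS packets are checked against a black list of search signatures, a white list of known-good query shapes, and a gray list for anything unknown, with the log lines and the batch summary (query count, bad query count, time taken, average per query) the Results slide reports. The list contents and the sample traffic are constructed; the talk does not publish its lists, so the signatures are seeded from the ones visible on the Results slide. The second classifier goes one step beyond the talk: it strips string literals before looking for signatures, which removes the "diagrams;" style false positive listed under Disadvantages.

```python
import re
import time

# Constructed lists (assumption: illustrative entries, seeded from the Results slide).
BLACK_LIST = [r";", r"--", r"\bdrop\s+table\b"]      # search signatures, as regexes
WHITE_LIST = {                                      # known-good query shapes
    "select * from users where username = ? and password = ?",
    "select title from documents where body like ?",
}

# Single-quoted SQL string literals (with '' escapes) and bare numbers.
LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")


def fingerprint(sql):
    """Replace literals with '?' and normalise whitespace and case, keeping only the query shape."""
    return re.sub(r"\s+", " ", LITERAL.sub("?", sql)).strip().lower()


def find_signature(text):
    """First black-list signature found in text, or None."""
    for sig in BLACK_LIST:
        if re.search(sig, text, re.IGNORECASE):
            return sig
    return None


def classify_naive(sql):
    """Order shown on the Results slide: signatures are searched in the raw query text first."""
    sig = find_signature(sql)
    if sig is not None:
        return "black", sig
    fp = fingerprint(sql)
    return ("white", fp) if fp in WHITE_LIST else ("gray", fp)


def classify_structural(sql):
    """Variant: a ';' inside quoted data is not a signature hit, because literals are
    removed before the search. Injected input that breaks out of its quotes still changes
    the shape, so it never matches the white list and its stray ';' or '--' is still seen."""
    fp = fingerprint(sql)
    if fp in WHITE_LIST:
        return "white", fp
    sig = find_signature(fp)
    if sig is not None:
        return "black", sig
    return "gray", fp


def log_line(sql, verdict, detail):
    """Log entries in the style of the Results slide."""
    if verdict == "black":
        return f'Sql injection attempt with: "{sql}" - found with search signature: {detail} (black list)'
    if verdict == "white":
        return f"found match using white list, so this query is safe: {detail}"
    return f"gray list - unknown query shape, logged for DBA review: {detail}"


def run_filter(queries, classify=classify_naive):
    """Filter a batch and return the verdicts plus the summary figures the talk reports."""
    start = time.perf_counter()
    results = [(q, *classify(q)) for q in queries]
    took = time.perf_counter() - start
    bad = sum(1 for _, verdict, _ in results if verdict == "black")
    return {
        "results": results,
        "query_count": len(queries),
        "bad_query_count": bad,
        "took": took,
        "average": took / len(queries) if queries else 0.0,
    }


# Constructed sample traffic, as the proxy would have pulled it out of TDS packets.
SAMPLE_QUERIES = [
    "select * from users where username = 'alice' and password = 'secret'",
    # the injected login from the talk's example
    "select * from users where username = '';drop table users--' and password = 'x'",
    # legitimate search whose text happens to contain ';' (the talk's false positive)
    "select title from documents where body like '%diagrams; in design%'",
    # a query shape the proxy has never seen
    "select count(*) from audit_log",
]

if __name__ == "__main__":
    for name, fn in (("naive", classify_naive), ("structural", classify_structural)):
        summary = run_filter(SAMPLE_QUERIES, fn)
        print(f"--- {name}: {summary['bad_query_count']} of {summary['query_count']} queries halted, "
              f"average {summary['average']:.6f} s per query")
        for sql, verdict, detail in summary["results"]:
            print(log_line(sql, verdict, detail))
```

Run it and the naive order halts two of the four queries, the legitimate "diagrams;" search among them, while the structural order halts only the injected login and passes the search as a white-list match. The gray verdict is where the "error reporting to database administrator" item under work in progress would hook in: an unknown shape is not necessarily an attack, but it is the one case a signature list cannot decide.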
Timeline
• First semester:
  – Project proposal
  – Presentation 1
  – Literature survey
  – Project website and Honours Blog
  – Design and implementation
• Second semester:
  – Benchmarking
  – Final write up
    • Thesis
    • Short paper
  – Project poster
Questions