DOCSLIB.ORG

SQL Injection Attack Detection and Prevention Techniques Using Machine Learning

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
SQL Injection Attack Detection and Prevention Techniques Using Machine Learning International Journal of Applied Engineering Research ISSN 0973-4562 Volume 15, Number 6 (2020) pp. 569-580 ©Research India Publications. http://www.ripublication.com SQL Injection Attack Detection and Prevention Techniques Using Machine Learning Ines Jemal1, Omar Cheikhrouhou2, Habib Hamam3 and Adel Mahfoudhi4 1University of Sfax, ENIS, CES, LR11ES49, 3038 Sfax, Tunisia. E-mail: [email protected] 2University of Sfax, ENIS, CES, LR11ES49, 3038 Sfax, Tunisia. University of Mounastir, ISIMA, Mahdia, Tunisia. E-mail: [email protected] 3Faculty of Engineering, University of Moncton, NB, E1A 3E9, Canada. E-mail: [email protected] 4University of Sfax, ENIS, CES, LR11ES49, 3038 Sfax, Tunisia. E-mail: [email protected] Abstract to retrieve information selected by the users. Interaction Web application attacks are incessantly increasing in number with these users are generally achieved through forms and and in severity. The big data available on the internet cookies. Hackers try to exploit this characteristic by injecting motivates hackers to launch new kind of attacks. In this malicious code into these user inputs that will be used later context, intensive research on web application security have to construct the SQL queries. Improper validation of the been conducted. The most dangerous attack that target web user inputs can lead to the success of the SQLI attack and, applications is the Structured Query Language Injection therefore, can have catastrophic consequences such as the (SQLI). This attack represents a serious threat to the web deletion of the database or the gathering of sensitive and applications. Several research works have been conducted confidential data of the web application clients. to mitigate this attack either by preventing it from an early Due to its sensitive impact, several works have addressed the stage or detecting it when it occurs. In this paper, we present SQLI attack. Some of these works try only to detect the SQLI an overview of the SQL injection attack and a classification once occurred. Other works try to prevent it before occurring. of the newly proposed detection and prevention solutions. Although, several techniques are proposed to fight against We classify the different attack sources, goals, and types. SQLI attack, none of these solutions have addressed the full Moreover, we discuss and classify the most important and scope of the attack. Therefore, there is no solutions that can recent proposed solutions to mitigate this attack especially prevent or detect all the different types of the SQLI attack. those based on ontology and machine learning. Recently, researchers try to benefit from the machine learning techniques to propose more sophisticated solutions. Keywords: SQL injection, Web security, Ontology, Machine In this paper, we present a survey on the SQL injection Learning. attacks. We present the main attack sources, types and goals. Moreover, the main proposed solutions that address this attack were discussed and compared. I. INTRODUCTION The main contributions of this paper are as follows: The increase in the development and spread of the web applications has also lead to an increase in the number and 1) An overview of the SQLI attack was presented. The severity of the web attacks. According to Statista [1], in 2018, different attack sources, goals and types are described 953 thousand web attacks were blocked on a daily basis, and discussed. up from 611 thousand daily blocked attacks in the previous 2) A classification of the different SQLI attack detection year. According to the Open Web Application Security Project and prevention countermeasures are presented and (OWASP) [2], the injection vulnerability continues to be the discussed. most found vulnerability in web applications. 3) A comparative table between the different proposed The Structured Query Language Injection (SQLI) attack is SQLI attack countermeasures was presented. considered as the most dangerous attacks of the injection 4) Newly proposed solutions, such as those based on category because it compromises the main security services: ontology and machine learning, are described and confidentiality, authentication, authorization and integrity [3]. discussed. Roughly speaking, SQLI attack consists in injecting The remainder of this paper is as following. In Section II, (inserting) malicious SQL commands into input forms or we present a description of the SQLI attack by enumerating queries to get access to a database or manipulate its data its possible sources, goals and types. Then, in Section III (e.g. send the database contents to the attacker, modify or we classify the different existing countermeasures that was delete the database content, etc.) [4], [5]. proposed to either detect or prevent the SQLI attack. Finally, Indeed, today, most of the web applications use a back-end we give a discussion about the presented solutions and we database to store data collected from the users and/or conclude the paper. 569 International Journal of Applied Engineering Research ISSN 0973-4562 Volume 15, Number 6 (2020) pp. 569-580 ©Research India Publications. http://www.ripublication.com II. SQLI ATTACK OVERVIEW In this section, we present a general overview of the SQLI attack. We start by discussing the SQLI sources, then classify their goals and types. Table I classifies and summarizes the main ideas and points discussed in this section. A. SQLI Attack Sources Fig. 1: verbose error message SQL injection vulnerabilities may be found in any application parameter that can be used in a database query. The authors UPDATE users SET password=”newpwd” in [6] cited four sources, through which the SQL Injection WHERE userName= ”admin” - - ” AND Attack (SQLIA) can start. These sources are user input, password=”oldpwd” cookies, server variables and stored injection. • Injection through user input: Web applications, Because ”- -” is the SQL comment operator, everything generally, use forms to collect data from users (such as after it is ignored, the result of this query is that registration, login, etc.) or to permit users to specify the the database changes the password of the administrator data to be retrieved (such as search, adapted view, etc.). (“admin”) to an attacker-specified value. These forms containing ”text field” could be exploited by attackers to inject malicious code, which results in B. SQLI Attack Goals gaining an indented data (retrieve secret data, etc.) or Hackers can have different intend and goals for launching the making an indented actions (manipulate database, etc.). SQLI attack. The main SQLI attack goals are: Common fields are Login Name, Password, Address, • Identifying injectable parameters: As a first step, Phone Number, Credit Card Number, and Search. hackers try to identify which parameters could be used to • Injection through cookies: Recent web applications inject malicious code. These parameters could be present use cookies to store users preferences. Cookies are in one of the sources described in Subsection II-A. More files stored on the client machine, which contain state precisely, these parameter could be a ”username” field information generated by the web applications. An in a form, a ”card number” in a cookie, etc. An attacker attacker could embed malicious code into the cookies can modify the logic of the statement by injecting SQL contents stored in his computer, and therefore, putting code, so that when executed it performs another action. web application using the cookies contents to build SQL For example, injecting a single quote that is used in queries vulnerable to attacks [7]. SQL to delimit the start or end of a string value could • Injection through server variables : Server variables disrupt the pairing of string delimiters and generate an are a set of parameters that contain network headers, application error, indicating a potential vulnerability to HTTP metadata, and environmental variables. Generally, SQL injection. web applications use these server variables for auditing • Performing database fingerprinting: To construct a usage statistics and identifying browsing trends. If these query format supported by the target database engine, variables are stored to a database without validation, the attacker needs to know the database finger-print. attackers can exploit this vulnerability by placing an Database finger-print is the information that identifies SQLIA directly into the server variables. a precise type and edition of a database system. • Stored injection: In stored injection (called also Each database system uses a different proprietary SQL second-order injection), attackers embed malicious language syntax. For example, Microsoft SQL server inputs into a database to indirectly launch an SQLIA uses T-SQL while Oracle SQL server uses PL/SQL. each time that input is used. The following code, shows As a consequence, the attacker must first find out an example of second-order SQL injection. In this the type and version of the database used in a web example, the attacker as a normal user of the website, application, and then craft malicious SQL input for that firstly registers to the application with a seeded username database. Moreover, default vulnerability associated with like ”admin’- -”. Then, the attacker will try to change that version of database can be exploited by attackers. his password. The SQL query to change a user password • Determining database schema: To successfully extract has generally the following form: data from a database, the attacker needs to know the queryString=”UPDATE users SET password=’” database schema information, such as table names, + newPassword +”’ WHERE userName=’” + column number and names, and column data types. The userName + ”’ AND password=’” +oldPassword database schema is used by hackers to create an accurate + ”’” consequent attack with the purpose of extract or modify data from database. Figure 1 presents an error message Assume that newPassword and oldPassword returned by the database system that shows different are “newpwd” and “oldpwd”, which are information related to the database schema (such as chosen by the attacker, the query that will number and name of columns) and system (such as be sent to the database is the following: ODBC).
Load more

Recommended publications
  • ITEE Journal
    Volume 3, Issue 6 ISSN: - 2306-708X December 201 4 ITEE Jo urnal Information Technology & Electrical Engineering ©2012-14 International Journal of Information Technology and Electrical Engineering Malware Contaminated Website Detection by Scanning Page Links 1 Mehdi Dadkhah, 2 Amin Dadkhah, 3 Jie Deng 1 Lecturer of Tiran Branch, Islamic Azad University, Isfahan, Iran. 2 Student of Tiran Branch, Islamic Azad University, Isfahan, Iran. 3 Queen Mary University London, London, UK. E-mail: [email protected], [email protected], 3 [email protected] ABSTRACT With increasing growth of communication networks, social interactions and financial transactions have been migrate to virtual environments. Internet is one of the most substantial platform for most people's social interactions and transactions. However, the notable challenge in online transactions is security in cyber environments and to understand the hazards accompanied with this communication platform. Because of the increased use of Internet and virtual environments in daily affairs such as financial transactions, this platform has become the focus of attackers and swindlers, for example the stealing of users' passwords. In this paper, we introduce main methods which attackers use to contaminate websites by malware. Even though several articles have been written on the subject, our main goal is introducing the advanced type of these frauds conducted by professional attackers which includes contaminating websites by any kind of malware like using phishing attacks, security vulnerability in web, social engineering and click hijacking. Finally we present our approach for confronting frauds conducted by installing spyware by contaminated websites attack and malware behavior. Keywords: Online fraud, cyber environment, phishing, web vulnerability, spyware.
    [Show full text]
  • Protecting Against the Top 5 Attack Vectors Stay Secure from the Most Common Threats Seen by Arctic Wolf’S Security Team
    Protecting Against the Top 5 Attack Vectors Stay secure from the most common threats seen by Arctic Wolf’s security team ©2019 Arctic Wolf Networks, Inc. All rights reserved. | Public PERSONAL | PREDICTABLE | PROTECTION CONTENTS Major Cyberattacks in the News ......................................................................................................................................3 The Top 5 Attack Vectors ...................................................................................................................................................4 The Cyber Kill Chain .............................................................................................................................................................7 Protecting Against the Top 5 Attacks Malware/Ransomware ....................................................................................................................................8 Phishing Attack ...................................................................................................................................................9 PUP/Adware ..................................................................................................................................................... 10 Account Hijacking ........................................................................................................................................... 11 Unpatched/Outdated Software .................................................................................................................
    [Show full text]
  • Introduction to Measurements & Error Analysis
    Introduction to Measurements & Error Analysis The Uncertainty of Measurements Some numerical statements are exact: Mary has 3 brothers, and 2 + 2 = 4. However, all measurements have some degree of uncertainty that may come from a variety of sources. The process of evaluating this uncertainty associated with a measurement result is often called uncertainty analysis or error analysis. The complete statement of a measured value should include an estimate of the level of confidence associated with the value. Properly reporting an experimental result along with its uncertainty allows other people to make judgments about the quality of the experiment, and it facilitates meaningful comparisons with other similar values or a theoretical prediction. Without an uncertainty estimate, it is impossible to answer the basic scientific question: “Does my result agree with a theoretical prediction or results from other experiments?” This question is fundamental for deciding if a scientific hypothesis is confirmed or refuted. When we make a measurement, we generally assume that some exact or true value exists based on how we define what is being measured. While we may never know this true value exactly, we attempt to find this ideal quantity to the best of our ability with the time and resources available. As we make measurements by different methods, or even when making multiple measurements using the same method, we may obtain slightly different results. So how do we report our findings for our best estimate of this elusive true value? The most common way to show the range of values that we believe includes the true value is: measurement = best estimate ± uncertainty (units) Let’s take an example.
    [Show full text]
  • SQL Injection Authored By: Stephanie Reetz, SOC Analyst
    TLP: WHITE Technical White Paper January 2013 SQL Injection Authored by: Stephanie Reetz, SOC Analyst INTRODUCTION Web applications are everywhere on the Internet. Almost everything you do online is done through a web application whether you know it or not. They come in the form of web-based email, forums, bulletin boards, bill payment, recruitment systems, health benefit and payroll systems. It is important to understand that these types of websites are all database driven. Databases are an essential element of web applications because they are able to store user preferences, personal identifiable information, and other sensitive user information Web applications interact with databases to dynamically build customized content for each user. The web application communicates with the database using Structured Query Language (SQL). SQL is a programming language for managing databases that allows you to read and manipulate data in MySQL, SQL Server, Access, Oracle, DB2, and other database systems. The relationship between the web application and the database is commonly abused by attackers through SQL injection. SQL injection is a type of injection attack in which SQL commands are supplied in user-input variables, such as a web form entry field, in an attempt to trick the web application into executing the attacker's code on the database. SQL injection was one of the primary attack vectors responsible for many of 2011’s high profile compromises including Sony Pictures, HBGary, and PBS. It was also responsible for the more recent Adobe data breach in which names, email addresses, and password hashes were stolen from one of their customer databases.
    [Show full text]
  • Blindfolded SQL Injection
    Blindfolded SQL Injection Written By: Ofer Maor Amichai Shulman Table of Contents Overview ......................................................................................................................3 Identifying Injections ................................................................................................5 Recognizing Errors ...........................................................................................................................5 Locating Errors............................................................................................................................... ...6 Identifying SQL Injection Vulnerable Parameters ........................................................................6 Performing the Injection ..........................................................................................8 Getting the Syntax Right..................................................................................................................8 Identifying the Database ..................................................................................................................9 Exploiting the Injection ...................................................................................................................10 UNION SELECT Injections ....................................................................................11 Counting the Columns....................................................................................................................11 Identifying Columns Types
    [Show full text]
  • Software Testing
    Software Testing PURPOSE OF TESTING CONTENTS I. Software Testing Background II. Software Error Case Studies 1. Disney Lion King 2. Intel Pentium Floating Point Division Bug 3. NASA Mars Polar Lander 4. Patriot Missile Defense System 5. Y2K Bug III. What is Bug? 1. Terms for Software Failure 2. Software Bug: A Formal Definition 3. Why do Bugs occur? and cost of bug. 4. What exactly does a Software Tester do? 5. What makes a good Software Tester? IV. Software Development Process 1. Product Components 2. What Effort Goes into a Software Product? 3. What parts make up a Software Product? 4. Software Project Staff V. Software Development Lifecycle Models 1. Big Bang Model 2. Code and Fix Model 3. Waterfall Model 4. Spiral Model VI. The Realities of Software Testing VII. Software Testing Terms and Definition 1. Precision and Accuracy 2. Verification and Validation 3. Quality Assurance and Quality Control Anuradha Bhatia Software Testing I. Software Testing Background 1. Software is a set of instructions to perform some task. 2. Software is used in many applications of the real world. 3. Some of the examples are Application software, such as word processors, firmware in an embedded system, middleware, which controls and co-ordinates distributed systems, system software such as operating systems, video games, and websites. 4. All of these applications need to run without any error and provide a quality service to the user of the application. 5. The software has to be tested for its accurate and correct working. Software Testing: Testing can be defined in simple words as “Performing Verification and Validation of the Software Product” for its correctness and accuracy of working.
    [Show full text]
  • Breathe London-NPL-Statistical Methods for Characterisation Of
    Statistical methods for performance characterisation of lower-cost sensors J D Hayward, A Forbes, N A Martin, S Bell, G Coppin, G Garcia and D Fryer 1.1 Introduction This appendix summarises the progress of employing the Breathe London monitoring data together with regulated reference measurements to investigate the application of machine learning tools to extract information with a view to quantifying measurement uncertainty. The Breathe London project generates substantial data from the instrumentation deployed, and the analysis requires a comparison against the established reference methods. The first task was to develop programs to extract the various datasets being employed from different providers and to store them in a stan- dardised format for further processing. This data curation allowed us to audit the data, establishing errors in the AQMesh data and the AirView cars as well as monitor any variances in the data sets caused by conditions such as fog/extreme temperatures. This includes writing a program to parse the raw AirView data files from the high quality refer- ence grade instruments installed in the mobile platforms (Google AirView cars), programs to commu- nicate with and download data from the Applications Program Interfaces (APIs) provided by both Air Monitors (AQMesh sensor systems) and Imperial College London (formerly King’s College London) (London Air Quality Network), and a program that automatically downloads CSV files from the DE- FRA website, which contains the air quality data from the Automatic Urban Rural Network (AURN). This part of the development has had to overcome significant challenges including the accommo- dation of different pollutant concentration units from the different database sources, different file formats, and the incorporation of data flags to describe the data ratification status.
    [Show full text]
  • EXPERIMENTAL METHOD Linear Dimension, Weight and Density
    UNIVERSITI TEKNIKAL No Dokumen: No. Isu/Tarikh: MALAYSIA MELAKA SB/MTU/T1/BMCU1022/1 4/06-07-2009 EXPERIMENTAL METHOD No. Semakan/Tarikh Jumlah Muka Surat Linear Dimension, Weight and Density 4/09-09-2009 4 OBJECTIVE Investigation of different types of equipment for linear dimension measurements and to study measurement accuracy and precision using commonly used measuring equipments. LEARNING OUTCOME At the end of this laboratory session, students should be able to 1. Identify various dimensional measuring equipments commonly used in a basic engineering laboratory. 2. Apply dimensional measuring equipments to measure various objects accurately. 3. Compare the measured data measured using different measuring equipments. 4. Determine the measured dimensional difference using different equipments correctly. 5. Answer basic questions related to the made measurement correctly. 6. Present the measured data in form of report writing according to the normal technical report standard and make clear conclusions of the undertaken tasks. THEORY Basic physical quantity is referred to a quantity which is measurable such as weight, length and time. These quantities could be combined and formed what one called the derived quantities. Some of the examples of derived quantities include parameter such as area, volume, density, velocity, force and many others. Measurement is a comparison process between standard quantities (true value) with measured quantity. Measurement apparatus complete with unit and dimension must be used in order to make a good and correct measurement. Accuracy means how close the measured value to the standard (true) value. Precision of measurement refers to repeatable values of the measurement and the results showed that its uncertainty is of the lowest degree.
    [Show full text]
  • Choosing a WCM That Strengthens Your Cybersecurity Strategy
    CHOOSING A WCM THAT STRENGTHENS (NOT WEAKENS) YOUR CYBERSECURIT Y STRATEGY Find out what Web Content Management system features are critical in an evolving cyber threat landscape. CONTENTS 1. Introduction: A New World of Cybercrime 2. The Role of Your WCM When It Comes to Security 3. The Threat of Crippling DDoS attacks 4. Vulnerability Exploits 5. Raising Your WCM defenses - 6. What to Look for in a Secure WCM 7. Summary CHOOSING A WCM THAT STRENGTHENS (NOT WEAKENS) YOUR CYBERSECURITY STRATEGY 02 INTRODUCTION: A NEW WORLD OF CYBERCRIME On Friday, May 12, 2017, the WannaCry ransomware cryptoworm first reared its ugly head, and within 24 hours had infected over 230,000 computers in over 150 coun- tries. Britain's National Health Service (NHS), Spain's Telefónica, FedEx and Deutsche Bahn were hit, as well as many other nations and companies around the world, in what became one of the biggest cybercrime exploits in history. WannaCry is only the latest tip of the cyber threat iceberg to break the surface. According to just one cybersecurity firm, ThreatMetrix, they detected 130 million online fraud attacks alone in the first quarter of 2017, up 23% from the same period the year before. (Source: "Cybercrime: US Tops Priority, Europe Tops Production" Security Intelligence) The sophistication and proliferation of cyber threats – viruses, ransomware, DDoS attacks and more – has grown startlingly, fueled by malice, political machinations or greed, with actual “cybercriminal web stores” sprouting up where criminals buy and sell credit card data and other stolen personal information, according to security researchers. (Source: Palmer, Danny, "Super-expensive Ransomware Linked to Online Cybercrime Market, Say Security Researchers" ZDNet) Other sobering stats about the rise of various types of cybercrime? 97% of web applications contain at least one vulnerability.
    [Show full text]
  • SQL Injection Attack, Attackers Exploit Web Application Vulnerability in Order to Access the Organization’S Data in an Unauthorized Manner
    January 2013 Hacker Intelligence Initiative, Monthly Trend Report #15 Lessons Learned From the Yahoo! Hack How SQL Injection Vulnerabilities in Third-Party Code Can Make for Security Cloudy 1. Executive Summary On December 2012, an Egyptian hacker who calls himself ViruS_HimA, claimed to have breached Yahoo!’s security systems and acquired full access to certain Yahoo! databases, leading to full access on the server for that domain. Technically, we found that the hacker was able to determine the allegedly vulnerable Yahoo! application and the exact attack method – error message based SQL injection for the MSSQL (Microsoft SQL Server) database (DB). From a business perspective, this attack underscores the security problem posed by hosting third-party code – as is often done with cloud-based services. In fact, according to a survey from PricewaterhouseCoopers, 23.6% of respondents say that cloud computing has increased vulnerabilities, and the largest perceived risk is the uncertain ability to enforce provider security policies.1 In the Yahoo! incident, the vulnerable application was probably not coded by the Yahoo! team, and not even hosted on Yahoo!’s server farm. This left Yahoo! with full responsibility for securing the application on one hand, and a very limited capability to actually control the code, on the other hand. This episode underscores technical and business urgencies: Technically, security teams should: › Protect third-party Web applications against SQL injection and other Web attacks: Incorporate security into the software development life cycle, perform penetration tests and vulnerability assessments on the application, and deploy the application behind a Web Application Firewall (WAF). › Harden your system: When the application is promoted from development to production, the system configuration must be hardened to disable any irrelevant parts that may help the attacker.
    [Show full text]
  • Preventing SQL Injections in Online Applications: Study, Recommendations and Java Solution Prototype Based on the SQL DOM
    Preventing SQL Injections in Online Applications: Study, Recommendations and Java Solution Prototype Based on the SQL DOM Etienne Janot, Pavol Zavarsky Concordia University College of Alberta, Department of Information Systems Security, 7128 Ada Boulevard, Edmonton, AB, T5B 4E4, Canada [email protected], [email protected] Abstract. SQL Injection Attacks are a relatively recent threat to the confidentiality, integrity and availability of online applications and their technical infrastructure, accounting for nearly a fourth of web vulnerabilities [1]. In this paper based on a master thesis [2], and numerous references therein, we present our study on the prevention of SQL Injections: overview of proposed approaches and existing solutions, and recommendations on preventive coding techniques for Java-powered web applications and other environments. Then, we review McClure’s SQL DOM [3] approach for the prevention of SQL Injections in object-oriented applications. We also present our solution for Java-based online applications, SQLDOM4J, which is freely based on the SQL DOM but attempts to address some of our criticisms toward it, and evaluate its performance. Keywords: Java, Prevention, SQL, SQLDOM4J, SQL Injection, Web Security. 1 Introduction Online data theft has recently become a very serious issue, and recent cases have been widely publicized over concerns for the confidentiality of personally identifiable information (PII). As a consequence, database extrusion prevention (DBEP) products have been rising lately. As early as 2002, the CSI & FBI survey reported that more than 50% of online databases experience a security breach each year [4]. As a matter of fact, Injection Flaws – and particularly SQL Injections – appear among the OWASP’s Top Ten most critical web applications vulnerabilities list [5].
    [Show full text]
  • Web Application Security by SQL Injection Detectiontools
    IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 2, No 3, March 2012 ISSN (Online): 1694-0814 www.IJCSI.org 332 Web Application Security by SQL Injection DetectionTools Atefeh Tajpour , Suhaimi Ibrahim, Mohammad Sharifi Advanced Informatics School University Technology Malaysia Malaysia Abstract— SQL injection is a type of attack which the attacker adds Structured Query Language code to a web form input Researchers have proposed some tools to help developers box to gain access or make changes to data. SQL injection to compensate the shortcoming of the defensive coding [7, vulnerability allows an attacker to flow commands directly to a 10, 12]. The problem is that some current tools could not web application's underlying database and destroy address all attack types or some of them need special functionality or confidentiality. Researchers have proposed deployment requirements. different tools to detect and prevent this vulnerability. In this paper we present all SQL injection attack types and also The paper is organized as follows. In section 2 we define current tools which can detect or prevent these attacks. Finally we evaluate these tools. SQL Injection attack. In section3 we present different SQLI attack types. In section 4 we review current tools against Keyword: SQL Injection Attacks, detection, prevention, tool, SQLI. In section 5 we evaluate SQL Injection detection evaluation. or/and prevention tools against all types of SQL injection attacks and deployment requirements. Conclusion and future 1. INTRODUCTION work is provided in section 6. Web applications are often vulnerable to attacks, which can give attackers easily access to the application's 2.
    [Show full text]