
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 15, Number 6 (2020) pp. 569-580 ©Research India Publications. http://www.ripublication.com

SQL Injection Attack Detection and Prevention Techniques Using Machine Learning

Ines Jemal1, Omar Cheikhrouhou2, Habib Hamam3 and Adel Mahfoudhi4

1University of Sfax, ENIS, CES, LR11ES49, 3038 Sfax, Tunisia. E-mail: [email protected]
2University of Sfax, ENIS, CES, LR11ES49, 3038 Sfax, Tunisia. University of Mounastir, ISIMA, Mahdia, Tunisia. E-mail: [email protected]
3Faculty of Engineering, University of Moncton, NB, E1A 3E9, Canada. E-mail: [email protected]
4University of Sfax, ENIS, CES, LR11ES49, 3038 Sfax, Tunisia. E-mail: [email protected]

Abstract

Web application attacks are incessantly increasing in number and in severity. The big data available on the Internet motivates hackers to launch new kinds of attacks. In this context, intensive research on web application security has been conducted. The most dangerous attack that targets web applications is the Structured Query Language Injection (SQLI). This attack represents a serious threat to web applications. Several research works have been conducted to mitigate this attack, either by preventing it at an early stage or by detecting it when it occurs. In this paper, we present an overview of the SQL injection attack and a classification of the newly proposed detection and prevention solutions. We classify the different attack sources, goals, and types. Moreover, we discuss and classify the most important and recent proposed solutions to mitigate this attack, especially those based on ontology and machine learning.

Keywords: SQL injection, Web security, Ontology, Machine Learning.

I. INTRODUCTION

The increase in the development and spread of web applications has also led to an increase in the number and severity of web attacks. According to Statista [1], in 2018, 953 thousand web attacks were blocked on a daily basis, up from 611 thousand daily blocked attacks in the previous year. According to the Open Web Application Security Project (OWASP) [2], the injection vulnerability continues to be the most frequently found vulnerability in web applications.

The Structured Query Language Injection (SQLI) attack is considered the most dangerous attack of the injection category because it compromises the main security services: confidentiality, authentication, authorization and integrity [3]. Roughly speaking, an SQLI attack consists in injecting (inserting) malicious SQL commands into input forms or queries to get access to a database or to manipulate its data (e.g. send the database contents to the attacker, modify or delete the database content, etc.) [4], [5].

Indeed, today, most web applications use a back-end database to store data collected from the users and/or to retrieve information selected by the users. Interaction with these users is generally achieved through forms and cookies. Hackers try to exploit this characteristic by injecting malicious code into these user inputs, which will later be used to construct the SQL queries. Improper validation of the user inputs can lead to the success of the SQLI attack and, therefore, can have catastrophic consequences such as the deletion of the database or the gathering of sensitive and confidential data of the web application's clients.

Due to its severe impact, several works have addressed the SQLI attack. Some of these works only try to detect the SQLI once it has occurred. Other works try to prevent it before it occurs. Although several techniques have been proposed to fight against the SQLI attack, none of these solutions addresses the full scope of the attack. Therefore, there is no solution that can prevent or detect all the different types of SQLI attack. Recently, researchers have tried to benefit from machine learning techniques to propose more sophisticated solutions.

In this paper, we present a survey on SQL injection attacks. We present the main attack sources, types and goals. Moreover, the main proposed solutions that address this attack are discussed and compared.

The main contributions of this paper are as follows:

1) An overview of the SQLI attack is presented. The different attack sources, goals and types are described and discussed.
2) A classification of the different SQLI attack detection and prevention countermeasures is presented and discussed.
3) A comparative table between the different proposed SQLI attack countermeasures is presented.
4) Newly proposed solutions, such as those based on ontology and machine learning, are described and discussed.

The remainder of this paper is as follows. In Section II, we present a description of the SQLI attack by enumerating its possible sources, goals and types. Then, in Section III, we classify the different existing countermeasures that have been proposed to either detect or prevent the SQLI attack. Finally, we give a discussion of the presented solutions and conclude the paper.

II. SQLI ATTACK OVERVIEW

In this section, we present a general overview of the SQLI attack. We start by discussing the SQLI sources, then classify their goals and types. Table I classifies and summarizes the main ideas and points discussed in this section.

A. SQLI Attack Sources

SQL injection vulnerabilities may be found in any application parameter that can be used in a database query. The authors in [6] cited four sources through which the SQL Injection Attack (SQLIA) can start. These sources are user input, cookies, server variables and stored injection.

• Injection through user input: Web applications generally use forms to collect data from users (such as registration, login, etc.) or to permit users to specify the data to be retrieved (such as search, adapted view, etc.). These forms, containing "text fields", could be exploited by attackers to inject malicious code, which results in obtaining unintended data (retrieving secret data, etc.) or performing unintended actions (manipulating the database, etc.). Common fields are Login Name, Password, Address, Phone Number, Credit Card Number, and Search.

• Injection through cookies: Recent web applications use cookies to store user preferences. Cookies are files stored on the client machine which contain state information generated by the web application. An attacker could embed malicious code into the cookie contents stored on his computer, thereby making a web application that uses the cookie contents to build SQL queries vulnerable to attack [7].

• Injection through server variables: Server variables are a set of parameters that contain network headers, HTTP metadata, and environment variables. Generally, web applications use these server variables for auditing usage statistics and identifying browsing trends. If these variables are stored in a database without validation, attackers can exploit this vulnerability by placing an SQLIA directly into the server variables (for instance, in a request header the application logs).

• Stored injection: In stored injection (also called second-order injection), attackers embed malicious inputs into a database to indirectly launch an SQLIA each time that input is used. The seeded value is stored harmlessly at the time it is submitted; the injection fires only when the stored value is later concatenated into another query. The following code shows an example of second-order SQL injection. In this example, the attacker, as a normal user of the website, first registers with the application using a seeded username such as admin'--. Then, the attacker tries to change his password. The SQL query to change a user password generally has the following form:

    queryString = "UPDATE users SET password='" + newPassword + "' WHERE userName='" + userName + "' AND password='" + oldPassword + "'"

Assume that newPassword and oldPassword are "newpwd" and "oldpwd", both chosen by the attacker; the query that will be sent to the database is then the following:

    UPDATE users SET password='newpwd' WHERE userName='admin'--' AND password='oldpwd'

Because "--" is the SQL comment operator, everything after it is ignored. The result of this query is that the database changes the password of the administrator ("admin") to an attacker-specified value.

B. SQLI Attack Goals

Hackers can have different intents and goals when launching an SQLI attack. The main SQLI attack goals are:

• Identifying injectable parameters: As a first step, hackers try to identify which parameters could be used to inject malicious code. These parameters could be present in one of the sources described in Subsection II-A. More precisely, such a parameter could be a "username" field in a form, a "card number" in a cookie, etc. An attacker can modify the logic of the statement by injecting SQL code, so that when executed it performs another action. For example, injecting a single quote, which is used in SQL to delimit the start or end of a string value, could disrupt the pairing of string delimiters and generate an application error, indicating a potential vulnerability to SQL injection.

• Performing database fingerprinting: To construct a query format supported by the target database engine, the attacker needs to know the database fingerprint. The database fingerprint is the information that identifies the precise type and edition of a database system. Each database system uses a different proprietary SQL dialect. For example, Microsoft SQL Server uses T-SQL while Oracle Database uses PL/SQL. As a consequence, the attacker must first find out the type and version of the database used by a web application, and then craft malicious SQL input for that database. Moreover, known vulnerabilities associated with that version of the database can be exploited by attackers.

• Determining database schema: To successfully extract data from a database, the attacker needs to know the database schema information, such as table names, column count and names, and column data types. The database schema is used by hackers to craft an accurate subsequent attack with the purpose of extracting or modifying data from the database. Figure 1 presents an error message returned by the database system that reveals information related to the database schema (such as the number and names of columns) and to the system (such as ODBC).

Fig. 1: verbose error message
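The following is an added example, not code from the paper, that reproduces the second-order injection from Subsection II-A and the first two attacker goals from Subsection II-B (probing a parameter with a single quote and fingerprinting the engine from the error text). It runs against an in-memory SQLite database; the users table, the accounts in it, and the error-signature table are constructed for the example. The string-built UPDATE is deliberately kept vulnerable, as in the paper, and is shown next to its parameterized form.

```python
"""Second-order SQL injection, its parameterized fix, and the quote-probe /
error-fingerprint steps an attacker uses to find an injectable parameter.
Added example (not from the paper); all data below is constructed."""
import sqlite3

# Constructed sample accounts (assumption): one administrator, one ordinary user.
SEED_ROWS = [("admin", "s3cret"), ("alice", "alicepw")]


def fresh_db():
    """Return an in-memory SQLite connection holding a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def register(conn, user_name, password):
    """Registration is parameterized, so the seeded name admin'-- is stored
    verbatim and harmlessly. That is what makes the later injection second-order."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (user_name, password))


def change_password_vulnerable(conn, user_name, old_password, new_password):
    """The paper's string-built UPDATE: the stored username is concatenated into
    the statement, so admin'-- closes the string and comments out the rest."""
    query = ("UPDATE users SET password='" + new_password
             + "' WHERE userName='" + user_name
             + "' AND password='" + old_password + "'")
    conn.execute(query)
    return query


def change_password_safe(conn, user_name, old_password, new_password):
    """Parameterized form: the username travels as data, never as SQL text."""
    conn.execute("UPDATE users SET password=? WHERE userName=? AND password=?",
                 (new_password, user_name, old_password))


def password_of(conn, user_name):
    row = conn.execute("SELECT password FROM users WHERE userName=?",
                       (user_name,)).fetchone()
    return row[0] if row else None


def second_order_demo(safe):
    """Register as admin'-- with password oldpwd, then 'change my password'.
    Returns (admin's password afterwards, attacker's password afterwards)."""
    conn = fresh_db()
    attacker = "admin'--"
    register(conn, attacker, "oldpwd")
    change = change_password_safe if safe else change_password_vulnerable
    change(conn, attacker, "oldpwd", "newpwd")
    return password_of(conn, "admin"), password_of(conn, attacker)


def probe_parameter(conn, value):
    """Goal 1, identifying injectable parameters: feed the value into a
    string-built query and return the database error text (None if no error).
    A lone trailing quote unbalances the delimiters and triggers the error."""
    try:
        conn.execute("SELECT password FROM users WHERE userName='" + value + "'")
    except sqlite3.Error as exc:
        return str(exc)
    return None


# Goal 2, fingerprinting: well-known substrings of each engine's unterminated-
# string error. Assumption: taken from the engines' documented messages.
ERROR_SIGNATURES = [
    ("unrecognized token", "SQLite"),
    ("You have an error in your SQL syntax", "MySQL/MariaDB"),
    ("unterminated quoted string", "PostgreSQL"),
    ("Unclosed quotation mark after the character string", "Microsoft SQL Server"),
    ("ORA-01756", "Oracle"),
]


def fingerprint_from_error(message):
    """Map a verbose error message to the database engine that produced it."""
    for needle, dbms in ERROR_SIGNATURES:
        if needle in message:
            return dbms
    return "unknown"


def probe_demo():
    """Probe the username parameter with alice' and fingerprint the engine."""
    err = probe_parameter(fresh_db(), "alice'")
    return fingerprint_from_error(err or "")


if __name__ == "__main__":
    print("vulnerable:", second_order_demo(safe=False))   # admin's password changed
    print("parameterized:", second_order_demo(safe=True))  # only attacker's row changed
    print("engine behind the error:", probe_demo())
```

The vulnerable path returns ("newpwd", "oldpwd"): the WHERE clause collapsed to userName='admin', so the administrator's password was overwritten while the attacker's own row was untouched. The parameterized path returns ("s3cret", "newpwd"), because the quote and comment marker stay inside the bound value. The probe returns None for a benign value and an error string for alice', and the fingerprint step maps that string to SQLite; in a real engagement the same mapping is applied to whatever verbose error the application leaks (Figure 1 in the paper is exactly such a message).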