Combinatorial Approach for Preventing SQL Injection Attacks
This paper discusses a combinatorial approach for protecting Web applications against SQL injection, a novel idea that combines the strengths of a signature-based method and an auditing method. SQL injection is a major web application security issue: it can give attackers unrestricted access to the databases that underlie Web applications. Many software systems have evolved to include a Web-based component that makes them available to the public via the Internet and can expose them to a variety of Web-based attacks. One of these attacks is SQL injection, which has become increasingly frequent and serious. This paper presents a new, highly automated approach for protecting Web applications against SQL injection that has both conceptual and practical advantages over most existing techniques. From a conceptual standpoint, the approach is based on the novel idea of positive tainting and on the concept of syntax-aware evaluation. From a practical standpoint, our technique is precise and efficient, has minimal deployment requirements, and incurs a negligible performance overhead in most cases. We have implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool, which we used to perform an empirical evaluation on a wide range of Web applications that we subjected to a large and varied set of attacks and legitimate accesses. WASP was able to stop all of the otherwise successful attacks and did not generate any false positives.
Existing dynamic tainting approaches check only untrusted data: they mark certain untrusted data (typically user input) as tainted, track the flow of tainted data at runtime, and prevent this data from being used in potentially harmful ways.
Researchers have proposed a wide range of alternative techniques to address SQLIAs, but many of these solutions have limitations that affect their effectiveness and practicality. For example, one common class of solutions is based on defensive coding practices, which have been less than successful for three main reasons. First, it is difficult to implement and enforce a rigorous defensive coding discipline. Second, many solutions based on defensive coding address only a subset of the possible attacks. Third, legacy software poses a particularly difficult problem because of the cost and complexity of retrofitting existing code so that it is compliant with defensive coding practices.
In this paper, we propose a new, highly automated approach for dynamic detection and prevention of SQLIAs. Intuitively, our approach works by identifying “trusted” strings in an application and allowing only these trusted strings to be used to create the semantically relevant parts of a SQL query, such as keywords or operators. The general mechanism that we use to implement this approach is based on dynamic tainting, which marks and tracks certain data in a program at run time. The kind of dynamic tainting that we use gives our approach several important advantages over techniques based on other mechanisms. Many techniques rely on complex static analyses in order to find potential vulnerabilities in the code; such conservative static analyses can generate high rates of false positives and can have scalability issues. Compared to other existing techniques based on dynamic tainting, our approach makes several conceptual and practical improvements that take advantage of the specific characteristics of SQLIAs. The first conceptual advantage of our approach is the use of positive tainting. Positive tainting identifies and tracks trusted data, whereas traditional (“negative”) tainting focuses on untrusted data.
In the context of SQLIAs, there are several reasons why positive tainting is more effective than negative tainting. First, in Web applications, sources of trusted data can be identified more easily and accurately than untrusted data sources. Therefore, the use of positive tainting leads to increased automation. Second, the two approaches differ significantly in how they are affected by incompleteness. With negative tainting, failure to identify the complete set of untrusted data sources can result in false negatives, that is, successful and undetected attacks. With positive tainting, missing trusted data sources can result in false positives (that is, legitimate accesses can be prevented from completing). False positives that occur in the field would be problematic. Using our approach, however, false positives are likely to be detected during prerelease testing. Our approach provides specific mechanisms for helping developers detect false positives early, identify their sources, and easily eliminate them in future runs by tagging the identified sources as trusted. The second conceptual advantage of our approach is the use of flexible syntax-aware evaluation. Syntax-aware evaluation lets us address security problems that are derived from mixing data and code while still allowing this mixing to occur. More precisely, it gives developers a mechanism for regulating the usage of string data based not only on its source but also on its syntactical role in a query string. This way, developers can use a wide range of external input sources to build queries while protecting the application from possible attacks introduced via these sources. The practical advantages of our approach are that it imposes a low overhead on the application and it has minimal deployment requirements. Efficiency is achieved by using a specialized library, called MetaStrings, that accurately and efficiently assigns and tracks trust markings at runtime. The only deployment requirements for our approach are that the Web application must be instrumented and it must be deployed with our MetaStrings library, which is done automatically. The approach does not require any customized runtime system or additional infrastructure.
First, it is difficult to implement and enforce a rigorous defensive coding discipline.
Second, many solutions based on defensive coding address only a subset of the possible attacks.
Third, legacy software poses a particularly difficult problem because of the cost and complexity of retrofitting existing code so that it is compliant with defensive coding practices.
First, unlike existing dynamic tainting techniques, our approach is based on the novel concept of positive tainting, that is, the identification and marking of trusted, instead of untrusted, data.
Second, our approach performs accurate and efficient taint propagation by precisely tracking trust markings at the character level.
Third, it performs syntax-aware evaluation of query strings before they are sent to the database and blocks all queries whose nonliteral parts
The approach combines three techniques; together they identify injected data and ensure that only correct queries are sent to SQL Server.
1. Positive tainting.
2. Character-level tainting.
3. Syntax-aware evaluation.
4. Credit Card
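The mechanism described above (trusted string sources, character-level trust marks propagated through concatenation, and a syntax-aware check of every keyword, identifier, operator and punctuation token in the finished query) as an added Python example. This is illustrative code written for this page, not the WASP tool or its MetaStrings library; the names TrustedString, tokenize, check_query, build_query and build_numeric_query, the small SQL token grammar, and the sample inputs are all assumptions constructed for the example.

```python
"""
Positive tainting with character-level trust marks plus syntax-aware
evaluation of the finished query string.

Illustrative re-implementation only: this is not the WASP tool or its
MetaStrings library, and the names TrustedString, tokenize, check_query,
build_query and build_numeric_query are assumptions made for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedString:
    """A string carrying one trust mark per character. Positive tainting:
    only characters from a trusted source (here: application string
    constants) are marked True; everything else defaults to False."""
    text: str
    marks: tuple

    @classmethod
    def trusted(cls, s):
        return cls(s, tuple(True for _ in s))

    @classmethod
    def untrusted(cls, s):
        # Used for anything not explicitly trusted, e.g. HTTP parameters.
        return cls(s, tuple(False for _ in s))

    def __add__(self, other):
        # Concatenation propagates the marks character by character.
        return TrustedString(self.text + other.text, self.marks + other.marks)


# Tokenizer for a small SQL subset (an assumption for this example).
# String literals use '' as the escaped quote; an unbalanced quote
# falls through to the "other" kind.
_TOKEN_RE = re.compile(
    r"(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<op><=|>=|<>|!=|[=<>+\-*/%])"
    r"|(?P<punct>[(),;.])"
    r"|(?P<space>\s+)"
    r"|(?P<other>.)",
    re.DOTALL,
)


def tokenize(text):
    """Return (kind, start, end) triples covering every character of text."""
    return [(m.lastgroup, m.start(), m.end()) for m in _TOKEN_RE.finditer(text)]


def check_query(query):
    """Syntax-aware evaluation, run on the complete query just before it
    would be sent to the database. Literals (strings, numbers) may contain
    untrusted characters; every character of a keyword, identifier,
    operator or punctuation token must be trusted. Returns (allowed, reason)."""
    for kind, start, end in tokenize(query.text):
        if kind in ("string", "number", "space"):
            continue
        if not all(query.marks[start:end]):
            tok = query.text[start:end]
            return False, f"untrusted {kind} {tok!r} at offset {start}"
    return True, "ok"


def build_query(user_name):
    """Query template is an application constant (trusted); user_name is a
    constructed stand-in for an HTTP parameter (untrusted)."""
    return (TrustedString.trusted("SELECT * FROM users WHERE name = '")
            + TrustedString.untrusted(user_name)
            + TrustedString.trusted("'"))


def build_numeric_query(account_id):
    """Same idea for an unquoted numeric context, where no quote is needed
    to break out of the literal."""
    return (TrustedString.trusted("SELECT balance FROM accounts WHERE id = ")
            + TrustedString.untrusted(account_id))


if __name__ == "__main__":
    # Constructed inputs: legitimate accesses and injection attempts.
    for q in (build_query("Smith"),
              build_query("O''Brien"),          # escaped quote stays a literal
              build_query("DROP TABLE users"),  # keywords inside a literal are data
              build_query("' OR '1'='1"),       # tautology: OR is an untrusted word
              build_query("O'Brien"),           # unescaped quote changes the syntax
              build_numeric_query("42"),
              build_numeric_query("42 OR 1=1"),
              build_numeric_query("42; DROP TABLE accounts")):
        allowed, reason = check_query(q)
        print("ALLOW" if allowed else "BLOCK", q.text, "|", reason)
    # A trusted source the developer forgot to tag is blocked (a false
    # positive), so the omission surfaces in testing instead of in the field.
    print(check_query(TrustedString.untrusted("SELECT 1")))
```

Keyword-looking text inside a properly quoted literal passes, because its syntactic role is data; an unescaped quote, a tautology or an appended statement is blocked because the resulting identifier, keyword or punctuation token carries characters without a trust mark. The last line shows the incompleteness behaviour discussed above: a string the developer forgot to tag as trusted fails closed rather than being silently accepted.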
Processor: any processor above 500 MHz.
RAM: 128 MB.
Hard disk: 10 GB.
Input devices: standard keyboard and mouse.
Output device: VGA, high-resolution monitor.
Operating system: Windows family.
Pages developed using: Java Server Pages and HTML.
Technologies: Apache Tomcat Web Server 5.0, JDK 1.5 or higher.
Web browser: Microsoft Internet Explorer.
Database: SQL Server 2000.
Client-side scripting: JavaScript.