Methods of Identifying and Preventing SQL Attacks - Research Paper Example

Methods of Identifying and Preventing SQL Attacks Abstract The paper begins by identifying the organizations which are vulnerable to the SQL attack referred to as an SQL injection attack (SQLIA). The term “SQL injection attack” is defined and a diagram is used to illustrate the way that attack occurs. In another section, the paper identifies the methods used to detect an attack to SQL, whereby the techniques are discussed extensively using relevant diagrams for illustration. The other sections cover the preventive methods, where the methods are also discussed with an illustration using diagrams. Keywords: SQLIA, WebSSARI, WAVE, AMNESIA, SQL DOM, tautology Introduction There are numerous web applications used by various companies and organizations in order to provide services to users, such as online banking and shopping, hence establishing a need to develop a database. These web applications contain confidential information such as the customer’s financial records, thus making these applications frequent targets for attackers. The attack to the SQL is referred to as the SQL injection, which gives attackers unauthorized access to the databases of underlying Web applications (Huang, Yu, Hang, and Tsai 148). Therefore, these attackers are able to leak, modify and delete information which is stored on these databases, thus resulting in problems for the organization. In this case, the paper will discuss issues related to detection and prevention of SQL attacks. Commercial and governmental institutions are the common victims of SQL injection attacks (SQLIAs) due to insufficiency in the input validation. In fact, these cases occur when Web application receives a user input, thus using it for building a database query without ample validation, hence creating a chance for an attacker to utilize the vulnerability. The vulnerability of the databases to SQL injections has been regarded as the most serious threat for a Web application (Wassermann and Su, 78). This creates a form of vulnerability to SQL injection, thus allowing the attacker to have accessibility to the underlying databases, and it results in security violations since the information in these databases is sensitive. The implications of SQL injections are issues such as loss of credentials, theft and fraud, and in other cases the attackers are able to use the vulnerability to acquire control and corrupt the system hosting the Web application. The diagram illustrates an SQL injection, whereby an attacker uses a client through the firewall into the web application where access to SQL server is achieved and sensitive application data is disclosed. Methods of Identifying SQL Attacks Numerous methods can be applied in detecting SQL injection attacks, and one of them is the Intrusion Detection System (IDS), which is based on a machine learning technique and application of a set of distinctive application queries. Moreover, this technique relates to a model of distinctive queries and a function of monitoring application at runtime in order to identify the queries that are not matching the model (Pietraszek and Vanden 2). Therefore, this makes the system have the ability of detecting attacks effectively, though there are basic demerits of learning based techniques since they do not offer guarantee concerning the detection abilities. In fact, the detection abilities are dependent on the quality of the training set applied; thus, a poor training set can result in generation of large numbers of false positive and negative by the learning technique (Valeur, Mutz, and Vigna 40). The diagram shows the locations of the Intrusion Detection System (IDS), whereby there are two sensors located at both sides of the firewall in order to detect any intrusion from the Internet before and after penetrating the firewall. The other way of detecting the SQL injection attack is through the Taint Based Approach, which uses the WebSSARI for the detection of input-validation concerning the errors through an analysis of the information flow. Moreover, this approach uses static analysis in checking the taint flows against preconditions for the sensitive functions. In fact, this analysis detects the points that have failed to meet preconditions, hence suggesting the filters and sanitization function, which is added to the application in order to satisfy the preconditions. The WebSSARI system functions through consideration of sanitizing the input, which as passed through a predefined set of filters. In this way, the system can detect vulnerabilities in the application, though there are drawbacks associated with assumptions of adequacy in preconditions for sensitive functions that are accurately expressed by typing system. The other method is the Black Box Testing, which is used for testing the vulnerabilities of the Web applications for the SQL injection attacks, through a technique that applies the Web crawler to identify the points that can be used by an attacker. The method also builds attack-targeting points that are based on a list of pattern attack techniques, while WAVE monitors the response of application to the attacks by use of machine learning techniques in order to improve the methodology of attacks. Moreover, this attack improves over the penetration testing through approaches of machine learning in order to guide the testing, though its limitation is that testing techniques cannot provide a guarantee of completeness. The diagram indicates the location of the black box, which is at the centre of the network, whereby data values are persistently retrieved and stored. Moreover, in the clear box there are constraints and existing data, which are used to refer to access codes to the database. The other method is the Static Code Checkers which uses techniques of statistically checking correction of SQL queries that are dynamically generated (Gould, Su, and Devanbu 654). This approach was developed for detecting the attacks that exploit the mismatches that occur in the dynamically generate query string (Haldar, Chandra, and Franz 303). The Checker detects the cause of the SQL injection attack vulnerabilities through a improper code form of checking input. Nevertheless, the system lacks the ability to detect general types of SQLIAs since most of the attacks comprise syntactically correct queries. In addition, this approach uses static analysis, which is integrated with automated reasoning for verification of SQL queries that are generated by an application layer that entails a tautology, though the approach is limited to detecting tautologies and not other forms of attacks. The diagram shows an example of a code detected through techniques of statistically checking correction, whereby the code is underlined. Methods of Preventing SQL Attacks There are methods used in order to prevent SQL attacks, and one of them is the use of Proxy Filters, which is a system of enforcing input validation rules on data that are flowing to a web application. The developers offer constraints through the Security Policy Descriptor Language (SPDL), thus specifying the transformations that are applied for application of parameters that relate a Web page to the application server (Boyd and Keromytis, 292). This method also allows developers to express their policies since SPDL is highly expressive, though the approach is human-based and defensive programming, thus requiring the developers to identify the data that require filtering. The diagram depicts the filtering which occurs between the server and the Internet in order to prevent an injection by an attacker using the clients to the web servers with SQL database. The other preventive method relates to the use of Combined Static and Dynamic Analysis through a model referred to as AMNESIA, which is a technique integrating static analysis and monitoring runtime. AMNESIA applies statistical analysis that develops models of different forms of queries that are generated by an application at a point of access to the database (Halfond and Orso 174). In fact, this model intercepts queries sent to the database, and checks query against the model that is built statically, thus providing a basis for identifying the queries that violate the model, hence preventing them from executing on the database, though this model has a constraint associated with dependence on the precision of the static analysis for developing the models. The other preventive method is the New Query Development Paradigms, which entails two resent approaches: SQL DOM and Safe Query Objects, and application of encapsulation of database queries that offer a safe and reliable way of accessing the database. This method provides an effective way of avoiding SQL attacks by altering the process of building the query from an unregulated process that utilizes strings concatenation to a process involving a type check of API (McClure and Krüger 88). Therefore, this method allows a systematic application of best coding practice such as filtering of input and checking of user input; thus, altering the development of paradigm that creates SQL queries can eliminate the coding practice that facilities vulnerabilities of SQLIAs. Nevertheless, this method has a drawback associated with the requirement of a developer to learn and apply a new programming paradigm or query development process. Consequently, focusing on the use of a new development process, there is no provision of any form of protection for a legacy system. In conclusion, the paper has explored issues related to the detection and prevention of SQL injection attacks. Several methods have been identified and discussed, which are aimed at detecting or preventing the attacks. Most of the methods discussed are commonly used by organizations such as commercial and the government institutions, which are more subjected to the risk of SQL attacks; hence, the paper has met the objective set by the thesis statement at the beginning of the paper. Works Cited Boyd, Stephen, and Angelos Keromytis. "SQLrand: Preventing SQL Injection Attacks." In Proc. of the 2nd Applied Cryptography and Network Security. Conf. (ACNS 2004), Jun. 2004. 292–302. Print. Gould, Carl, Zhendong Su, and Premkumar Devanbu . "Static Checking of Dynamically Generated Queries in Database Applications." In Proc. of the 26th Intern. Conf. on Software Engineering (ICSE 2004), May 2004. 645–654. Print. Haldar, Vivek, Deepak Chandra, and Michael Franz. "Dynamic Taint Propagation for Java." In Proc. of the 21st Annual Computer Security Applications. Conf. (ACSAC 2005), Dec. 2005. 303–311. Print. Halfond, William, and Alessandro Orso. "AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks." In Proc. of the IEEE and ACM Intern. Conf. on Automated Software Engineering (ASE 2005), Nov. 2005. 174–183. Print. Huang, Yao-Wen, Fang Yu, Christian Hang, and Chung-Hung Tsai. "Web Application Security Assessment by Fault Injection and Behaviour Monitoring." In Proc. of the 12th Intern. World Wide Web Conf. (WWW 2003), May 2003. 148–159. Print. McClure, Russell, and Ingolf Krüger. "SQL DOM: Compile Time Checking of Dynamic SQL Statements." In Proc. of the 27th Intern. Conf. on Software Engineering (ICSE 2005), May 2005. 88–96. Print. Pietraszek, Tadeusz, and Chris Vanden. "Defending Against Injection Attacks through Context-Sensitive String Evaluation." In Proc. of Recent Advances in Intrusion Detection. (RAID 2005), Sep. 2005. Print. Valeur, Fredrik, Darren Mutz, and Giovanni Vigna. "A Learning-Based Approach to the Detection of SQL Attacks." In Proc. of the Conf. on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA 2005), Jul. 2005. Print. Wassermann, Gary, and Zhendong Su. "An Analysis Framework for Security in Web Applications." In Proc. of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), Oct. 2004. 70–78. Print.       Read More