StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Methods of Identifying and Preventing SQL Attacks - Research Paper Example

Cite this document
Summary
The paper “Methods of Identifying and Preventing SQL Attacks? begins by identifying the organizations which are vulnerable to the SQL attack referred to as an SQL injection attack. There are numerous web applications used by various companies and organizations in order to provide services to users…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER98.6% of users find it useful
Methods of Identifying and Preventing SQL Attacks
Read Text Preview

Extract of sample "Methods of Identifying and Preventing SQL Attacks"

Methods of Identifying and Preventing SQL Attacks Abstract The paper begins by identifying the organizations which are vulnerable to the SQL attack referred to as an SQL injection attack (SQLIA). The term “SQL injection attack” is defined and a diagram is used to illustrate the way that attack occurs. In another section, the paper identifies the methods used to detect an attack to SQL, whereby the techniques are discussed extensively using relevant diagrams for illustration. The other sections cover the preventive methods, where the methods are also discussed with an illustration using diagrams. Keywords: SQLIA, WebSSARI, WAVE, AMNESIA, SQL DOM, tautology Introduction There are numerous web applications used by various companies and organizations in order to provide services to users, such as online banking and shopping, hence establishing a need to develop a database. These web applications contain confidential information such as the customer’s financial records, thus making these applications frequent targets for attackers. The attack to the SQL is referred to as the SQL injection, which gives attackers unauthorized access to the databases of underlying Web applications (Huang, Yu, Hang, and Tsai 148). Therefore, these attackers are able to leak, modify and delete information which is stored on these databases, thus resulting in problems for the organization. In this case, the paper will discuss issues related to detection and prevention of SQL attacks. Commercial and governmental institutions are the common victims of SQL injection attacks (SQLIAs) due to insufficiency in the input validation. In fact, these cases occur when Web application receives a user input, thus using it for building a database query without ample validation, hence creating a chance for an attacker to utilize the vulnerability. The vulnerability of the databases to SQL injections has been regarded as the most serious threat for a Web application (Wassermann and Su, 78). This creates a form of vulnerability to SQL injection, thus allowing the attacker to have accessibility to the underlying databases, and it results in security violations since the information in these databases is sensitive. The implications of SQL injections are issues such as loss of credentials, theft and fraud, and in other cases the attackers are able to use the vulnerability to acquire control and corrupt the system hosting the Web application. The diagram illustrates an SQL injection, whereby an attacker uses a client through the firewall into the web application where access to SQL server is achieved and sensitive application data is disclosed. Methods of Identifying SQL Attacks Numerous methods can be applied in detecting SQL injection attacks, and one of them is the Intrusion Detection System (IDS), which is based on a machine learning technique and application of a set of distinctive application queries. Moreover, this technique relates to a model of distinctive queries and a function of monitoring application at runtime in order to identify the queries that are not matching the model (Pietraszek and Vanden 2). Therefore, this makes the system have the ability of detecting attacks effectively, though there are basic demerits of learning based techniques since they do not offer guarantee concerning the detection abilities. In fact, the detection abilities are dependent on the quality of the training set applied; thus, a poor training set can result in generation of large numbers of false positive and negative by the learning technique (Valeur, Mutz, and Vigna 40). The diagram shows the locations of the Intrusion Detection System (IDS), whereby there are two sensors located at both sides of the firewall in order to detect any intrusion from the Internet before and after penetrating the firewall. The other way of detecting the SQL injection attack is through the Taint Based Approach, which uses the WebSSARI for the detection of input-validation concerning the errors through an analysis of the information flow. Moreover, this approach uses static analysis in checking the taint flows against preconditions for the sensitive functions. In fact, this analysis detects the points that have failed to meet preconditions, hence suggesting the filters and sanitization function, which is added to the application in order to satisfy the preconditions. The WebSSARI system functions through consideration of sanitizing the input, which as passed through a predefined set of filters. In this way, the system can detect vulnerabilities in the application, though there are drawbacks associated with assumptions of adequacy in preconditions for sensitive functions that are accurately expressed by typing system. The other method is the Black Box Testing, which is used for testing the vulnerabilities of the Web applications for the SQL injection attacks, through a technique that applies the Web crawler to identify the points that can be used by an attacker. The method also builds attack-targeting points that are based on a list of pattern attack techniques, while WAVE monitors the response of application to the attacks by use of machine learning techniques in order to improve the methodology of attacks. Moreover, this attack improves over the penetration testing through approaches of machine learning in order to guide the testing, though its limitation is that testing techniques cannot provide a guarantee of completeness. The diagram indicates the location of the black box, which is at the centre of the network, whereby data values are persistently retrieved and stored. Moreover, in the clear box there are constraints and existing data, which are used to refer to access codes to the database. The other method is the Static Code Checkers which uses techniques of statistically checking correction of SQL queries that are dynamically generated (Gould, Su, and Devanbu 654). This approach was developed for detecting the attacks that exploit the mismatches that occur in the dynamically generate query string (Haldar, Chandra, and Franz 303). The Checker detects the cause of the SQL injection attack vulnerabilities through a improper code form of checking input. Nevertheless, the system lacks the ability to detect general types of SQLIAs since most of the attacks comprise syntactically correct queries. In addition, this approach uses static analysis, which is integrated with automated reasoning for verification of SQL queries that are generated by an application layer that entails a tautology, though the approach is limited to detecting tautologies and not other forms of attacks. The diagram shows an example of a code detected through techniques of statistically checking correction, whereby the code is underlined. Methods of Preventing SQL Attacks There are methods used in order to prevent SQL attacks, and one of them is the use of Proxy Filters, which is a system of enforcing input validation rules on data that are flowing to a web application. The developers offer constraints through the Security Policy Descriptor Language (SPDL), thus specifying the transformations that are applied for application of parameters that relate a Web page to the application server (Boyd and Keromytis, 292). This method also allows developers to express their policies since SPDL is highly expressive, though the approach is human-based and defensive programming, thus requiring the developers to identify the data that require filtering. The diagram depicts the filtering which occurs between the server and the Internet in order to prevent an injection by an attacker using the clients to the web servers with SQL database. The other preventive method relates to the use of Combined Static and Dynamic Analysis through a model referred to as AMNESIA, which is a technique integrating static analysis and monitoring runtime. AMNESIA applies statistical analysis that develops models of different forms of queries that are generated by an application at a point of access to the database (Halfond and Orso 174). In fact, this model intercepts queries sent to the database, and checks query against the model that is built statically, thus providing a basis for identifying the queries that violate the model, hence preventing them from executing on the database, though this model has a constraint associated with dependence on the precision of the static analysis for developing the models. The other preventive method is the New Query Development Paradigms, which entails two resent approaches: SQL DOM and Safe Query Objects, and application of encapsulation of database queries that offer a safe and reliable way of accessing the database. This method provides an effective way of avoiding SQL attacks by altering the process of building the query from an unregulated process that utilizes strings concatenation to a process involving a type check of API (McClure and Krüger 88). Therefore, this method allows a systematic application of best coding practice such as filtering of input and checking of user input; thus, altering the development of paradigm that creates SQL queries can eliminate the coding practice that facilities vulnerabilities of SQLIAs. Nevertheless, this method has a drawback associated with the requirement of a developer to learn and apply a new programming paradigm or query development process. Consequently, focusing on the use of a new development process, there is no provision of any form of protection for a legacy system. In conclusion, the paper has explored issues related to the detection and prevention of SQL injection attacks. Several methods have been identified and discussed, which are aimed at detecting or preventing the attacks. Most of the methods discussed are commonly used by organizations such as commercial and the government institutions, which are more subjected to the risk of SQL attacks; hence, the paper has met the objective set by the thesis statement at the beginning of the paper. Works Cited Boyd, Stephen, and Angelos Keromytis. "SQLrand: Preventing SQL Injection Attacks." In Proc. of the 2nd Applied Cryptography and Network Security. Conf. (ACNS 2004), Jun. 2004. 292–302. Print. Gould, Carl, Zhendong Su, and Premkumar Devanbu . "Static Checking of Dynamically Generated Queries in Database Applications." In Proc. of the 26th Intern. Conf. on Software Engineering (ICSE 2004), May 2004. 645–654. Print. Haldar, Vivek, Deepak Chandra, and Michael Franz. "Dynamic Taint Propagation for Java." In Proc. of the 21st Annual Computer Security Applications. Conf. (ACSAC 2005), Dec. 2005. 303–311. Print. Halfond, William, and Alessandro Orso. "AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks." In Proc. of the IEEE and ACM Intern. Conf. on Automated Software Engineering (ASE 2005), Nov. 2005. 174–183. Print. Huang, Yao-Wen, Fang Yu, Christian Hang, and Chung-Hung Tsai. "Web Application Security Assessment by Fault Injection and Behaviour Monitoring." In Proc. of the 12th Intern. World Wide Web Conf. (WWW 2003), May 2003. 148–159. Print. McClure, Russell, and Ingolf Krüger. "SQL DOM: Compile Time Checking of Dynamic SQL Statements." In Proc. of the 27th Intern. Conf. on Software Engineering (ICSE 2005), May 2005. 88–96. Print. Pietraszek, Tadeusz, and Chris Vanden. "Defending Against Injection Attacks through Context-Sensitive String Evaluation." In Proc. of Recent Advances in Intrusion Detection. (RAID 2005), Sep. 2005. Print. Valeur, Fredrik, Darren Mutz, and Giovanni Vigna. "A Learning-Based Approach to the Detection of SQL Attacks." In Proc. of the Conf. on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA 2005), Jul. 2005. Print. Wassermann, Gary, and Zhendong Su. "An Analysis Framework for Security in Web Applications." In Proc. of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), Oct. 2004. 70–78. Print.       Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(“Methods of Identifying and Preventing SQL Attacks Research Paper”, n.d.)
Methods of Identifying and Preventing SQL Attacks Research Paper. Retrieved from https://studentshare.org/information-technology/1458887-methods-of-identifying-and-preventing-sql-attacks
(Methods of Identifying and Preventing SQL Attacks Research Paper)
Methods of Identifying and Preventing SQL Attacks Research Paper. https://studentshare.org/information-technology/1458887-methods-of-identifying-and-preventing-sql-attacks.
“Methods of Identifying and Preventing SQL Attacks Research Paper”, n.d. https://studentshare.org/information-technology/1458887-methods-of-identifying-and-preventing-sql-attacks.
  • Cited: 0 times

CHECK THESE SAMPLES OF Methods of Identifying and Preventing SQL Attacks

Data Privacy and Security

Cyber attacks are a deliberate or unintentional unauthorized task, which cannot be avoided or is in avoidable that that is capable of causing a vagary on the cyberspace resources.... Scope of the problem The different types of attacks that amount to cybercrime and are detriment to cybersecurity are keylogging and spyware.... There was also a provision of extensive security to a media group that gave hand to the police while carrying out the investigation while the vulnerable attacks that were frequent were blacklisted so that more security concerns were availed in those areas (Middleton, 2005)....
12 Pages (3000 words) Research Paper

Database Forensics and Auditing

After describing these terms, we will incorporate Microsoft Log miner tool for collecting forensic evidence from a database and for auditing or reviewing database current state, sql auditing will be incorporated.... This paper ''Database Forensics and Auditing'' has focus on the definition of database forensic and database auditing, the regulation under database auditing, the meaning of Data Access Auditing, and Data Monitoring by analyzing some of their features....
8 Pages (2000 words) Report

Computer Attacks and Their Counter Measures

The paper "Computer attacks and Their Counter Measures" describes that to be able to mitigate the issues presented by the hacking of a wireless network, it would be necessary to use all the accessible tools in the router.... Some of these attacks are passive, in that there is the monitoring of the information, while others can be termed as active implying that the data within the system is manipulated with the intent to destroy or corrupt the network or data itself....
6 Pages (1500 words) Essay

Security Architecture, Quality of Hertford Fashions Service Applications and System Infrastructure

It documents the findings for the security… The purpose of the test was to use exploitation capacity in identifying and validating potential vulnerabilities across the network infrastructure within scope. HertfordFashion is a leading This has made it critical to take countermeasures to avert any exploits that can cause losses.... Network-based attacks are security incidences on network infrastructure (computer & network components and applications) utilising network protocol functions....
16 Pages (4000 words) Essay

An Effective Technologies in Providing Effective Defense to Businesses

Earlier efforts at patching entry points to a network and preventing anonymous accesses by outsides have encouraged intruders to develop sophisticated techniques to penetrate networks and cause harm in several forms that include anything from corrupting data, destroying networks and IT infrastructure to preventing users from accessing their files and terminals.... In fact, a major chunk of the work of today's software and network specialists is aimed at identifying and mitigating all such possible risks and attacks that a network is capable of being attacked within a proactive manner....
17 Pages (4250 words) Research Paper

Web Security Importance

The threats posed by malicious internet users have driven the technocrats into developing methods such as secure web applications and procedures such as SWEET that ensure people have their data safe when they are transmitting them over the internet.... The final report has elucidated some of these methods and procedures that have been developed all over the years as the world of information technology is open-ended and is open to so many changes as the years go by....
12 Pages (3000 words) Coursework

What Are Advanced Persistent Threats and How to Prevent Them

APTs are levels of attacks, gradually referred by IT security companies, sufferers and law implementation agencies.... With the emergence of a networked system, companies have faced several malicious attacks.... To cite a few of them, social engineering, hacking and denial of services attacks are experienced by several IT security professionals.... In order to deal with such attacks, multiple preventive measures have also emerged, making it difficult for attackers with malicious aims to infiltrate a company's network....
20 Pages (5000 words) Research Paper

The Idea of Sandboxing and Its Techniques

This coursework "The Idea of Sandboxing and Its Techniques" focuses on the main function of the sandbox that generates a remote atmosphere in which the applications run to block malware attacks.... The applications that are run by sandbox include IM consumers, Web browsers, Online games, Emails, and other applications that are open for malware attacks.... The virtualization methods have made the sandboxing procedure easier and hassle-free....
14 Pages (3500 words) Coursework
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us