Methods of Identifying and Preventing SQL Attacks - Report Example

Summary: This report, "Methods of Identifying and Preventing SQL Attacks", discusses the detection and prevention of SQL injection attacks; several methods aimed at detecting or preventing such attacks are identified and discussed.
Extract of sample "Methods of Identifying and Preventing SQL Attacks"

Introduction

There are numerous web applications used by companies and organizations to provide services to users, such as online banking and shopping, and each of these requires a database behind it. These applications hold confidential information such as customers' financial records, which makes them frequent targets for attackers. The attack on the SQL layer is referred to as SQL injection; it gives attackers unauthorized access to the databases underlying web applications (Huang, Yu, Hang and Tsai, 148). Attackers are thereby able to leak, modify and delete the information stored in these databases, with serious consequences for the organization. This paper discusses issues related to the detection and prevention of SQL attacks.

Commercial and governmental institutions are common victims of SQL Injection Attacks (SQLIAs), owing to insufficient input validation. These cases occur when a web application receives user input and uses it to build a database query without adequate validation, which gives an attacker the chance to exploit the vulnerability. The vulnerability of databases to SQL injection has been regarded as one of the most serious threats to web applications (Wassermann and Su, 78). It allows the attacker to reach the underlying database, and because the information in these databases is sensitive, the result is a security violation. The consequences of SQL injection include loss of credentials, theft and fraud; in some cases attackers are able to use the vulnerability to take control of, and corrupt, the system hosting the web application.
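The mechanism described above, user input spliced into a query string without validation, as an added example in Python against an in-memory SQLite database (example code, not from the paper). The table, its rows and the two payloads are constructed for the illustration; the same lookup is written once by string concatenation and once with a bound parameter so the difference in behaviour can be observed directly.

```python
"""Constructed example: one account lookup written as a string-concatenation
query (the SQLIA sink) and as a parameterized query, run against in-memory
SQLite. Table, rows and payloads are constructed for the example."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 1200), ("bob", 50), ("carol", 99000)])
    return conn


def lookup_vulnerable(conn, owner):
    """Untrusted input spliced into the statement text: a quote in `owner`
    ends the literal and everything after it is parsed as SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    """Bound parameter: the value travels separately from the statement, is
    never parsed as SQL, and so cannot change the query's structure."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)).fetchall()


# Constructed payloads: a tautology, and a UNION that pulls unrelated rows
# (the trailing '--' comments out the closing quote the application appends).
TAUTOLOGY = "x' OR '1'='1"
UNION = "x' UNION SELECT owner, balance FROM accounts WHERE balance > 1000 --"


def demo():
    """Rows each variant returns for a normal value and for the two payloads."""
    conn = make_db()
    return {
        "normal": (lookup_vulnerable(conn, "bob"), lookup_safe(conn, "bob")),
        "tautology": (lookup_vulnerable(conn, TAUTOLOGY), lookup_safe(conn, TAUTOLOGY)),
        "union": (lookup_vulnerable(conn, UNION), lookup_safe(conn, UNION)),
    }


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:10} concatenated -> {vuln}   parameterized -> {safe}")
```

For the normal value both variants return bob's row. For the tautology payload the concatenated query returns every account while the parameterized one returns nothing, because it looks for an owner literally named `x' OR '1'='1`; the UNION payload likewise reads alice's and carol's balances only through the concatenated form. The concatenated form also breaks on legitimate input containing an apostrophe, which is the same defect seen from the functional side.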
Methods of identifying SQL attacks

Numerous methods can be applied to detect SQL injection attacks. One is an Intrusion Detection System (IDS) based on a machine learning technique and a set of typical application queries. The technique builds a model of typical queries and monitors the application at runtime to identify queries that do not match the model (Pietraszek and Vanden, 2). This gives the system the ability to detect attacks effectively, but learning-based techniques have a basic drawback: they offer no guarantee about their detection abilities. Detection depends on the quality of the training set, and a poor training set can lead the learning technique to generate large numbers of false positives and false negatives (Valeur, Mutz, and Vigna, 40).

Another way of detecting SQL injection attacks is the taint-based approach, which uses WebSSARI to detect input-validation errors through an analysis of information flow. This approach uses static analysis to check taint flows against preconditions for sensitive functions. The analysis detects the points that fail to meet the preconditions and suggests filters and sanitization functions to be added to the application so that the preconditions are satisfied. The WebSSARI system regards input as sanitized once it has passed through a predefined set of filters. In this way the system can detect vulnerabilities in the application, though it has the drawback of assuming that the preconditions for sensitive functions are adequate and are accurately expressed by the type system.
Another method is black box testing, which tests web applications for SQL injection vulnerabilities using a technique that applies a web crawler to identify the points an attacker could use. The method then builds attacks targeting those points, based on a list of attack patterns, while WAVE monitors the application's response to the attacks and uses machine learning techniques to improve the attack methodology. This improves on penetration testing by using machine learning to guide the testing, though its limitation is that testing techniques cannot guarantee completeness.

Another method is static code checking, which statically checks the correctness of dynamically generated SQL queries (Gould, Su and Devanbu, 654). The approach was developed to detect attacks that exploit type mismatches in the dynamically generated query string (Haldar, Chandra and Franz, 303). The checker traces the cause of SQL injection vulnerabilities to improper input checking in the code. Nevertheless, the system cannot detect general forms of SQLIA, since most attacks consist of queries that are syntactically and type-correct. A related approach combines static analysis with automated reasoning to verify that SQL queries generated by the application layer do not contain a tautology, though it is limited to detecting tautologies and not other forms of attack.

Methods of preventing SQL attacks

Several methods are used to prevent SQL attacks. One is the use of proxy filters, a system for enforcing input-validation rules on data flowing to a web application.
Developers provide constraints through the Security Policy Descriptor Language (SPDL), which specifies the transformations applied to the parameters flowing from a web page to the application server (Boyd and Keromytis, 292). This method allows developers to express their policies, since SPDL is highly expressive, though the approach is human-based defensive programming and so requires developers to identify the data that need filtering.

Another preventive method is combined static and dynamic analysis, through a model referred to as AMNESIA, a technique integrating static analysis and runtime monitoring. AMNESIA uses static analysis to build models of the different forms of query that an application can generate at each point of access to the database (Halfond and Orso, 174). At runtime it intercepts queries sent to the database and checks each query against the statically built model; queries that violate the model are identified and prevented from executing on the database. The constraint of this model is its dependence on the precision of the static analysis used to build the models.

Another preventive method is the new query development paradigms, which cover two recent approaches, SQL DOM and Safe Query Objects, that encapsulate database queries in a safe and reliable way of accessing the database. This method provides an effective way of avoiding SQL attacks by changing query construction from an unregulated process that uses string concatenation to a process that goes through a type-checked API (McClure and Krüger, 88).
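The two query-structure checks discussed above, the tautology-oriented static checker under the identification methods and the AMNESIA-style model matching under prevention, as an added example in Python (example code, not from the paper, from JDBC-Checker or from AMNESIA). One small tokenizer serves both: `has_tautology` splits the WHERE clause on top-level OR and evaluates any column-free disjunct with SQLite's own truth semantics, while `QueryModel` abstracts queries to a token shape and admits only runtime queries whose shape matches one derived from the application's templates. The login template, the runtime queries and the payloads are constructed, and the `?`-placeholder templates stand in for what AMNESIA derives by static analysis of the code.

```python
"""Two SQLIA checks on one SQL tokenizer (constructed example).
has_tautology(): WHERE clause with a constant-true OR-disjunct.
QueryModel: AMNESIA-style shape model from the application's own templates.
"""
import re
import sqlite3

# Order matters: comments and string literals must win over words/operators.
TOKEN_RE = re.compile(r"""
    (?P<COMMENT>--[^\n]*|/\*.*?\*/)
  | (?P<STRING>'(?:[^']|'')*')
  | (?P<NUMBER>\d+(?:\.\d+)?)
  | (?P<WORD>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<OP><>|<=|>=|!=|=|<|>|\|\|)
  | (?P<PUNCT>[(),;*.?])
  | (?P<WS>\s+)
  | (?P<OTHER>.)
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "LIKE", "IS", "NULL",
            "IN", "INSERT", "INTO", "VALUES", "UPDATE", "SET", "DELETE", "UNION",
            "ALL", "ORDER", "BY", "GROUP", "HAVING", "LIMIT"}
CONST_KEYWORDS = {"AND", "OR", "NOT", "LIKE", "IS", "NULL"}  # allowed in a constant expr


def tokenize(sql):
    """(kind, text) pairs; words become KEYWORD or IDENT, whitespace is dropped."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "WS":
            continue
        if kind == "WORD":
            kind = "KEYWORD" if text.upper() in KEYWORDS else "IDENT"
        tokens.append((kind, text))
    return tokens


def structure(tokens):
    """Shape of a query: literals and '?' placeholders collapse to LIT, all else is kept."""
    shape = []
    for kind, text in tokens:
        if kind in ("STRING", "NUMBER") or text == "?":
            shape.append("LIT")
        elif kind == "KEYWORD":
            shape.append(text.upper())
        else:  # identifiers, operators, punctuation and comments are structural
            shape.append(f"{kind}:{text.lower()}")
    return tuple(shape)


class QueryModel:
    """Set of shapes the application may issue; '?' templates stand in for static analysis."""

    def __init__(self, templates):
        self.shapes = {structure(tokenize(t)) for t in templates}

    def allows(self, runtime_sql):
        return structure(tokenize(runtime_sql)) in self.shapes


def where_clause(tokens):
    """Tokens after the first WHERE, up to a comment, ';' or a following clause keyword."""
    out, seen = [], False
    for kind, text in tokens:
        if not seen:
            seen = kind == "KEYWORD" and text.upper() == "WHERE"
            continue
        if kind == "COMMENT" or text == ";" or \
           (kind == "KEYWORD" and text.upper() in {"ORDER", "GROUP", "UNION", "LIMIT"}):
            break
        out.append((kind, text))
    return out


def disjuncts(tokens):
    """Split on OR at parenthesis depth 0."""
    parts, cur, depth = [], [], 0
    for kind, text in tokens:
        depth += (text == "(") - (text == ")")
        if depth == 0 and kind == "KEYWORD" and text.upper() == "OR":
            parts.append(cur)
            cur = []
        else:
            cur.append((kind, text))
    parts.append(cur)
    return parts


def constant_true(tokens):
    """True if the tokens are a column-free expression that SQL evaluates as true."""
    if not tokens:
        return False
    for kind, text in tokens:  # refuse anything but literals, operators and a few keywords
        if kind in ("IDENT", "COMMENT", "OTHER") or \
           (kind == "KEYWORD" and text.upper() not in CONST_KEYWORDS):
            return False
    expr = " ".join(text for _, text in tokens)
    try:  # SQL truth semantics: '1'='1' and 1 are true, the bare string 'abc' is false
        row = sqlite3.connect(":memory:").execute(
            f"SELECT CASE WHEN ({expr}) THEN 1 ELSE 0 END").fetchone()
    except sqlite3.Error:
        return False
    return row[0] == 1


def has_tautology(sql):
    return any(constant_true(d) for d in disjuncts(where_clause(tokenize(sql))))


# Constructed hotspot: the application's login query and three runtime instances.
LOGIN_TEMPLATE = "SELECT id FROM users WHERE name = ? AND pw = ?"
MODEL = QueryModel([LOGIN_TEMPLATE])
BENIGN = "SELECT id FROM users WHERE name = 'alice' AND pw = 's3cret'"
TAUTOLOGY = "SELECT id FROM users WHERE name = '' OR '1'='1' --' AND pw = 's3cret'"
UNION = "SELECT id FROM users WHERE name = 'x' UNION SELECT pw FROM users --' AND pw = 'y'"


def classify(sql):
    """(model allows it, tautology found) for one runtime query."""
    return MODEL.allows(sql), has_tautology(sql)


if __name__ == "__main__":
    for q in (BENIGN, TAUTOLOGY, UNION):
        print(classify(q), q)
```

Run stand-alone it prints an (allowed, tautology) verdict per query: the benign login is allowed and clean, the tautology payload is rejected by the model and also flagged by the tautology check, and the UNION payload is rejected by the model but not flagged by the tautology check, which is the limitation the text attributes to tautology-only checkers. The model is only as good as its templates; a template missing from the set causes false rejections, which is the dependence on static-analysis precision noted for AMNESIA.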
The query-object approach therefore allows systematic application of best coding practices such as filtering and checking user input; changing the development paradigm used to create SQL queries can eliminate the coding practices that lead to SQLIA vulnerabilities. Nevertheless, this method has the drawback of requiring developers to learn and apply a new programming paradigm or query development process. Consequently, because it relies on a new development process, it offers no protection for legacy systems.

Conclusion

In conclusion, the paper has explored issues related to the detection and prevention of SQL injection attacks, identifying and discussing several methods aimed at detecting or preventing the attacks. Most of the methods discussed are commonly used by organizations such as commercial and governmental institutions, which are more exposed to the risk of SQL attacks; hence the paper has met the objective set by the thesis statement at the beginning.

Works Cited

Boyd, Stephen, and Angelos Keromytis. "SQLrand: Preventing SQL Injection Attacks." Proc. of the 2nd Applied Cryptography and Network Security Conf. (ACNS 2004), Jun. 2004, pp. 292–302.
Gould, Carl, Zhendong Su, and Premkumar Devanbu. "Static Checking of Dynamically Generated Queries in Database Applications." Proc. of the 26th Intern. Conf. on Software Engineering (ICSE 2004), May 2004, pp. 645–654.
Haldar, Vivek, Deepak Chandra, and Michael Franz. "Dynamic Taint Propagation for Java." Proc. of the 21st Annual Computer Security Applications Conf. (ACSAC 2005), Dec. 2005, pp. 303–311.
Halfond, William, and Alessandro Orso. "AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks." Proc. of the IEEE and ACM Intern. Conf. on Automated Software Engineering (ASE 2005), Nov. 2005, pp. 174–183.
Huang, Yao-Wen, Fang Yu, Christian Hang, and Chung-Hung Tsai. "Web Application Security Assessment by Fault Injection and Behavior Monitoring." Proc. of the 12th Intern. World Wide Web Conf. (WWW 2003), May 2003, pp. 148–159.
McClure, Russell, and Ingolf Krüger. "SQL DOM: Compile Time Checking of Dynamic SQL Statements." Proc. of the 27th Intern. Conf. on Software Engineering (ICSE 2005), May 2005, pp. 88–96.
Pietraszek, Tadeusz, and Chris Vanden. "Defending Against Injection Attacks through Context-Sensitive String Evaluation." Proc. of Recent Advances in Intrusion Detection (RAID 2005), Sep. 2005.
Valeur, Fredrik, Darren Mutz, and Giovanni Vigna. "A Learning-Based Approach to the Detection of SQL Attacks." Proc. of the Conf. on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA 2005), Jul. 2005.
Wassermann, Gary, and Zhendong Su. "An Analysis Framework for Security in Web Applications." Proc. of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), Oct. 2004, pp. 70–78.