Presented to: Prof. B.N. Roy
Presented by: Nilesh Kunhare (092112211)

1. Introduction

Web Security

Nowadays many activities are carried out through dynamic web applications. Private information must be kept secret, and its confidentiality and integrity must be provided by the developer of the web application; unfortunately, there is no guarantee that the underlying databases are protected from current attacks.

Web Security

Web applications are often vulnerable to attacks through which attackers easily intrude into the application's underlying database.

95% of web apps have vulnerabilities:
- Cross-site scripting (80%)
- SQL injection (62%)
- Parameter tampering (60%)
- Cookie poisoning (37%)
- Database server (33%)
- Web server (23%)
- Buffer overflow (19%)

OWASP (Open Web Application Security Project) Top 10 Web Application Security Vulnerabilities

1. Unvalidated input
2. Broken access control
3. Broken account/session management
4. Cross-site scripting (XSS) flaws
5. Buffer overflows
6. Injection flaws
7. Improper error handling
8. Insecure storage
9. Denial of service
10. Insecure configuration management
The Pre-Thesis work is organized as follows:

- Section 2: Definition of SQL Injection Attack through an example.
- Section 3: Different SQLI attack types.
- Section 4: Second Order Code Injection Attack.
- Section 5: Review of current techniques against SQLI.
- Section 6: Evaluation of SQL Injection detection and/or prevention approaches against SQLIAs.
- Section 7: Conclusion and Future Work.
- Section 8: References.

Section 2: Definition of SQL Injection Attack

SQL Injection Attack

Definition: SQL injection is a type of attack in which the attacker adds Structured Query Language code to an input box of a web form to gain access to data or to make changes to it. A SQL injection vulnerability allows an attacker to pass commands directly to a web application's underlying database and destroy functionality or confidentiality.

What is a SQL Injection Attack?

- Many web applications take user input from a form.
- Often this user input is used literally in the construction of a SQL query submitted to a database. For example:

    SELECT productdata FROM table WHERE productname = '<user input>'

- A SQL injection attack involves placing SQL statements in the user input.

An Example SQL Injection Attack

Product Search: [attacker-supplied value; garbled in the source]

- This input is put directly into the SQL statement within the Web application:

    $query = "SELECT prodinfo FROM prodtable WHERE prodname = '" . $_POST['prod_search'] . "'";

- This creates the following SQL:

    SELECT prodinfo FROM prodtable WHERE prodname = '<injected value; garbled in the source>'

- The attacker has now successfully caused the entire database to be returned.
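The slide's PHP builds the query by string concatenation, so a form value containing a quote character becomes part of the SQL grammar rather than part of the compared value. The following added example (not code from the presentation) reproduces that defect in Python against an in-memory SQLite table with constructed sample rows, runs the always-true input that Section 3 calls a tautology through it, and shows the parameterized form that the slide's code should have used. The table name and rows are assumptions of the example.

```python
import sqlite3

def build_product_db():
    # Constructed sample rows standing in for the slide's "prodtable".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prodtable (prodname TEXT, prodinfo TEXT)")
    conn.executemany(
        "INSERT INTO prodtable VALUES (?, ?)",
        [("widget", "blue widget"), ("gadget", "small gadget"), ("gizmo", "spare gizmo")],
    )
    return conn

def search_vulnerable(conn, prod_search):
    # Same defect as the slide's PHP: the raw form value is spliced into the
    # statement text, so quotes in the value are parsed as SQL.
    query = "SELECT prodinfo FROM prodtable WHERE prodname = '" + prod_search + "'"
    return [row[0] for row in conn.execute(query)]

def search_parameterized(conn, prod_search):
    # Fix: the value is bound as a parameter. The statement structure is fixed
    # before the value is seen, so the value is only ever compared, never parsed.
    query = "SELECT prodinfo FROM prodtable WHERE prodname = ?"
    return [row[0] for row in conn.execute(query, (prod_search,))]

if __name__ == "__main__":
    conn = build_product_db()
    honest = "widget"
    tautology = "x' OR 'x'='x"   # constructed always-true input (Section 3, "Tautologies")
    print(search_vulnerable(conn, honest))        # ['blue widget']
    print(search_vulnerable(conn, tautology))     # ['blue widget', 'small gadget', 'spare gizmo']
    print(search_parameterized(conn, tautology))  # []
```

With the concatenated query the WHERE clause becomes `prodname = 'x' OR 'x'='x'`, which is true for every row, exactly the "entire database returned" outcome the slide describes; with a bound parameter the same string is simply a product name that does not exist.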
Section 3: Different SQLI Attack Types

SQL INJECTION ATTACK TYPES

There are different methods of attack which, depending on the goal of the attacker, are performed together or sequentially.

1. Tautologies: This type of attack injects SQL tokens into the conditional query statement so that it is always evaluated as true (by exploiting a vulnerable input field that is used in a WHERE clause).
2. Illegal/Logically Incorrect Queries: Finding vulnerabilities through error messages.
3. Union Query: By this technique, attackers join an injected query to the safe query with the keyword UNION and can then get data from other tables of the application.
4. Piggy-backed Queries: In this type of attack, intruders exploit the database through the query delimiter, such as ";", to append an extra query to the original query.


SQL INJECTION ATTACK TYPES (contd.)

5. Stored Procedure: A stored procedure is a part of the database by which the programmer can set an extra abstraction layer on the database.
6. Inference: By this type of attack, intruders change the behavior of a database or application.
   (a) Blind injection: stealing data by asking a series of true/false questions through SQL statements.
   (b) Timing attacks: observing timing delays in the database's responses.
7. Alternate Encodings: modifying the injection query by using alternate encodings, such as hexadecimal, ASCII, and Unicode. In this way attackers can escape the developer's filter, which scans input queries for specific known "bad characters".

Section 4: Second Order Code Injection Attack

Second Order Code Injection Attack

- A second-order code injection attack can be classified as the process in which malicious code is injected into a web-based application and not immediately executed, but instead is stored by the application (e.g. temporarily cached, logged, stored in a database) and then later retrieved, rendered and executed by the victim.
- In a web environment it may be possible for an attacker to inject malicious code into a data storage area of a vulnerable site that may be executed at a later date or time. Depending upon the nature of the application and the way the malicious data is stored or rendered, the attacker may be able to conduct a second-order code injection attack.
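The point of the second-order case is that the injected text is stored correctly and only becomes dangerous when a later feature trusts it as "already in the database". The following added example (not from the presentation) illustrates this in Python with an in-memory SQLite users table: registration is properly parameterized, but a later password-change routine reads the stored username back and concatenates it into an UPDATE. The table layout, the account names and the password-change flow are assumptions of the example; the stored value is the same always-true tautology used in Section 3.

```python
import sqlite3

def build_user_db():
    # Constructed sample data: one pre-existing privileged account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin-secret')")
    return conn

def register(conn, username, password):
    # First-order path is handled correctly: the INSERT is parameterized, so a
    # username containing quotes or keywords is stored verbatim and harmlessly.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def stored_username(conn, username):
    row = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

def change_password_vulnerable(conn, username, new_password):
    # Second-order defect: the username comes back out of the database and,
    # being "already stored", is trusted and concatenated into the UPDATE.
    name = stored_username(conn, username)
    conn.execute("UPDATE users SET password = '" + new_password
                 + "' WHERE username = '" + name + "'")

def change_password_fixed(conn, username, new_password):
    # Data read from the database is still data: bind it like any other input.
    name = stored_username(conn, username)
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, name))

def password_of(conn, username):
    return conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]

if __name__ == "__main__":
    conn = build_user_db()
    register(conn, "x' OR 'x'='x", "whatever")          # stored safely at registration time
    change_password_fixed(conn, "x' OR 'x'='x", "new-pw")
    print(password_of(conn, "admin"))                     # admin-secret (untouched)
    change_password_vulnerable(conn, "x' OR 'x'='x", "pwned")
    print(password_of(conn, "admin"))                     # pwned: the WHERE clause matched every row
```

The fixed routine differs from the vulnerable one only in binding the value it read back; nothing about the registration step had to change. That is the practical lesson of the Class 3 and Class 4 categories below: a value being in the database says nothing about whether it is safe to splice into another statement.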

Categorizing Second-Order Code Insertion

- Class 1: Frequency-based Primary Application
- Class 2: Frequency-based Secondary Application
- Class 3: Secondary Support Application
- Class 4: Cascaded Submission Application

Categorizing Second-Order Code Insertion

Class 1: Frequency-based Primary Application

This class includes applications that present re-processed client requests using statistical frequency models. Examples include application functionality that provides a "top 10 most searched items" list.
(Target: Primary Applications)
Example: Shared Search Criteria

Categorizing Second-Order Code Insertion

Class 2: Frequency-based Secondary Application

This class includes applications that did not initially receive the injected code, but instead process submissions from another application and present this material for statistical review.
(Target: System Administrators)
Example: Website Statistics


Categorizing Second-Order Code Insertion

Class 3: Secondary Support Application

This class includes applications used to internally support primary applications. These secondary support applications typically view or manipulate information obtained by the primary application, and often trust the data to be secure or already sanitized.
(Target: Internal Application Users)
Example: Customer Services


Categorizing Second-Order Code Insertion

Class 4: Cascaded Submission Application

This class includes applications (or critical application components) that make use of multiple client submissions within a single processing statement. For example, this may include applications that require visitors to create a user account that includes address information.
(Target: Backend Database Resources)
Example: Second Order SQL Injection

Section 5: Review of Current Techniques against SQLI

Code Injection Attack: Detection and Prevention Techniques

- WAVES, a black-box technique
- JDBC-Checker
- Tautology Checker
- SAFELI
- CANDID
- SQLGuard and SQLCheck queries
- AMNESIA
- WebSSARI
- Livshits and Lam [27] use static analysis techniques to detect vulnerabilities in software.
- Java Dynamic Tainting and SecuriFly is another tool.
- IDS: use an Intrusion Detection System (IDS) to detect SQLIAs.
- SQLPrevent
- Swaddler
- SQLrand
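Several of the runtime techniques listed above (the query-model approach of AMNESIA and the parse-structure checks of SQLGuard and SQLCheck among them) share one underlying idea: honest input only changes the literal values in a query, whereas an injection changes the query's structure. The following added example (not the code of any listed tool, and a deliberate simplification of them) shows that idea in Python with a toy tokenizer: the developer's intended statement, with any benign sample value in the literal position, is reduced to a token shape, the runtime statement is reduced the same way, and the query is blocked if the shapes differ. The tokenizer, the `INTENDED` template and the `check_search` wrapper are assumptions of the example.

```python
import re

# Toy tokenizer (an assumption of this example, not a real SQL parser): string
# and numeric literals, identifiers/keywords, and single punctuation characters.
TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'          # single-quoted string literal ('' is an escaped quote)
  | \d+(?:\.\d+)?           # numeric literal
  | [A-Za-z_][A-Za-z0-9_]*  # identifier or keyword
  | \S                      # any other single non-space character
""", re.VERBOSE)

def structure(sql):
    """Reduce a statement to its shape: literals become <lit>, other tokens are upper-cased."""
    shape = []
    for tok in TOKEN_RE.findall(sql):
        if tok[0] == "'" or tok[0].isdigit():
            shape.append("<lit>")
        else:
            shape.append(tok.upper())
    return shape

def is_injected(intended_sql, runtime_sql):
    """Flag a runtime query whose shape differs from the developer's intended query.

    intended_sql is the developer's statement with any benign sample value in the
    literal positions; honest input only changes literals, injection adds tokens."""
    return structure(intended_sql) != structure(runtime_sql)

# The developer's intent for the product-search query of Section 2 (assumed).
INTENDED = "SELECT prodinfo FROM prodtable WHERE prodname = 'sample'"

def check_search(prod_search):
    # Build the query the way the vulnerable slide does, then gate it on structure
    # before it would reach the database.
    runtime = "SELECT prodinfo FROM prodtable WHERE prodname = '" + prod_search + "'"
    return "blocked" if is_injected(INTENDED, runtime) else "allowed"

if __name__ == "__main__":
    print(check_search("widget"))         # allowed: only the literal changed
    print(check_search("x' OR 'x'='x"))   # blocked: extra OR / = / literal tokens appeared
```

A value containing a properly escaped quote (`O''Reilly`) still tokenizes as one literal and is allowed, while an unescaped quote produces a malformed statement whose shape no longer matches and is refused. The toy tokenizer knows nothing about comments, alternate encodings (Section 3, type 7) or dialect-specific syntax, which is precisely the kind of limitation that makes the real tools in the list above partial against some attack types in the evaluation that follows.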
Section 6: Evaluation of Detection and/or Prevention Approaches against SQLIAs

Evaluation

The detection or prevention techniques presented in Section IV are compared. The attack types which each technique is able to address are considered.

The proposed techniques were compared to assess whether each was capable of addressing the different attack types presented in Section III.

Table 1 summarizes the results of this comparison.

The symbol "." is used for a technique that can successfully stop all attacks of that type.
The symbol "-" is used for a technique that is not able to stop attacks of that type.
The symbol "0" refers to a technique that stops the attack type only partially, because of natural limitations of the underlying approach.

Table 2 illustrates the addressing percentage of SQL Injection attacks among SQL Injection detection or prevention techniques. The percentage of techniques that stop Tautology is calculated using this formula:

    (Number of techniques that can stop Tautology / Total number of techniques) * 100
    = 14/23 * 100 = 61

Section 7: Conclusion and Future Work

Conclusion and Future Work

In this presentation we first identified the various types of SQLIAs. Then we investigated SQL injection detection and prevention techniques. After that, we compared these techniques in terms of their ability to stop SQLIAs.
In our future work we will develop techniques to prevent and detect the vulnerabilities present in web-based applications as a tool, then compare effectiveness, efficiency, stability, flexibility and performance to show the strengths and weaknesses of the tool, while also providing confidentiality and integrity to the applications.

Thank You!!!
