Detecting SQL Injection Attacks: A Thesis, Thesis of Web Programming and Technologies

This thesis explores SQL injection attacks, their impact, and methods to detect them. SQL injection is a growing problem, with attacks becoming more sophisticated. It covers the aim of the project, SQL injection basics, and recent examples. It also provides code snippets and explains how to create databases and store user information. The thesis concludes by proposing an intrusion detection system.

Typology: Thesis

2019/2020

Uploaded on 07/22/2020

faisalmahmood

IN THE NAME OF ALLAH THE MOST BENEFICENT AND THE MOST MERCIFUL.

Project Title

Implementation of Intrusion Detection System using Java.

Project Supervisor

Dr. Kashif (PHD in Malaysia)

IMPLEMENTATION OF INTRUSION DETECTION SYSTEM USING JAVA

CERTIFICATE

This is to certify that the thesis/project titled “Implementation of Intrusion Detection System using Java”, undertaken by the following students, has been found satisfactory, in partial fulfillment of the requirements for the degree of B.Sc. Computer Engineering.

Completed By:

Muhammad Noman 2014 - CPE- 15

Muhammad Amjad 2014 - CPE- 08

Supervised by

Dr. Kashif

Head of Department

Dr. Imran Malik


Dedication

This project is dedicated to The Planner, The Creator of the entire Universe, The Merciful ALLAH, and his loving messenger Hazrat Muhammad (Peace Be Upon Him). ALLAH has given me the power to perform this task and facilitated every possible means to complete this project.

This project is also dedicated to the love and support of my brother and Dr. Kashif, who encouraged me to complete this project.

Abstract

With rapid improvements in data transfer speeds over the last two decades, the Internet has become a major opportunity for enterprises to advertise themselves and to maintain their data safely on servers to make it more accessible. With the improvement in Internet technologies, malicious activities are a threat to enterprises trying to maintain the integrity of their data. The purpose of this thesis is to capture the data flowing in a network and to analyze it to find malicious packets carrying SQL injection attacks. It aims to detect these attacks because the attacker can compromise a server simply by using a web browser, and can cause severe damage such as losing data from a database or even changing its values. The literature review section shows that previous methods of detection have used anomaly detection, whereas this thesis uses a novel metric-based system, which measures the threat level of a URL. In creating a prototype of the system, an application was created to detect malicious packets using the Java language with Oracle JDeveloper Studio. This application was developed based on the idea of capturing the packets and comparing them against the malicious keywords that are used for SQL injection attacks. The keywords, such as SELECT, DELETE, OR, and FROM, are assigned a malicious metric value, along with possible threats in the URL from certain characters, such as '=' and a single quote character.

Table of Contents

  • Abstract
  • Chapter no. 1 Introduction
  • Introduction
  • 1.1 Intrusion Detection System
  • 1.2 Using web application Hotel Management
  • 1.3 Context
  • 1.3.1 Aim
  • 1.3.2 Background
  • 1.4 Thesis layout
  • Chapter no. 2 Background
  • 2.1 Introduction
  • 2.2 TCP/IP
  • 2.3 HTTP Protocol
  • 2.4 Database
  • 2.5 Structured query language (SQL)
  • 2.6 Database administration
  • 2.7 WinPcap
  • 2.8 Conclusions
  • Chapter no. 3 Design
  • 3.1 Introduction
  • 3.2 Outline of SQL injection
  • 3.3 Recent Examples of SQL Injection attacks
  • 3.4 Web Application Processing
  • 3.5 SQL Injection Types
  • 3.5.1 SQL Manipulation
  • 3.5.2 Code Injection
  • 3.5.3 Function Call Injection
  • 3.5.4 Buffer overflow
  • 3.6 Existing Technologies to stop SQL Injection
  • 3.6.1 Defensive Programming
  • 3.6.2 Anomaly Detection
  • 3.7 Simple SQL Injection Attack by Example
  • 3.8 Conclusion
  • Chapter no. 4 Implementation
  • 4.1 Introduction
  • 4.2 Design Considerations
  • 4.3 IDS Design
  • 4.3.1 Design Pre-requisites
  • 4.3.2 SQL Keywords
  • 4.4 Programming
  • 4.4.1 Getting Network device List
  • 4.4.2 On Packet Arrival
  • 4.4.3 Capture the URL String
  • 4.4.4 Comparing The URL string words
  • 4.4.5 The application location
  • 4.5 Conclusions
  • Chapter no. 5 Evaluation
  • 5.1 Introduction
  • 5.2 Application Evaluation
  • 5.2.1 Example1
  • 5.2.2 Example
  • 5.3 Alerts
  • 5.4 Conclusions
  • Chapter no. 6 Conclusion
  • 6.1 Critical Analysis
  • 6.2 Future Work
  • 6.3 Final Words
  • 7 References

Chapter No. 1 INTRODUCTION

  • Set expectations for IDS products accordingly
  • Propose a process for evaluating and selecting an intrusion detection system. The process begins with policy and moves through evaluation, selection, and implementation of various types of intrusion detection tools.
  • Provide a good deal of common sense advice about intrusion detection and incident handling
  • Examine many of the common myths of the industry
  • Offer case studies to describe tools in action

For anyone interested in the intrusion detection market space, the IDC Market Report section in Part II summarizes an extensive market research report from International Data Corp.

Technology Overview:

The goal of an intrusion detection system is to provide an indication of a potential or real attack. An attack or intrusion is a transient event, whereas a vulnerability represents an exposure, which carries the potential for an attack or intrusion. The difference between an attack and a vulnerability, then, is that an attack exists at a particular time, while a vulnerability exists independently of the time of observation. Another way to think of this is that an attack is an attempt to exploit a vulnerability (or, in some cases, a perceived vulnerability). This leads us to categorize various types of intrusion detection systems. Figure 1 demonstrates the difference between vulnerability scanners and intrusion detection systems. Vulnerability scanning is less time critical than intrusion detection. Subsequently, the deployment of each technology can vary inside organizations. Figure 2 maps IDS types onto the technology landscape of Figure 1. There are five different categories of IDS covered in this guide. Not all of these categories represent “classical intrusion detection” but they play a role in the overall goal of detecting or preventing intrusions on a corporate network. The categories are:

  • Network Based Intrusion Detection System
  • Host Based Intrusion Detection System
  • File Integrity Checker
  • Network Vulnerability Scanner
  • Host Vulnerability Scanner

Figure 1. As shown here, IDS products can be categorized as either preventive or responsive. They can also be categorized according to their emphasis on either system or network scanning.

The IDS tools covered in this guide fall into two technology categories: intrusion detection systems and vulnerability scanners. We can further decompose these two categories into host and network-based systems. As shown in Figure 2, vulnerability scanners can be run at any time because we assume that a vulnerability exists until repaired. An intrusion, on the other hand, exploits a specific vulnerability and must be detected as soon as possible after it starts. For this reason, intrusion detection tools must run more frequently than vulnerability scanners. This is why most IDS vendors attempt to make their intrusion detection tools work in real-time.

intrusion detection system. A statistical analysis system builds statistical models of the environment, such as the average length of a telnet session, then looks for deviations from “normal”. After over 10 years of government research, some products are just beginning to incorporate this technology into marketable products. The adaptive systems start with generalized rules for the environment, then learn, or adapt to, local conditions that would otherwise be unusual. After the initial learning period, the system understands how people interact with the environment, and then warns operators about unusual activities. There is a considerable amount of active research in this area.

You should keep in mind that any IDS will both miss some kinds of suspicious activity (false negatives) and signal alarms when there is nothing wrong (false positives). This is why organizations must have a strong human process that interacts with the IDS to evaluate the operating environment. The machine intelligence of most intrusion detection systems is still evolving, though current research is working to improve this. Remember, when reading these sections, that the discussion deals with generalizations. Each specific product has strengths and weaknesses, and some tools use multiple technologies to accomplish their goals. For example, a system may use both signature and statistical logic.

Network IDS:

The network IDS usually has two logical components: the sensor and the management station. The sensor sits on a network segment, monitoring it for suspicious traffic. The management station receives alarms from the sensor(s) and displays them to an operator. The sensors are usually dedicated systems that exist only to monitor the network. They have a network interface in promiscuous mode, which means they receive all network traffic, not just that destined for their IP address, and they capture passing network traffic for analysis. If they detect something that looks unusual, they pass it back to the analysis station. The analysis station can display the alarms or do additional analysis. Some displays are simply an interface to a network management tool, like HP Openview, but some are custom GUIs designed to help the operator analyze the problem.

Figure 3. This diagram shows placement of a traditional network based IDS with two sensors on separate network segments that communicate with a monitoring station on the internal network.

Host IDS:

The host-based IDS looks for signs of intrusion on the local host system. These frequently use the host system’s audit and logging mechanism as a source of information for analysis. They look for unusual activity that is confined to the local host such as logins, improper file access, unapproved privilege escalation, or alterations on system privileges. This IDS architecture generally uses rule-based engines for analyzing activity; an example of such a rule might be, “superuser privilege can only be attained through the su command.” Therefore successive login attempts to the root account might be considered an attack.

1.2 Using web application Hotel Management

Standard booking processes:

Phase 1 - Search and evaluation

[A] Date / city entry, select hotel and rate on consecutive screens

Multi-room and uneven occupancy level reservations

In section 4.3 we introduced the requirement for a travel website to handle different styles of multi-room reservation. They include:

  • one room for two adults
  • one room for one adult
  • two rooms, both with two adults (same room type / rate, same occupancy level)
  • two rooms, both with one adult (same room type / rate, same occupancy level)
  • two rooms, one with two adults, one with one adult (same room type / rate, different occupancy level)
  • two rooms with two adults in each, one a superior double, one a standard double (different room / rate type, same occupancy level).

The key points are:

  • Ensure that all combinations can be booked and, if they can’t, inform the user that they can’t
  • Let users select multiple rooms on all booking pages, not just on an advanced search option
  • When users select multi-rooms and occupancy levels at the start of the booking process, make sure the correct rates (taking occupancy into account) can subsequently be shown.

1.3 Context

Many organizations invest large amounts of money to secure the data of their consumers. If an organization loses its customers' data, such as a credit card number or identity details, the organization is likely to lose its customers, as happened with TkMaxx (IT ProA, 2008). Thus, it is important for organizations to take care of their customers' data and to maintain the company profile properly. Organizations normally store their customers' and employees' profiles in databases, so it is important for the organization to protect the database from all possible attacks. With an SQL injection attack, the intruder can construct a malicious URL which contains SQL keywords to attack the database. This is typically possible when the middleware has not properly checked the incoming URL. SQL injection is thus a type of attack that the administrator cannot identify easily, until the administrator receives mail from the consumers saying that their credit card details are in non-legitimate hands because of the poor database structure of the organization. This is a growing problem: in the first six months of 2008, IT Pro highlighted a massive increase in SQL injection attacks. They highlight that Microsoft was responsible for a large-scale attack on 500,000 web servers which involved an SQL injection attack. Other attacks in 2008 have included the NHS and the UN. Tools such as RealPlayer have also been used as an agent of these attacks. A headline figure is that one page is compromised every five seconds on the Internet (IT ProB, 2008).

Autoweb.co.uk, a U.K.-based advertising and marketing website, was attacked by SQL injection in May 2008. The attack was carried out by injecting 30 characters to overwrite the comments, through which the attacker was able to gain access over the Microsoft SQL database (Network World, 2008). Databases store important information related to the organization, such as consumer credit card numbers and the usernames and passwords of employees and consumers, so it is important for the company to protect the database. If the database is attacked, all the information in it can be lost, which results in a big loss to the organization and also to its customers. It is thus important to protect the data that is stored in databases. In the coming sections we evaluate how databases work, how an intruder can attack them, and the types of attack that a hacker can carry out on them. By evaluating these strategies, this thesis produces a solution to reduce these attacks on databases.

“Whatever can go wrong Will Go wrong and at the worst possible time in the Worst possible way.” (Murphy’s Law)

1.3.1 Aim

The aim of this project is to detect SQL injection attacks that an intruder attempts against the database while the code is running as part of the executing application. It includes a number of objectives:

  • Review the database structure.
  • Review the types of attacks that can be done on the databases.
  • Review how the SQL injection attacks can be done practically.
  • Develop an application that can detect the SQL injection attacks.
  • Perform an evaluation of the application.
  • Propose future developments that can be implemented in the application.
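The metric-based detection outlined in the abstract can be sketched as follows. This is an added example in Python, not the thesis's Java code: the weights, the alert threshold, the function names and the sample URLs are all assumptions, since this page gives the keyword list but no metric values.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed weights: the abstract names these tokens but gives no values here.
KEYWORD_WEIGHTS = {"select": 3, "delete": 4, "from": 2, "or": 1}
CHAR_WEIGHTS = {"'": 3, "=": 2}
ALERT_THRESHOLD = 6  # assumed cut-off for raising an alert
WORD = re.compile(r"[a-z_]+")


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%2527 -> %27 -> ') before scoring."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def score_url(url):
    """Return (score, hits) computed over the URL's query-string values."""
    score, hits = 0, {}
    # parse_qsl splits each pair on the first '=' and decodes the value once,
    # so the ordinary name=value separator is never counted as a threat.
    for _name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = fully_decode(raw).lower()
        # Whole-word match: "orlando" must not count as the keyword "or".
        for word in WORD.findall(value):
            if word in KEYWORD_WEIGHTS:
                hits[word] = hits.get(word, 0) + 1
                score += KEYWORD_WEIGHTS[word]
        for char, weight in CHAR_WEIGHTS.items():
            count = value.count(char)
            if count:
                hits[char] = hits.get(char, 0) + count
                score += weight * count
    return score, hits


def is_suspicious(url):
    """True when the URL's threat metric reaches the alert threshold."""
    return score_url(url)[0] >= ALERT_THRESHOLD


# Constructed sample URLs (hotel.example is a placeholder host).
SAMPLES = [
    "http://hotel.example/rooms?city=Orlando&sort=price",
    "http://hotel.example/search?q=flights+from+rome+or+milan",
    "http://hotel.example/login?id=1%27%20OR%20%271%27%3D%271",
    "http://hotel.example/book?item=5%3BDELETE+FROM+users",
    "http://hotel.example/login?id=1%2527%2520OR%25201%253D1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        total, found = score_url(sample)
        print(total, "ALERT" if is_suspicious(sample) else "ok", found, sample)
```

The second sample shows why a threshold is needed: an ordinary search phrase containing "from" and "or" scores above zero, so the cut-off trades false positives against false negatives.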

1.3.2 Background

The Internet has become an integral part of human life, and many enterprises depend on it in different ways, such as storing employee profiles, accessing files on remote servers and maintaining user information. The Internet is also an inexpensive solution for enterprises to maintain a wide area network, and individuals use the Internet for many other purposes such as shopping, meeting friends and reading news. Due to the rapid developments in Internet transfer speeds and flexibility, dependence on web applications has increased a lot. Because of the extensive use of the Internet in day-to-day life, it has become easier for hackers to attack personal computers and to steal identity information such as credit cards and personnel files.