SQL Injection Attacks: Detection and Prevention in Web Applications, Assignments of Research Methodology


Typology: Assignments

2020/2021

Uploaded on 06/16/2021

saleh-muataz

INDIVIDUAL ASSIGNMENT
CT098-3-2-RMCT
RESEARCH METHODS FOR COMPUTING AND TECHNOLOGY
NAME:
STUDENT ID:
INTAKE:
TITLE: “The Development of a Secured MyTravel Guide Application with the
Prevention of SQL Injection Attacks.”
LECTURE NAME:
HAND OUT DATE:
HAND IN DATE:


1. Introduction

Nowadays mobile devices play a huge role in our lives, are more present in our everyday lives than ever before, and have become an important factor in modern travel behavior because of how easy they make things for us. MyTravel Guide is a highly secured web and mobile based application designed for travelers, with the intent of making their journey overseas delightful, enjoyable and satisfying. The application lets users plan a trip with its various features without going to online travel agencies. It helps in making hotel reservations and keeps the user updated with flight and weather details. It is distinct from other travel applications in that it offers multiple features to its users at the same time. One of its features is that individuals can automatically find nearby tourist attractions in a country when they arrive there. With the navigation option in the app, using GPS, they can also see route planning for traveling by foot, car or public transportation. Another exceptional feature is PackPoint, a packing list organizer that helps in organizing what you need to pack in your luggage and suitcase based on how long your trip will take, the weather at your destination, or any other activities you plan to do during your trip. Individuals can also access an emergency hotline feature in the app, which lets them view the rules and regulations of the places they are visiting plus all emergency numbers of the respective countries. Users need to register to access the exclusive features of this app. MyTravel Guide has really high security, where users' personal data such as name, email, phone number, credit card number and trip details are confidential and protected. These days, trade in products and services is carried out on the web through e-commerce.
In the course of e-commerce, crucial business transactions are carried out which involve individuals' personal information (Patil, 2017). However, there are many types of attacks on applications that can expose users' data. One of the common types of web application attack that targets databases is SQL injection. An organization's database servers are often the primary targets of external and internal attackers (Lazar and Erez, 2018). In this context, MyTravel Guide App is protected against all those attacks, specifically SQL injection attacks, and ensures all user personal information is highly safe and secure.

2. Problem Statement

Applications are becoming an indispensable part of e-commerce. Most of the time when travelers schedule their trips, they need to use multiple applications such as flight booking apps, trip advisor apps and navigation apps. On the other hand, there is no such app that brings together all of these capabilities and also makes sure that users have gathered everything needed in their luggage. Therefore, MyTravel Guide App provides a solution for all these human errors and problems. Nowadays, web apps are not well protected against SQL injection attacks, which makes it easier for attackers to compromise the database; the consequences of these attacks include identity theft, loss of private data and scams. Customers have security concerns about personal information such as credit card details. As a matter of fact, hackers can easily use an SQL injection vulnerability to take control of and corrupt the system that hosts the web app.

3. Problem Background

A lot of people use and trust web apps for performing numerous daily activities. Web services and applications have developed a new landmark of information sharing which has increased the productivity of e-business (Esripress, 2017). The growing popularity of web applications has led to a tremendous increase in the number of cyber-threats. Web application security protects the confidentiality, integrity and availability of resources such as personal information and databases from being attacked in cyberspace (Razzaq et al., 2014). An investigation performed by Gartner Group on more than three hundred Internet web apps found that most web apps are not well protected against SQL injection attacks (Singh, 2016). Credit card information of more than half a million people was stolen, and over 9,000 of these credit cards were used repeatedly after being stolen between July and October 2013 (Walters, 2014). An appropriate contribution of information and communication technologies (ICTs) in the tourism sector can improve social and economic impacts, from individuals and organizations to countries, so that they develop and benefit. The key element of competitiveness

take note that the username and password used for login are crafted by hackers (Appelt et al., 2014). SQL injection commands continue to be discovered on a large scale and their effects on databases are enormous (Zhang et al., 2015). To prevent a database system from being affected by SQLIA, the following frameworks can be considered or deployed. According to Dimitris Geneiatakis (2015), the first approach to preventing SQL injection attacks is randomization, which is known as the most common countermeasure, because the attacker inserts input at a point that reaches the database and initiates other attacks through it; randomization is therefore regarded as an effective solution to avoid SQL injection attacks. A framework based on randomization is proposed, which has three core components: "1) Identification of SQL statements, 2) SQL randomization, 3) The run time enforcement". The first component makes some amendments in the current Server-Side Script (SSS); the SSS is available with a meta-compiler to check that all SQL statements are included in it. Once the statements are identified, they are passed through a function that changes them into a "Normal SQL Statement"; otherwise the statements are not executed. The run time enforcement functionality ensures that no access to the database source code is required (Geneiatakis, 2015).

In the paper by Som et al. (2016), two types of approach are discussed, the static approach and the dynamic approach, to detect and prevent SQL injection attacks, and two security mechanisms are proposed: a frontend phase and a backend phase. In the frontend phase, the researchers amend the current client table with a final hash code. The current client table for login verification requires the client name and secret key, while the frontend phase verifies a valid client by client name, secret key and the final hash code that was generated during that client's registration.
Table 5.1 below shows how the client table will look:

Table 5.1: Client Table
Client    Secret Key   Final Hash Code
Mika      Mika233      32SDFGHSHDH4T
Chamkey   Ch123mk      2343J234HJHJ23J

In the backend phase, SQLIA would be detected and prevented by a tokenization method and the Advanced Encryption Standard (AES) algorithm. The tokenization method turns the input query into tokens, stores them in a dynamic table and encrypts it with the AES algorithm. The encrypted query is then passed to the server side, where it is decrypted and the dynamic table is compared with the other dynamic tables. If it is found to match any table, it is considered a non-injected query and the output is shown; otherwise an error message is shown to the user stating that the username or password is incorrect.

Figure 5.1: Architecture of Proposed Framework (Som et al., 2016)

A similar approach is proposed by Kalsi and Kaur (2015), who also suggest the two approaches discussed earlier, static and dynamic, and propose two phases for detection and prevention: a static phase and a dynamic phase, where both phases work differently from the approach already discussed. For the static phase, a pattern matching algorithm is used; this algorithm has a list of suspicious queries through which some objects were infected. A SQL query is tested against the static pattern matching algorithm, so if the query matches the static pattern matching list, access to the database is rejected; otherwise the query is executed. In the dynamic phase, the executed queries are tracked and monitored; if any object is infected or changes are made during this, an alarm is raised and the query is sent to the static phase
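The static-phase idea above (tokenize the login query, compare its structure with the expected one, reject it and show "incorrect username or password" when it departs) as an added example; this is not code from the proposal or from the cited papers, and the login template, token classes, `build_query`/`is_injected`/`login_check` names and sample values are assumptions.

```python
import re

# Minimal SQL tokenizer (assumption: enough for the quoted-string, identifier and
# operator forms a login query uses). The token-class sequence is the "dynamic table".
TOKEN_RE = re.compile(r"""
    (?P<STRING>'(?:[^']|'')*')        |   # single-quoted literal ('' escapes a quote)
    (?P<NUMBER>\d+)                   |
    (?P<WORD>[A-Za-z_]\w*)            |
    (?P<OP>=|<>|<|>|,|\(|\)|\*|;)     |
    (?P<COMMENT>--[^\n]*|/\*.*?\*/)   |
    (?P<WS>\s+)
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"select", "from", "where", "and", "or", "union",
            "insert", "update", "delete", "drop"}

def tokenize(sql):
    """Return the token-class sequence of a query, keeping keywords distinct from
    ordinary identifiers so that an extra OR/UNION/comment changes the structure."""
    kinds, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:                 # stray character, e.g. an unbalanced quote
            kinds.append("UNKNOWN")
            pos += 1
            continue
        kind = m.lastgroup
        if kind == "WORD" and m.group().lower() in KEYWORDS:
            kind = "KW:" + m.group().lower()
        if kind != "WS":
            kinds.append(kind)
        pos = m.end()
    return kinds

# Hypothetical login query built by naive string concatenation: the query form
# that the static phase inspects before anything reaches the database.
LOGIN_TEMPLATE = "SELECT * FROM client WHERE client = '{user}' AND secret_key = '{secret}'"

def build_query(user, secret):
    return LOGIN_TEMPLATE.format(user=user, secret=secret)

# Expected structure, computed once from the template with harmless placeholders.
EXPECTED_STRUCTURE = tokenize(build_query("x", "y"))

def is_injected(user, secret):
    """Static phase: True when the submitted credentials alter the query's token
    structure (extra keywords, literals or comments), so the query must be rejected."""
    return tokenize(build_query(user, secret)) != EXPECTED_STRUCTURE

def login_check(user, secret):
    """Return (query, None) to execute, or (None, error) as the backend phase reports it."""
    if is_injected(user, secret):
        return None, "incorrect username or password"
    return build_query(user, secret), None
```

A credential containing a quote or a comment marker changes the token sequence even when the resulting query is still syntactically valid, which is what the structural comparison catches and a plain keyword blacklist would not.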

7.1 Domain Questions

1. What are the benefits of the Secured MyTravel Guide application to users, and how can they be made aware of this application?
2. In comparison, how is this application different from other applications?
3. Is the communication between the user and the application secured?

7.2 Technical Questions

1. What are the basic hardware and software requirements for a user to run it?
2. What programming language will be used to develop the system, and on what platform will it be developed?
3. What security framework and algorithms will be used for the security of customers' personal information?

7. Research Design

8.1 Data Gathering Methods

Data gathering methods are tactics to obtain a qualitative or quantitative amount of data that enables the researcher to find out the answers to questions and the target users' recommendations and opinions related to the research area. Later, these answers can be evaluated, and future predictions can be made by the researcher. Data gathering techniques are interviews, observation, questionnaires and surveys. The data gathering techniques chosen for the proposed title "Secured MyTravel Guide Application" are questionnaire and interview. Firstly, a questionnaire has been chosen for data gathering because it meets some essential requirements of the proposed system: it helps the researcher gather suitable information, reduces bias in asking questions, allows engaging questions, and makes the information comparable and easy to analyse.

Questionnaire Questions and Objectives

1. How do you gather information before making any travel plan? (Select any one)
   o By Yourself
   o Travel Agent
   Objective: The researcher can obtain information about target users' preferences for travel planning.

2. What is the length of your journey?
   o 1 - 3 days
   o 4 - 6 days
   o A week
   o A fortnight
   Objective: The researcher can get the target user's preference, so the researcher may provide the best-places-to-visit feature accordingly.

3. Have you ever been in a situation where you needed help while in a foreign country? If yes, (Select any one)
   o 1 - 5 times
   o 6 - 9 times
   o 10 and above
   o Never
   Objective: The researcher wants to find out whether the emergency hotline feature would be convenient.

4. What are the most challenging problems that you face when choosing a destination?
   o Quality of Services
   o Reliability
   o Communication Barriers
   o Cost
   o Others
   Objective: The researcher wants to find out what problems users mostly face before planning a trip.

5. How would you rate this application on a scale of ten? (Select any one)
   o 0 – 3
   o 3 – 5
   o 5 – 7
   o 7 – 10
   Objective: The researcher may learn the application's rating and make amendments accordingly.

Secondly, interviews are chosen for data gathering because interviews are especially valuable for getting the story behind a respondent's experiences. The researcher can go in depth on the title and adopt different types of interview: structured, semi-structured and unstructured. For the proposed title, a semi-structured interview is conducted by the researchers to gain information from tourists/students/immigrants, who are the target users of the system. A semi-structured interview enables the researchers to ask a combination of open and closed questions, to take advantage of the respondent's presence, to cross-examine, and to obtain high quality responses.

Interview Questions

1. Nowadays, there are many mobile and web applications that help people plan a trip. What are the five characteristics of a great tour guide?
2. Secured MyTravel Guide Application has numerous new enhanced features such as Book and Check Reservations, PackPoint, Navigation, Emergency Hotlines, etc. Have you ever encountered any application with these features, and are these features beneficial?
3. For anything you book or buy online, or when you register yourself on an application, you provide your personal information to become a member. Are you satisfied with the way your personal

8. Personal Reflection:

In this research proposal, the researcher has discussed many detection and prevention methods for SQL injection attacks (SQLIA). One proposed solution is SQL statement randomization; the other methods proposed are based on two different approaches, static and dynamic, each method having two stages, a static and a dynamic phase or a frontend and a backend phase, and using different algorithms to detect SQL injection attacks. Once a SQLIA command is detected it is rejected instantly and the system is protected from SQLIA; this also does not require complicated amendments, or any amendments, to code, so all the proposed solutions can be deployed easily and efficiently. However, stopping SQLIA is still an open security issue which cannot be solved by enhancing database security alone; the alternative solution for SQLIA is to propose a methodology that uses randomization along with the static and dynamic approach, and a future enhancement can be made by using machine learning with artificial intelligence, a new algorithm that encrypts the query and would detect the attack much faster by detecting patterns and prevent SQLIA. To conclude, the whole module helped me understand the basics of SQL injection attacks. Additionally, it remarkably helped me understand the concepts of documenting research from fellow researchers. It also taught me how to search for, identify and verify studies from sources that can assist my research, as well as how to generate a good study to identify and integrate this information to create a useful document. Thus, the module provided a platform to search and create an adequate paper.