Review of Tools against Vulnerabilities in
Web Applications
Nilesh Kunhare
Department of Computer Science
Research Scholar MANIT
Bhopal, India
[email protected]
Abstract—We know that nowadays many of our
daily activities takes place by using web
applications such as shopping, communications,
research etc. The attackers target the victims either
for commercial reason or for personal gain. This is
why they are often vulnerable to attacks like
HTML Embedding, Buffer Overflow, SQL
Injection, Cross-site Scripting etc. Research data
shows that about 90% of web applications are
vulnerable to SQL Injection (SQLI) and Cross-site
Scripting (XSS) attacks. Many tools and techniques
have been developed to prevent and detect these
attacks. In this paper we will review about these
tools with their strength and weaknesses. We will
also discuss about the XSS attack and its types
which is considered to be more dangerous than
SQLI attacks.
Keywords—Web applications, Victims,
Vulnerable, SQL Injection, Cross-site Scripting.
I. INTRODUCTION
Two types of attacks are most common and
damaging. SQL Injection attack occurs when the
attacker is able to insert a series of SQL
statements into a query by manipulating data
input into an application. SQLI attack is among
the most common database attacks which try to
access the sensitive data directly. Whereas XSS
attack occurs when a user clicks on crafted
malicious URLs or visit the infected page. The
malicious script is executed on client’s web
server. XSS attack results in cookie stealing,
changing user’s account information and its
privileges etc. The XSS attack is similar to SQLI
as they follow the same attacking style of code
injection, but they are different from each other.
The SQLI attack performs to access and
manipulate the application’s database whereas in
XSS attack, the attacker focuses on injecting
malicious code to application’s users. Previous
approaches identifying against SQLI and XSS
vulnerabilities and preventing exploits include
Prof. B.N.Roy
Department of Computer Science
MANIT
Bhopal, India
static analysis, defensive coding, test generation
and dynamic monitoring. Each of these
approaches has its own merits, but there are
possibilities for improvement. Static analysis
tools can produce false warnings and do not
create concrete examples of inputs that exploit
the vulnerabilities. Defensive coding is error-
prone and requires rewriting existing software to
use safe libraries. Black-box test generation does
not take advantage of the application’s internals,
whereas previous White- box techniques have
not been shown to discover unknown
vulnerabilities. Dynamic monitoring tools
outcomes in runtime overhead on the running
application and do not detect vulnerabilities until
the code has been deployed.
II. BACKGROUND
The SQL injection attack used to exploit the web
application remotely without any application or
database authentication. By sending crafted input
a malicious user can change the SQL statement
structure and execute arbitrary SQL commands
on the vulnerable system. Consider the following
username and password example, in order to
login to the web site, the user inputs his
username and password, by clicking on the
submit button the following SQL query is
generated:-
SELECT * FROM emptable WHERE eid =‘e#1’
and password = ‘54321’
The query will be executed when user input the
following password:
‘Or 1=1 –
The SQL query will become:
SELECT * FROM emptable WHERE eid=‘e#1’
and password = ‘54321’ or 1=1 --'. The query
will return all rows from the database regardless
of whether eid=’e#1’ and
password=’54321’.This is because the ‘1’=’1’
will always return true result and OR statement
appended to the WHERE clause. Therefore, the
query will return a non-empty result set without
any error. SQL injection problem can be solved
by checking all SQL statements before sending
them to the database. There are various SQL
injection prevention and detection techniques
developed [2]. In this paper we will review about
these techniques with their strength and
weaknesses. First we will discuss about various
SQL Injection attack types then we will discuss
about the tools developed for protecting against
these attack types.
SQL INJECTION ATTACK TYPES
There are different methods of attacks that
depending on the goal of attacker are performed
together or sequentially. For a successful SQLIA
the attacker should append a syntactically correct
command to the original SQL query. Now the
following classification of SQLIAs in
accordance to the Halfond, Viegas and Orso
researcher will be presented.
1. IIIegal/Logically Incorrect Queries: Finding
vulnerabilities through error messages.
2. Piggy-backed Queries: In this type of attack,
the original query is appended by the query
delimiter such as”;” to append extra query.
3. Tautologies: the conditional query statement is
evaluated always true like exploiting
vulnerabilities in the database using WHERE
clause.
4. Union Query: the attacker use the SQL tokens
with the word UNION to injected query and
then get data about other tables from the
application.
5. Inference: By this type of attack, intruders
change the behavior of a database or application.
(a) Blind injection: stealing data by asking a
series of True False questions through SQL
statements.
(b) Timing attacks: By observing timing delays
in the database's responses.
6. Alternate Encodings: modify the injection
query by using alternate encoding, such as
hexadecimal, ASCII, and Unicode. Because by
this way they can escape from developer's filter
which scan input queries for special known "bad
character".
7. Stored Procedure: Stored procedure is a part
of database that programmer could set an extra
abstraction layer on the database.
SQL INJECTION DETECTION AND
PREVENTION TECHNIQUES
We discussed about various types of SQL
Injection attack types. Now we will discuss
about the prevention and detection tools [3] for
such attack types.
Wassermann and Su propose Tautology Checker
that uses static analysis to stop tautology attack.
The weakness of this tool is that its scope is
limited to tautology and cannot detect or prevent
other types of attacks.
CANDID modifies web applications written in
Java through a program transformation. This tool
dynamically mines the programmer-intended
query structure on any input and detects attacks
by comparing it against the structure of the
actual query issued. It’ natural and simple
approaches turns out to be very powerful for
detection of SQL injection attacks.
AMNESIA combines static analysis and runtime
monitoring. In static phase, it builds models of
the different types of queries which an
application can legally generate at each point of
access to the database. Queries are intercepted
before they are sent to the database and are
checked against the statically built models, in
dynamic phase. Queries that violate the model
are prevented from accessing to the database.
The primary limitation of this tool is that its
success is dependent on the accuracy of its static
analysis for building query models.
Two similar approaches by Nguyen-Tuong and
Pietraszek, modify a PHP interpreter to track
precise per-character taint information. A context
sensitive analysis is used to detect and reject
queries if certain types of SQL tokens has been
constructed by illegitimate input. Limitation of
these two approaches is that they require
rewriting code.
Livshits and Lam use static analysis techniques
to detect vulnerabilities in software. Java Static
Tainting uses information flow techniques to
detect when tainted input has been used to make
a SQLIA. The primary limitation of this
approach is that it can detect only known
patterns of SQLIAs and it can generate a
relatively high amount of false positives because
it uses a conservative analysis.
SQLPrevent is consists of an HTTP request
interceptor. The original data flow is modified
when SQLPrevent is deployed into a web server.
The HTTP requests are saved into the current
thread-local storage. Then, SQL interceptor
intercepts the SQL statements that are made by
web application and pass them to the SQLIA
detector module. Consequently, HTTP request
from thread local storage is fetched and
examined to determine whether it contains an
SQLIA. The malicious SQL statement would be
prevented to be sent to database, if it is
suspicious to SQLIA.
JDBC-Checker was not developed with the
intent of detecting and preventing general
SQLIAs, but can be used to prevent attacks that
take advantage of type mismatches in a
dynamically-generated query string. As most of
the SQLIAs consist of syntactically and type
correct queries so this technique would not catch
more general forms of these attacks.
Xiang Fu and Kai Qian proposed the design of a
static analysis framework, called SAFELI for
identifying SQLIA vulnerabilities at compile
time. SAFELI statically monitor the MSIL
(Microsoft Symbolic intermediate language) byte
code of an ASP .NET Web application, using
symbolic execution. SAFELI can analyze the
source code and will be able to identify delicate
vulnerabilities that cannot be discovered by
black-box vulnerability scanners. The main
drawback of this technique is that this approach
can discover the SQL injection attacks only on
Microsoft based product.
Two approaches, SQL DOM and Safe Query
Objects, use database queries encapsulation for
trustable access to databases. They use a type-
checked API which cause query building process
is systematic. Consequently by API they apply
coding best practices such as input filtering and
strict user input type checking. The drawback of
the approaches is that developer should learn
new programming paradigm or query-
development process.
Java Dynamic Tainting and SecuriFly is another
tool that was implemented for java. We
discussed about the tools used for protecting
against SQL Injection attack. Now we will
discuss about another type of attack which is
considered to be most dangerous than SQLI for
web applications. We discussed about SQLI
attack types, their prevention and detection
techniques. Now further we will discuss about
XSS attack and its types, which is considered to
be more dangerous than SQLI attack.
Cross-Site Scripting Attack: (or XSS attack) is
one of the most common application-layer web
attacks. It commonly targets script embedded in
a page which are executed on the client-side (in
the user’s web browser) rather than on the
server-side. XSS attack itself is a threat which is
brought about by the internet security
weaknesses of client-side scripting languages,
with HTML and JavaScript (other being
VBScript, ActiveX, or Flash) as the prime
culprits for this exploit. The concept of XSS is to
manipulate client-side scripts of a web
application to execute in the manner desired by
the malicious user. Such a manipulation can
embed a script in a page which can be executed
every time the page is loaded, or whenever an
associated event is performed. There are
different types of XSS attacks.
1. Non-Persistent or Reflected Attack (First
Order XSS): The most common attack,
Considered less dangerous. Usually used in
phishing attempts. Attack requires to persuade
the victim to click on a prepared URL (Social
Engineering).It can steal credential, deface a
website, create a fake page or spam email,
observe user request etc.
2. Persistent XSS Attack (or Stored or Second
Order XSS Attack): Similar to Non-persistent,
but even more effective. It is Stored in the
attacked web server’s database. Second-order
XSS is much more damaging than first order
XSS, for two reasons: (a) social engineering is
not required (the attacker can directly supply the
malicious input without tricking users into
clicking on a URL), and (b) a single malicious
script planted once into a database executes on
the browsers of many victim users.
III. RELATED WORK
XSS has proven to be dangerous enough to
consider and researches on Cross-site scripting
attacks has been ongoing for a number of years
now, and a large number of protection methods
have been researched and tested, such as
Modularized and configured solution to block
XSS vulnerabilities based on service oriented
architecture [4], Static Detection of Cross-Site
Scripting Vulnerabilities [5] but these researches
are helpful to avoid simple XSS attack, they are
not able to detect Persistent XSS attack which is
considered to be more dangerous than simple
and first order attack. So our work area will be
focus on persistent XSS attack. In order to detect
persistent XSS attack we will study about the
attacker’s scenario and understanding its
behavior by simply creating an environment
where attacker can intrudes some malicious code
on to the webpage in order to steal the cookies,
redirect the user on another website, can do port
scanning and may also display or steal the
content of the database. We also evaluate the
attacker’s behavior in order to prevent the
persistent XSS attack.
 IV. CONCLUSION

In this paper we reviewed about the various

types of SQLI attacks. Then we investigated the
strength and weaknesses of the tools used for
protection and detection of SQL injection attack
and its types. We conclude that some tools need
improvement regarding their efficiency and
performance. The tools and techniques used are
limited to prevent and detect only particular type
of SQLI attack not for group of attacks. Some
technique must be developed which detect all
kinds of SQLI attack. After that we discussed
about XSS attack and types of XSS (first order
and second order) attack. We found that second
order XSS attack is more dangerous than first
order attack. In our future work we create
mechanism for finding second order XSS
(persistent XSS attack).

V. REFERNCES

[1] Automatic Creation of SQL Injection and Cross-Site

Scripting Attacks
Adam Kie˙zun (MIT), Philip J. Guo (Stanford University)
Karthick Jayaraman (Syracuse University)
Michael D. Ernst (University of Washington)
[2] Evaluation of SQL Injection Detection and Prevention
Techniques
Atefeh Tajpour and Mohammad JorJor zade Shooshtari
(CASE Center University Technology Malaysia Kuala)
Lumpur, Malaysia
2010 2nd International Conference on Education Technology
and Computer (ICETC)
[3] SQL Injection Detection and Prevention Tools
Assessment
Atefeh Tajpour and Maslin Masrom (CASE Center
University Technology Malaysia Kuala) Lumpur, Malaysia
[4] A solution to block Cross Site Scripting Vulnerabilities
based on Service Oriented Architecture
Jayamsakthi Shanmugam Research Student, BITS, Pilani,
Dr.M.Ponnavaikko, Director of Research and Virtual
Education, SRM University, Chennai
[5] Static Detection of Cross-Site Scripting Vulnerabilities
Gary Wassermann and Zhendong Su (University of
California), Davis