
Rial Approach For Preventing SQL

SQL Injection attacks can give the attackers unrestricted access to the database that underlie web applications and. Is likely to increase. This paper presents a Combinatorial Approach for protecting web applications against SQL Injection attacks.

Uploaded by

Shaik Nooruddin
Copyright
© Attribution Non-Commercial (BY-NC)

2009 IEEE International Advance Computing Conference (IACC 2009) Patiala, India, 6-7 March 2009

Combinatorial Approach for Preventing SQL Injection Attacks


Department of Computer Science, Pondicherry University, Puducherry, India. ezumalail984@gmail.com, aghila.csc@pondiuni.edu.in

R. Ezumalai, G. Aghila

978-1-4244-1888-6/08/$25.00 © 2008 IEEE

Abstract - A combinatorial approach for protecting Web applications against SQL injection is discussed in this paper, which is a novel idea of incorporating the uniqueness of the signature based method and the auditing method. The major issue of web application security is SQL Injection, which can give attackers unrestricted access to the databases that underlie Web applications and has become increasingly frequent and serious. From the signature based method standpoint, it presents a detection mode for SQL injection using pairwise sequence alignment of amino acid code formulated from web application form parameters sent via the web server. On the other hand, from the auditing based method standpoint, it analyzes the transaction to find out the malicious access. The signature based method uses an approach called the Hirschberg algorithm, a divide and conquer approach that reduces the time and space complexity. This system was able to stop all of the successful attacks and did not generate any false positives.

Index terms - Security, SQL Injection, Needleman-Wunsch Algorithm, Hirschberg Algorithm, DBMS Auditing.

I. INTRODUCTION

Today's modern web era expects organizations to concentrate more on web application security. Protecting their precious data against malicious access or corruption is the major challenge faced by all organizations. Generally, program developers show keen interest in developing the application with usability rather than incorporating security policy rules. An input validation issue is a security issue if an attacker finds that an application makes unfounded assumptions about the type, length, format, or range of input data. The attacker can then supply a malicious input that compromises an application. When the network and host level entry points are fully secured, the public interfaces exposed by an application become the only source of attack. Cross site scripting attacks, SQL Injection attacks and Buffer Overflow are the major threats in web application security through these input validation security issues [11]. SQL Injection attacks especially breach the database mechanisms such as Integration, Authentication, Availability and Authorization [8].

Since 2002, nearly 50% of total cyber vulnerabilities are input validation vulnerabilities. Since 2002, 20% of the input validation issues are SQL Injection vulnerabilities (SQLIVs) and, therefore, 10% of total cyber vulnerabilities since 2002 [18]. A SQL injection attack involves placing SQL statements in the user input for corrupting or accessing the database [11]. SQL Injection attacks can even bypass security mechanisms such as firewalls, cryptography and traditional intrusion detection systems. If the trend of providing web-based services continues, the prevalence of SQLIVs is likely to increase.

The most worrying aspect of SQL Injection attacks is that they are very easy to perform, even when the developers of the application are well aware of this type of attack. The basic idea behind this attack is that the malicious user counterfeits the [...] that a web application sends to the database, aiming at the modification of the SQL query that will be executed by the [...] of software. Input validation issues can allow the attackers to gain complete access to such databases. Technologies vulnerable to SQL Injection attacks are dynamic script languages like ASP, ASP.net, PHP, JSP, CGI, etc. In addition, all types of databases have been severely vulnerable to such types of SQL Injection attacks [18].

Researchers have proposed different techniques to provide a solution for SQLIAs (SQL Injection attacks), but many of these solutions have limitations that affect their effectiveness and practicality. Researchers have indicated that the solution to these types of attacks may be based on defensive coding practices. But this is not efficient, for three reasons. First, it is very hard to bring out a rigorous defensive coding discipline. Second, many solutions based on defensive coding address only a subset of the possible attacks. Third, legacy software poses a particularly difficult problem because of the cost and complexity of retrofitting existing code so that it is compliant with defensive coding practices. In this work, an attempt has been made to increase the efficiency of the above techniques by a combinatorial approach for protecting web applications against SQL Injection attacks.

The remainder of the paper is organized as follows: Section 2 contains background and related work; Section 3 describes our proposed approach. Section 4 describes the [...]

II. BACKGROUND AND RELATED WORK

SQL Injection is one of the main issues in database security. It affects the database without the knowledge of the database administrator. It can delete the full database or records or tables without the knowledge of the respective user or administrator. It is a technique used to exploit the database system through vulnerable web applications [9]. These attacks not only allow the attacker to breach the security and steal the entire content of the database but also to make arbitrary changes to both the database schema and the contents. The information compromise caused by a SQL injection attack may not be realized until long after the attack has passed. In many scenarios, the victims are unaware that their confidential data has been stolen or compromised. SQL Injection attacks can be performed by attackers with the help of a simple web browser [12]. The following section describes the attacks with an example.

Generally, authenticated users have a username and password such as

Username: bala
Password: ravil2

The SQL query format is

Select * from table where usrnme='bala' and psswd='ravil2';

The above query fetches the needed records from the database where usrnme and psswd are available in the database, or it shows some error messages to the browser. A malicious user injects the following SQL Injection in this field:

Username: bala
Password: anything' or '1'='1

Then the dynamic SQL query constructed from the above information is

Select * from table where usrnme='bala' and psswd='anything' or '1'='1';

In this SQL statement, '1'='1' is always true, and this expression connected with 'OR' to another expression will always return true. The result of this query performs the SQL Injection attack.
A. Authorization bypass (SQL manipulation)

This attack gives the attacker the privileges of the first user in the database [15]. It is used to bypass the log-on screen. An example of this attack is discussed in the above section.

B. Exploiting SELECT

SQL injection is not always a straightforward attack; some background trickery is also involved. Most of the time attackers will see some error message and will have to reverse engineer their queries.

Direct vs Quoted (SQL manipulation) - In SQL manipulation, direct and quoted are the types of SQL Injection attack. In a direct attack the input data becomes part of the SQL statement formed by the application. The attacker has to add a space (' ') and OR to the input to manipulate the SQL statement. An error message is returned if the injection was successful.

SQL = "SELECT Title, Author, Publishing from Books ORDER by " & strInput

All the other possible injections are quoted SQL statements. In a quoted injection the injected string has a quote appended to it, similar to the statement shown:

SQL = "SELECT Title, Author, Publishing from Books WHERE ISBN = '" & strInput & "'"

In order to manipulate the SQL statement successfully, the input string must contain a single quote ' before the use of the first SQL keyword and end in a WHERE statement that needs a single quote appended to it.

C. Exploiting Insert

Insert Basics - Sites such as shopping sites allow the user to feed in inputs at registration and store them. The user input is stored in the back end through an INSERT statement. Misuse of INSERT statements by the attacker results in many rows in the database with corrupt data.

Injecting Subselect - Normally an insert statement looks like this:

Insert into TableName Values ('eOne', 'eTwo', 'eThree');

Suppose the sample SQL statement is used by the application:

INSERT INTO Table Values ('" & eOne & "', '" & eTwo &

and the values that are input by the user are:

Name: '+ (SELECT TOP 1 Fieldname from TableName) +'
Email: --xxx.com

The resulting SQL statement looks like this:

INSERT INTO tableName values ('' + (SELECT TOP 1 Fieldname FROM tableName) + '', '--- @xxx.com')

In injecting a subselect, the first value in the field will be displayed in place of the user name in the above attack. If TOP 1 is not used, there will be an error message "subselect returned too many rows". The attacker can go through all the records using the NOT IN clause.

D. Exploiting System Stored Procedures (Function call)

The attacker uses stored procedures to corrupt the database system, and this is one of the most harmful attacks. The database uses stored procedures to perform database administrative operations. If the attacker is able to inject an SQL string successfully, then the attacker can exploit these stored procedures. Access to these procedures depends on the privileges of the user on the database.

SELECT proid, cusid, proname from product where prodname like '1' or '1'='1'; exec master.dbo.xp_cmdshell 'dir'

The above injected SQL query will return all the rows from the table as well as execute the operating system command DIR.

The following subsection describes in detail the related works based on SQL Injection Attacks. A number of researches had been taken to provide solutions for SQL Injection Attacks.

Xiang Fu et al [1] propose the design of a static analysis framework (called SAFELI) for identifying SIA (SQL Injection attack) vulnerabilities at compile time. SAFELI statically monitors the MSIL (Microsoft Symbolic intermediate language) byte code of an ASP.NET Web application, using symbolic execution. SAFELI can analyze the source code information and is able to identify very delicate vulnerabilities that cannot be discovered by black-box vulnerability scanners. The main limitation of Xiang et al's work is that this approach can discover SQL injection attacks only on Microsoft based products.

Buehrer et al [12] propose a mechanism which filters SQL Injection in a static manner. It compares the parse tree of a SQL statement before and after input and only allows SQL statements to execute if the parse trees match. They conducted a study using one real world web application and applied their SQLGUARD solution to each application. It stopped all of the SQLIAs without generating any false positive results, but their solution required the developer to rewrite all of their SQL code to use their custom libraries.

Wassermann and Su [6] propose a static framework to analyze and filter the inputs. The approach is restricted to discovering only logic-based attacks, i.e. attacks that always result in true or false SQL statements.

Livshits and Lam [21] propose another static analysis approach for finding SQL injection using a vulnerability pattern approach. Vulnerability patterns are described in this approach. The main issue of this method is that it cannot detect SQL injection attack patterns that are not known beforehand.

Konstantinos et al [3] propose a mechanism to detect SQL injection with a novel specification based methodology. This approach utilizes specifications that define the intended syntactic structure of SQL queries that are produced and executed by the web application. The main limitation of this paper is the computational time overhead to compare the SQL statement with the predefined structure at run time.

William G.J. Halfond and Alessandro Orso [2] propose a mechanism to prevent SQL injection at run time. AMNESIA uses a model based approach to detect illegal queries before they are sent for execution to the database. In its dynamic method, the technique uses run time monitoring to inspect each and every query which is passed to it. The main issue of AMNESIA is that it requires the modification of the web application's source code.

William G.J. Halfond, Alessandro Orso and Panagiotis Manolios [13] proposed a mechanism to keep track of the positive taints and negative taints. This work outlined a new automated technique for preventing SQLIAs based on the novel concept of positive tainting and on flexible syntax-aware evaluation. It will check the SQL statement with these taints and, if it finds any suspicious activity, it will generate the alarm. The advantage of this mechanism is that it does not require any modification of the run time system even at application level and imposes a low execution overhead.

Marco Cova et al [19] propose a mechanism for the anomaly-based detection of attacks against web applications. Swaddler analyzes the internal state of a web application and learns the relationships between the application's critical execution points and the application's internal state. By doing this, Swaddler is able to identify attacks that attempt to bring an application into an inconsistent, anomalous state, such as violations of the intended workflow of a web application. The main limitation is that the overhead grows linearly as the number of executed basic blocks increases. This is due to the instrumentation and detection overhead associated with each basic block in the program.

Many authors have discussed various techniques to prevent SQL Injection attacks in many ways, through static and dynamic analysis and also through DBMS auditing methods. But all these methods are reported to have pros and cons of their own. In this paper, a new attempt has been proposed and worked out against SQL Injection attacks.

III. OUR APPROACH

Our approach against SQLIAs is based on a signature based approach, which has been used to address security problems related to input validation. This approach describes three modules which are used to detect the security issues. The monitoring module gets the statement from the web application and decides whether it can send the statement to the database for execution. The analysis module uses the Hirschberg algorithm to compare the statement with the specifications. The specifications comprise the predefined keywords, which are sent to the analysis module for comparison. It analyzes the comparisons as well as the database transaction. If it finds any suspicious activity, it acts as an active agent to stop the transaction and audit the attack. If both the analysis module and the auditing module are satisfied, it allows the complete transaction. Figure 1 depicts the architecture of the system to prevent SQL Injection attacks using the new combined approach. The following section outlines each module's work in detail.

[Figure 1: Combinatorial Approach for Preventing SQL Injection Attacks. Block diagram with the components Web application, Monitoring module, Specifications, Analyze module, DBMS Auditing module, Database server, Complete transaction, and SQL Injection Alert Generation.]


A. Monitoring Module

The monitoring module gets an input from the web application and sends it to the analysis module for further checking. If the analysis module finds any suspicious activity, it generates an error message to the monitoring module to block further transactions.

B. Specifications

The specifications comprise the predefined keywords, which are sent to the analysis module for comparison. This module holds all the predefined keywords, which are stored in the database.

C. Analysis Module

The analysis module gets an input from the monitoring module, finds a hot spot in the application and uses the Hirschberg algorithm for string comparison. An advantage of the Hirschberg algorithm is that it uses a divide and conquer methodology to prevent SQL Injection attacks. The time complexity of this algorithm is O(nm) and the space complexity is O(min(n, m)).

Hot Spot

A hot spot is a line where the application gets input from the user and is vulnerable in execution. This step performs a simple scanning of the application code to identify hotspots. For the example servlet in the program below, the set of hotspots would contain a single element: the statement at lines 6, 7, 8. (In Java-based applications, interactions with the database occur through calls to specific methods in the JDBC library, such as java.sql.Statement.execute(String).)

public class Show extends HttpServlet {
  ...
  1. public ResultSet getUserInfo(String login, String password) {
  2.   Connection co = DriverManager.getConnection("MyDB");
  3.   Statement stmt = co.createStatement();
  4.   String queryString = "";
  5.   queryString = "SELECT info FROM userTable WHERE ";
  6.   if ((! login.equals("")) && (! password.equals(""))) {
  7.     queryString += "login='" + login + "' AND pass='" + password + "'"; }
  8.   ResultSet tempSet = stmt.execute(queryString);
  9.   return tempSet;
     }
  ...
}

This step identifies the hot spot (6, 7, 8), divides the hot spot into tokens and sends them to the query validation phase.

Hirschberg Algorithm

Hirschberg's algorithm is a divide and conquer version of the Needleman-Wunsch algorithm. Hirschberg's algorithm is commonly used in computational biology to find maximal global alignments of DNA and protein sequences. Hirschberg's algorithm is a generally applicable algorithm for finding an optimal sequence alignment. BLAST and FASTA are suboptimal heuristics. If x and y are strings, where |x| = n and |y| = m, the Needleman-Wunsch algorithm finds an optimal alignment in O(nm) time, using O(nm) space. Hirschberg's algorithm is a clever modification of the Needleman-Wunsch algorithm which takes O(nm) time, but needs only O(min{m,n}) space. For pairwise sequence alignment, the Needleman-Wunsch algorithm and the Smith-Waterman algorithm are mostly used. Both use dynamic programming based on an identical mathematical background (analysis of most common characters) in order to locate the most appropriate sequence alignment. But in order to reduce the time and space complexity, we present the Hirschberg algorithm to provide a comparison of strings. The Hirschberg algorithm takes O(nm) time in the worst case and O(min(n, m)) space for two sequences:

$F(i,j) = \max\{F(i-1,j-1) + s(x_i, y_j),\ F(i,j-1) + d,\ F(i-1,j) + d\}$

Table 1: Hirschberg Algorithm [scoring-matrix diagram with the sequence letters G, C, T, A, A and C, T along the axes, showing the cell F(i,j) computed from F(i-1,j-1), from F(i,j-1) + d and from F(i-1,j) + d, where d is the gap penalty]

The above equation describes the algorithm. There are three paths in the scoring matrix for reaching a particular position i, j: (1) a diagonal move from position i-1, j-1 to position i, j with no gap penalties, (2) a move from any position in column j to i, j, with a gap penalty, or (3) a move from any position in row i to i, j with a gap penalty. But this system does not consider the gap penalty. It directly matches the two sequences. For two sequences a = a1 a2 ... an and b = b1 b2 ... bn, where Sij = S(a1 a2 ... ai, b1 b2 ... bj), then:

Where Sij is the score at position i in sequence a and position j in sequence b, s(ai bj) is the score for aligning the characters at positions i and j, d is the penalty for a gap of length x in sequence a, and d is the penalty for a gap of length y in sequence b.

Sij is a type of running best score as the algorithm moves through every position in the matrix. Eventually, all of the matrix positions (all Sij values) are filled. If a global alignment that involves all of the sequences is required, the matrix score in the last row and column is used as the alignment score. Use of the dynamic programming method requires a scoring system for the comparison of symbol pairs, and a scheme for insertion/deletion (gap) penalties.

Table 2: Using Hirschberg Algorithm to find the similarities [matrix comparing the incoming query tokens (SELECT, From, Prod, Where, Usr, And, Pss) against the same predefined keywords, with a 1 marking each matching pair and regions labelled DIVIDE and CONQUER]

This method is based on genetic distances between sequence pairs. The genetic distance between two sequences is the fraction of aligned positions in which the sequence has been changed. Our proposed system maintains a table, as in gene comparison, that contains the keywords along the horizontal and vertical lines, and it compares the incoming tokens with these predefined values using this algorithm for identity. The following SQL statement is a hot spot which has been identified by the analysis module and sent to this table to detect and prevent SQL Injection attacks.

SQL = "SELECT * FROM prod WHERE Usr = '" & tUsername & "' AND Pss = '" & tPassword & "'";

As per the Hirschberg algorithm, it divides the statement into tokens and checks each token against the predefined tokens using the divide and conquer methodology.

SQL Injection code: Select * from prod where usr="bala" and pss="anything" or '1=1'

The analysis module detects that SQL Injection has taken place after the token (anything") and prevents the SQL Injection attack. The above algorithm uses the divide and conquer methodology as described here. X strings are stored along the horizontal line whereas Y strings are stored along the vertical line. Being a divide and conquer methodology, it divides the problem (one string) into two sub problems. It compares one sub problem with the predefined data, compares the other sub problem with another set to match, and combines the sub problem solutions into the main problem solution. So it takes O(nm) time and needs O(min(m,n)) space.

D. DBMS Audit

Auditing is a facility of the DBMS that enables DBAs to track the use of database resources and authority [11]. When auditing is enabled the DBMS will produce an audit trail of database operations. Each audited database operation produces an audit trail of information including what database object was impacted, who performed the operation, and when. Depending on the level of auditing supported by the DBMS, an actual record of what data actually changed also may be recorded. But it has limited functionality to predict the attacks. It is very useful for finding out what type of operation has been made. For example, the end user is a student who can log on to the college server and see his personal or academic record. The only option given to the user is to check their information, i.e. the select operation. If, instead of a select operation, any deletion or update operation is made, attackers could have logged in to the system to do some malicious actions. So this auditing method tries to block not only SQL Injection attacks but also some other attacks [18]. The restriction of this DBMS auditing method lies in preventing attackers from viewing other records when a select operation has been made. It never generates any alarms. The signature based method itself works effectively against SQL Injection attacks, and DBMS auditing provides support for this method to work effectively against SQL Injection attacks. The integrated system is under development and the partial results show encouraging output.
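An added example, not code from the paper: a Python implementation of the Analysis Module's comparison, which aligns the tokens of an incoming query against the tokens of the hot-spot statement with Hirschberg's algorithm and reports tokens left without an equal partner. The scoring values (match +1, mismatch -1, gap -1), the tokenizer, the `<STR>`/`<NUM>` placeholders and all function names are assumptions made for illustration; the sample queries are constructed from the paper's prod/Usr/Pss statement.

```python
import re

# Assumed scoring (the paper fixes no values): match +1, mismatch -1, gap -1.
MATCH, MISMATCH, GAP = 1, -1, -1

# Quoted literal (with '' escapes) | number | word | any other single symbol.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")


def tokenize(sql):
    """Split SQL text into tokens; literals become placeholders so that only
    the structure of the statement is compared, not the user's data."""
    tokens = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'") and len(tok) > 1:
            tokens.append("<STR>")
        elif tok.isdigit():
            tokens.append("<NUM>")
        else:
            tokens.append(tok.upper())
    return tokens


def nw_last_row(a, b):
    """Last row of the Needleman-Wunsch matrix for a against every prefix
    of b, keeping only two rows in memory instead of the full matrix."""
    prev = [j * GAP for j in range(len(b) + 1)]
    for i, x in enumerate(a, 1):
        cur = [i * GAP]
        for j, y in enumerate(b, 1):
            s = MATCH if x == y else MISMATCH
            cur.append(max(prev[j - 1] + s, prev[j] + GAP, cur[j - 1] + GAP))
        prev = cur
    return prev


def hirschberg(a, b):
    """Optimal global alignment of token lists a and b as (a_tok, b_tok)
    pairs; None marks a gap."""
    if not a:
        return [(None, y) for y in b]
    if not b:
        return [(x, None) for x in a]
    if len(a) == 1:
        # Pair the single token with its first equal partner in b, else b[0]
        # (optimal for the scoring above, where MISMATCH >= 2 * GAP).
        k = max(range(len(b)), key=lambda j: a[0] == b[j])
        return ([(None, y) for y in b[:k]] + [(a[0], b[k])]
                + [(None, y) for y in b[k + 1:]])
    mid = len(a) // 2  # divide: split a in half, find the best cut point in b
    left = nw_last_row(a[:mid], b)
    right = nw_last_row(a[mid:][::-1], b[::-1])
    split = max(range(len(b) + 1), key=lambda j: left[j] + right[len(b) - j])
    # conquer: align the two halves independently and concatenate
    return hirschberg(a[:mid], b[:split]) + hirschberg(a[mid:], b[split:])


def check_query(template, query):
    """Compare a query built at the hot spot with the statement's expected
    shape; tokens without an equal partner are reported."""
    pairs = hirschberg(tokenize(template), tokenize(query))
    extra = [q for s, q in pairs if q is not None and q != s]
    missing = [s for s, q in pairs if s is not None and s != q]
    return {"injection": bool(extra or missing),
            "extra": extra, "missing": missing}


# Constructed inputs following the paper's prod/Usr/Pss statement.
TEMPLATE = "SELECT * FROM prod WHERE Usr='x' AND Pss='x';"
BENIGN = "SELECT * FROM prod WHERE Usr='bala' AND Pss='black or white';"
INJECTED = "SELECT * FROM prod WHERE Usr='bala' AND Pss='anything' or '1'='1';"

if __name__ == "__main__":
    for q in (BENIGN, INJECTED):
        print(check_query(TEMPLATE, q))
```

Because literals are collapsed before alignment, a password that merely contains the word "or" aligns cleanly, while the injected `or '1'='1'` leaves four query tokens with no partner in the specification.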


IV. CONCLUSION

This paper presented a novel, highly automated approach for protecting Web applications from SQLIAs. Our approach consists of 1) identifying the hot spot in the application, 2) using the Hirschberg algorithm to find out the SQL Injection attacks, and 3) using DBMS auditing methods to find out the transactions. The Hirschberg algorithm uses a divide and conquer approach to detect the SQL Injection attacks in order to reduce the time and space complexity, and it provides the complete execution after analyzing the DBMS auditing. Our approach also provides advantages over the many existing techniques [...] environments: since it is defined at the application level, it requires no modification of the runtime system and imposes a low execution overhead.

REFERENCES

[1] Xiang Fu, Xin Lu, Boris Peltsverger, Shijun Chen, "A Static Analysis Framework For Detecting SQL Injection Vulnerabilities", IEEE Transaction of computer software and application conference, 2007.
[2] William G.J. Halfond, Alessandro Orso, Panagiotis Manolios, "WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation", IEEE Transaction of Software Engineering, Vol. 34, No. 1, January/February 2008.
[3] Konstantinos Kemalis and Theodoros Tzouramanis, "Specification based approach on SQL Injection detection", ACM, 2008.
[4] Stephen Thomas and Laurie Williams, "Using Automated Fix Generation to Secure SQL Statements", International workshop on Software engineering and secure system, IEEE, 2006.
[5] V. Benjamin Livshits and Monica S. Lam, "Finding Security Vulnerabilities in Java Applications with Static Analysis", ACM, 2005.
[6] Z. Su and G. Wassermann, "The Essence of Command Injection Attacks in Web Applications", 33rd ACM SIGPLAN, SIGACT Symposium on Principles of Programming Languages, Charleston, South Carolina, USA, 2006, pp. 372-382.
[7] Sruthi Bandhakavi, "CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations", ACM, 2007.
[8] Ashish Kamra, Elisa Bertino, Guy Lebanon, "Mechanisms for database intrusion detection and response", Data security & privacy, Pages 31-36, ACM, 2008.
[9] Christina Yip Chung, "DEMIDS: A Misuse Detection System for Database Systems", Integrity and internal control information systems, Pages: 159 - 178, ACM, 2008.
[10] Y. Huang, F. Yu, C. Hang, C. H. Tsai, D. T. Lee, and S. Y. Kuo, "Securing Web Application Code by Static Analysis and Runtime Protection", In Proc. of the 13th Intl. World Wide Web Conference (WWW 04), pages 40-52, May 2004.
[11] David Geer, "Malicious Bots Threaten Network Security", IEEE, Oct 8, 2008.
[12] G.T. Buehrer, B.W. Weide and P.A.G. Sivilotti, "Using Parse tree validation to prevent SQL Injection attacks", In Proc. of the 5th International Workshop on Software Engineering and Middleware (SEM '05), Pages 106-113, Sep. 2005.
[13] W.G.J. Halfond and A. Orso, "Combining Static Analysis and Run time monitoring to counter SQL Injection attacks", 3rd International workshop on Dynamic Analysis, St. Louis, Missouri, 2005, pp. 1.
[14] N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: A Static Analysis tool for detecting web application vulnerability", In 2006 IEEE Symposium on Security and Privacy, May 2006.
[15] O. Maor and A. Shulman, "SQL Injection Signature Evasion", White paper, Imperva, Apr 2004.
[16] R. McClure and I. Krüger, "SQL DOM: Compile Time Checking of Dynamic SQL Statements", In Proc. of the 27th Int. Conference on Software engineering (ICSE 05), pages 88-96, May 2005.
[17] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans, "Automatically hardening web applications using Precise Tainting", In Twentieth IFIP Intl. Information security conference (SEC 2005), May 2005.
[18] Xin Jin, Sylvia L. Osborn, "Architecture for data collection in database intrusion detection system", Secure data management, Springerlink, 2007.
[19] Marco Cova, Davide Balzarotti, Viktoria Felmetsger, and Giovanni Vigna, "Swaddler: An approach for the anomaly based character distribution models in the detection of SQL Injection attacks", Recent Advances in Intrusion Detection System, Pages 63-86, Springerlink, 2007.
[20] Mehdi Kiani, Andrew Clark, George Mohay, "Evaluation of Anomaly Based Character Distribution Models in the Detection of SQL Injection Attacks", Third International Conference on Availability, Reliability and Security - Volume 00, Issue, 4-7, Page(s): 47-55, IEEE, March 2008.
[21] V.B. Livshits and M.S. Lam, "Finding Security vulnerability in java applications with static analysis", In proceedings of the 14th Usenix Security Symposium, Aug 2005.
