A Novel System For Detecting and Preventing SQL Injection and Cross-Site-Script

Authorized licensed use limited to: University of Hyderabad IG Memorial Library. Downloaded on November 11,2022 at 06:38:45 UTC from IEEE Xplore. Restrictions apply.

Abstract— SQL Injection and Cross-Site Scripting are the two most common attacks in database-based web applications. In this paper we propose a system to detect different types of SQL injection and XSS attacks associated with a web application, without the existence of any firewall, while significantly reducing the network overhead. We use suitable modifications of the Nginx Reverse Proxy protocols and of the Suricata NIDS/IPS rules. Little work by other researchers has been based on the capabilities of Nginx and Suricata, and our approach, with the experimental results provided in the paper, demonstrates the efficiency of our system.

Keywords— SQL Injection, Cross Site Script, Reverse Proxy, Network Intrusion Detection System (NIDS), Intrusion Prevention System (IPS)

I. INTRODUCTION

The ubiquity of Information and Communication Technologies (ICT) has led to high security risks and to a growing number of successful penetration efforts against the security of critical infrastructures. The perpetrators' goals are, commonly, the destruction, alteration and unauthorized use of data and computing resources. The consequences of such actions can cause significant damage to computer systems and to data integrity, as well as pose risks to users' privacy.

Malware, which is one of the most frequently used attack techniques, mainly targets application and system vulnerabilities. In cyber security terminology, a vulnerability is a weakness that can be exploited by a malicious entity, such as an attacker, to gain unauthorized access or perform unauthorized actions on ICT infrastructures. Vulnerabilities can be exploited by a variety of methods [1, 2].

The programming language through which everyone interacts with databases is SQL (Structured Query Language). SQL derives from relational algebra and was designed to define data (DDL, Data Definition Language) and to manipulate data (DML, Data Manipulation Language) in database management systems [13]. The reserved statements of SQL operate either in a DDL or in a DML manner, depending on the intention of the developer.

As one of the most common security vulnerabilities on the web, SQL injection attacks cannot be ignored [7]. SQL injection vulnerabilities compromise the protection of web applications, the entire database and the system/network infrastructure that hosts these applications. In the OWASP Top 10 for 2010, the OWASP Top 10 for 2013 and the OWASP Top 10 for 2017, SQL injection was ranked, three times, as the top challenge to web application systems [3].

XSS is an original form of injection code that can exploit an application's output function that references poorly sanitized user input [6]. XSS is the second most common issue in the OWASP Top 10 and is found in two out of three of all applications. SQL injection aims to create a query for execution in the database, while XSS exploits vulnerabilities in the HTML execution that sends data to the browser.

The purpose of XSS attacks is to inject special characters that can affect web browser interpreters so that they will recognize the text as a code object. For example, when an HTML page references a user input as data, an attacker might include the tag <script>, which can invoke the JavaScript interpreter.

Success of an XSS attack depends on the lack of character-specific filters in the web application, allowing the attacker to take advantage of exploits such as account hijacking, cookie poisoning, denial of service (DoS) and web content manipulation [6]. Typical input sources that attackers manipulate include HTML forms, cookies, URLs and external files. Attackers often favor JavaScript, but other kinds of client-side scripts, such as VBScript and Flash, which browsers can interpret, could cause XSS.

In this paper we present a system to efficiently detect and prevent SQL injection and XSS vulnerabilities and the corresponding attacks [1, 2]. The purpose is to analyze cybersecurity attacks based on SQL injection and XSS. Towards this purpose, a system for detecting and preventing these attacks is proposed and evaluated. Our proposed system is based on suitably modified protocols of the Nginx Reverse Proxy and on rules of the Suricata NIDS/IPS. The experimental results evinced the complete success of the proposed system. The combination of the components of our system can detect different types of attacks (SQL injection and XSS) associated with a web application,
without the existence of any firewall, while significantly reducing the network overhead.

Nginx is used by 38% of sites, and it enables having both a web server and a reverse proxy [1, 2]. It is widely used because it provides great convenience to users for customization. Suricata provides both signature-based and anomaly-based detection. There is no corresponding work with experimental results. Very little work, let alone work with experimental results, has been done that highlights the possibilities of a combined architectural approach for detecting and preventing SQL Injection and Cross-Site-Script.

II. RELATED WORK

Attempts have been made at the programming-language level to treat SQL vulnerabilities, using PHP Data Objects (PDO) and prepared statements to pass SQL statements submitted via web forms to the database. The experimental research on these approaches highlighted that SQL injection attacks were not traceable through the PDO and prepared statements of websites. Additionally, websites interconnected with the initially infected website are vulnerable and unfortified against SQL injection when using the PHP approaches [4, 5]. Many auxiliary programming tools and algorithmic techniques based on grammatical and structural patterns (i.e. syntax trees) for discovering vulnerabilities in SQL injection attacks have been tried [4, 7]. A Gap Weighted String Subsection Algorithm for detecting correct and safe SQL statements, based on the extraction properties of a string match, used training and testing to detect and prevent SQL injections dynamically [4].

In [5], a reverse proxy server was placed between the client and the web server. The reverse proxy server runs a tool for detecting and preventing infected user requests to the web server. The installed tool works as an evaluator based on an attack vector repository consisting of special symbols often found in malicious code for SQL injection. If the user's HTTP request contains these special symbols, the request is redirected from the web server to the reverse proxy server, without being executed on the web server. If a request is proved valid, it is released to the web server; otherwise it is blocked [5].

Several works [6] focused on the Snort IDS to detect network probe attacks, such as Denial-of-Service (DoS), XSS, etc. The IDS detects anomalies using attack signatures; it contains rules for each type of vulnerability, which need to be updated with new threats. It is possible to split the traffic between sensors using any dedicated policy and mechanism. The data collected for checking usually lead to Nmap [9, 16, 18].

Another approach for accurate SQL injection detection, based on machine and deep learning techniques, was shown to be effective and practical, but requires access to trusted and correct log data, which are not always available [8].

The innovation of our work is the combined treatment of SQL Injection and Cross-Site-Script (XSS) using the Reverse Proxy (Nginx) and Suricata NIDS/IPS tools, for improving the effectiveness of detecting and preventing cybersecurity risks.

III. SQL AND XSS ATTACK MECHANISMS

A. SQL Injection

SQL (Structured Query Language) is a programming language used to query a database. SQL is based on relational algebra and was designed to manage data in a Relational Database Management System (RDBMS) [13]. Some of the most essential SQL commands are CREATE, INSERT, UPDATE, DELETE, SELECT and DROP.

SQL Injection refers to a category of injection attacks where the data provided by the user are included in an SQL query. The effect is that the user input is interpreted as SQL code. Utilizing this vulnerability, an attacker could submit SQL commands directly to the database. These attacks are some of the most serious threats to any web application that takes data input from users and integrates it into SQL queries. Most web applications work as mentioned above and therefore could be vulnerable to SQL injection attacks.

Fig. 1. SQL Injection examples

As shown in Figure 1, the user injects the code 1' or '0'='0 in the login form of the web application. This SQL attack is based on a data tautology, and its introduction produces the following query:

SELECT * FROM users WHERE login='1' or '0'='0' AND pass='' AND pin=

With the above query, code is injected under the condition OR 0 = 0, converting the entire WHERE term into a tautology. The database uses the above condition as a basis for evaluating each row and deciding which ones to return to the application. Because the condition is based on a tautology, the query is evaluated as true for each row in the table, resulting in the return of all the rows (records) of the database table.

In this attack the returned set is non-empty, which makes the application conclude that the user authentication was successful. This attack causes the application to call the method that returns a table with all the records in the database.

B. Cross-Site-Script

Cross-site Scripting (XSS) is a security vulnerability where an attacker injects code into a web page. XSS attacks can be performed in VBScript, ActiveX, Flash and CSS; however, they are
more common in JavaScript [14]. During the XSS attack process, the attacker injects code into the application, so that this code is executed in the browser of the user who visits the hacked or bogus website.

One of the most important consequences of this type of attack is bypassing the application's access controls or policies, such as the Same-Origin Policy. The results of these attacks can range from a minor change to the web application that may affect the user experience to more serious consequences, with severe impact on users, depending on the sensitivity of the data handled by the vulnerable web application.

XSS attacks fall into three broad categories: non-permanent, permanent and Document Object Model (DOM) attacks. The first two categories, non-permanent and permanent, are usually called traditional and are caused by the server, while DOM XSS attacks are more complex and originate on the user side (client side).

Stored or persistent XSS attacks occur when the attacker injects a script on the target server, such as in a database, in a message forum, in a visitor log, in a comment field, etc. The purpose of this action is to store the malicious XSS code. The server includes the injected script from the database in a response and sends it to the user's browser. With the advent of HTML5 and other browser technologies, attack payloads can be permanently stored in the victim's browser, such as in an HTML5 database, and are never sent to the server [11].

Reflected or non-persistent XSS occurs when the web application server does not perform proper sanitation. An example of improper sanitation is when the server accepts all input contexts from users. Therefore, improperly checking the data entered by the user can lead to these attacks.

In reflected XSS, the attacker creates a URL containing a malicious script and sends it to the user's browser via email or through a neutral website. The attacker deceives the user into following the attacker's link with the malicious XSS script, thereby sending the request to the web application server. Subsequently, the web application includes the malicious script from the URL in its reply. The result of this process is that the malicious script executes in the user's browser and sends the user's cookies to the attacker's server.

DOM-based XSS, as defined by Amit Klein [17], is an XSS form based on the DOM model and arose with the development of Web 2.0 applications. DOM-based attacks are performed during the processing of user-controlled content on the client. This can lead to the insertion of the malicious script into the JavaScript code that runs in the user's browser.

DOM XSS attacks are named after the Document Object Model (DOM), which represents HTML or XML documents as objects. There are many ways to prevent these attacks, and they are similar to those for the other XSS attacks (stored and reflected). These are mainly based on the correct configuration of the JavaScript code that exists within web pages. In addition, there are several JavaScript frameworks for dealing with this type of attack and similar ones (e.g. the Angular framework).

DOM XSS is one of the most dangerous XSS attacks because it successfully extracts sensitive data from the victim's browser. Figure 2 presents an example of DOM XSS. It shows the results when the attacker deceives the user. An example of this is sending a well-formed email which includes a link to a malicious script. When the user follows the attacker's link with the malicious XSS script, this request is sent to the web application server. The web application receives the request and replies with the malicious script. When the process is completed, the malicious script is executed in the user's browser. The result of this process is the following: when the user's browser executes the malicious script, cookies with sensitive data are sent to the attacker's server.

Fig. 2. DOM Cross-Site-Script examples

There are many ways to deal with these attacks. In the next chapter we present our approach.

IV. THE PROPOSED SYSTEM

Our proposed system to enhance the detection and prevention of SQL and XSS attacks combines the use of suitably modified protocols of the Nginx Reverse Proxy and rules of the Suricata NIDS/IPS in order to find SQL injection and XSS vulnerabilities.

Fig. 3. The architecture of the proposed system
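The tautology attack of Section III.A, as an added worked example that is not code from the paper or from DVWA: a constructed in-memory SQLite table, the paper's payload 1' or '0'='0 concatenated into a login lookup, and the same lookup with a bound parameter. The vulnerable query checks only the login column (an assumption of the example); because AND binds tighter than OR in SQL, where an injected OR lands in a longer WHERE clause decides how much of the condition becomes a tautology.

```python
import sqlite3

# Constructed sample rows; not data from the paper.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]

def make_db():
    """In-memory database with a users table in the spirit of the paper's (login, pass)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def build_query(login):
    """String concatenation as the vulnerable application does it: the user's
    text becomes part of the SQL grammar, quotes included."""
    return "SELECT login FROM users WHERE login='" + login + "'"

def vulnerable_lookup(conn, login):
    """Executes the concatenated query; a non-empty result is what the
    application in Section III.A treats as a successful authentication."""
    return [row[0] for row in conn.execute(build_query(login))]

def safe_lookup(conn, login):
    """Hardened form: the driver binds the text as a value, so it can only ever
    be compared with the column, never parsed as SQL."""
    rows = conn.execute("SELECT login FROM users WHERE login=?", (login,))
    return [row[0] for row in rows]

PAYLOAD = "1' or '0'='0"   # the tautology input from Figure 1

if __name__ == "__main__":
    conn = make_db()
    print(build_query(PAYLOAD))
    print("concatenated:", vulnerable_lookup(conn, PAYLOAD))   # every row
    print("parameterized:", safe_lookup(conn, PAYLOAD))        # no row
```

With the payload, the concatenated WHERE clause becomes login='1' or '0'='0', which is true for every row, so all three logins come back; the parameterized lookup compares the whole payload string with the login column and returns nothing.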
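Reflected XSS as described in Section III.B, as an added example that is not code from the paper: a constructed page template copies a query parameter into a text node and into an attribute value without encoding, beside the same template with output encoding through Python's html.escape. The test string (the <script> tag from the Introduction, preceded by a quote so that it also affects the attribute context) is constructed.

```python
from html import escape

# Constructed page template: the search term is reflected into a text node and
# into an attribute value, the two most common reflection points.
TEMPLATE = (
    "<html><body><p>Results for: {text}</p>"
    '<input type="text" name="q" value="{attr}"></body></html>'
)

def render_reflected(q):
    """Vulnerable: the parameter is copied into the page unchanged, so any
    markup in it becomes part of the document the browser executes."""
    return TEMPLATE.format(text=q, attr=q)

def render_escaped(q):
    """Hardened: output encoding turns <, >, &, " and ' into entities, so the
    browser renders the input as text in both contexts. escape() quotes by
    default, which the attribute context needs."""
    return TEMPLATE.format(text=escape(q), attr=escape(q))

def reflects_markup(rendered, injected):
    """True when the injected string survives verbatim in the output."""
    return injected in rendered

# Constructed test string, not an operational payload.
PAYLOAD = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print(render_reflected(PAYLOAD))   # the tag is live markup
    print(render_escaped(PAYLOAD))     # the tag is inert text
```

The encoded rendering is the sanitation the paper says the server is missing; it is applied at output time, per context, rather than by rejecting inputs that happen to contain angle brackets.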
Figure 3 shows the main components of the proposed system and their operation: when the user logs in, the request is sent to the Nginx proxy server; the proxy server checks whether the request meets all the prerequisites, protocols, filters and conditions that we have set; finally it sends the request to the appropriate database. If the conditions are not met, a corresponding error is returned.

When the request is sent from the proxy server to the database, the Suricata NIDS/IPS checks whether the request respects all the rules that have been activated. If a rule is violated, the connection process is terminated, a corresponding error is sent, and the administrator is informed. If all rules are observed, the connection process continues with the dispatch of the request to the database. A crucial feature of Suricata NIDS/IPS is the combined use of a signature base and a statistical anomaly base. Consequently, for the duration of the connection between the client and the web application, the Suricata NIDS/IPS checks for any statistical anomaly, alerting the administrator if necessary.

The application used to test the proposed system is the Damn Vulnerable Web App (DVWA), a web application in PHP/MySQL. The tools used to test the proposed system are:
Nginx Reverse Proxy;
PHP-FPM (PHP-FastCGI process manager), used to run the PHP scripts;
Suricata (IDS and IPS);
Damn Vulnerable Web App (DVWA);
MySQL 5.2 Database (MariaDB).
The environment used to implement the system is kali-linux-2021.1-amd64.

A. Reverse Proxy

A reverse proxy server, as shown in Figure 3, is located in front of a web server and receives all requests before they reach the origin server. This server works similarly to a forward proxy server [12]. Reverse proxies are commonly used in front of a web server to improve:
Processing,
Security,
Reliability.

As mentioned earlier, in our system we used the Nginx Reverse Proxy. Nginx is open-source software for web applications, reverse proxying, caching, load balancing, media streaming, and more. In addition to its HTTP server capabilities, NGINX can also act as an email proxy server (IMAP, POP3 and SMTP) and as a reverse proxy and load balancer for HTTP, TCP and UDP servers.

Nginx was originally created by Igor Sysoev, with its first public release in October 2004. Some of the most well-known companies that use Nginx are Autodesk, Atlassian, Intuit, T-Mobile, GitLab, DuckDuckGo, Microsoft, IBM, Google, Adobe, Salesforce, VMWare, Xerox, LinkedIn, Cisco, Facebook, Target, Citrix Systems, Twitter, Apple, Intel and many others [12].

Based on the publication of Netcraft, we notice that NGINX Plus and NGINX are the most popular web servers and application delivery solutions used by major websites, such as Dropbox, Netflix and Zynga. More than 400 million websites worldwide rely on NGINX Plus and NGINX Open Source to deliver their content quickly, reliably and securely.

The Nginx reverse proxy in a Linux environment was used to implement the proposed system. Because Nginx does not support PHP script execution, PHP-FPM (PHP-FastCGI process manager) was used. It communicates through the Common Gateway Interface (CGI), which acts as an interface between the web server and dynamic content servers. It listens on a port, as the web server itself does, and passes requests between PHP and the web server.

After completing the installation, we modified the Nginx configuration file accordingly, introducing the appropriate protocols to prevent SQL injection and Cross-Site-Script (XSS) attacks.

Fig. 4. Reverse Proxy Protocol execute.

As shown in the code of Fig. 4, we used the Nginx feature of accepting the "if" command. In this case we used the "if" command to check the parameters $query_string, $request_uri and $uri and to return the chosen error (we use error 444). Therefore, the above code works like the definition of the protocols in a firewall.

As soon as the import of the appropriately modified protocols is completed, the XSS filter suggested by OWASP is introduced, which is present in all modern web browsers such as Chrome, IE and Safari. This filter stops pages from loading when it detects XSS attacks, by blocking the full-page download.

B. Suricata NIDS/IPS

An Intrusion Detection System (IDS) is an event monitoring and analysis system. This can be either a device or a software application that monitors a network or systems for malicious activity. Any intrusion or breach activity is usually reported either to the administrator or collected centrally using a Security Information and Event Management (SIEM) system.
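The Nginx "if" blocks of Fig. 4 are an image and are not reproduced in the text above. The following added example (not the authors' configuration) models how such directives evaluate: it derives $request_uri, $query_string and $uri from a raw request target the way Nginx populates them (the first two are raw, $uri is URL-decoded), applies constructed case-insensitive patterns for the two payload families discussed in Section III (a quote-OR tautology and a <script> tag) and returns 444, the Nginx status that closes the connection without sending a response. Each pattern is shown with its equivalent "if" directive in a comment; the patterns, the helper names and the sample requests are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Nginx variables inspected by the paper's "if" blocks, derived here from a raw
# request target (constructed helper, standing in for Nginx's own parsing):
#   $request_uri   raw path plus query, exactly as the client sent it
#   $query_string  raw query part, not URL-decoded
#   $uri           normalized, URL-decoded path without the query
def nginx_vars(raw_target):
    parts = urlsplit(raw_target)
    return {
        "$request_uri": raw_target,
        "$query_string": parts.query,
        "$uri": unquote(parts.path),
    }

# Building blocks for patterns that must match both the raw and the
# percent/plus-encoded form, because $query_string and $request_uri are raw.
SP = r"(?:\s|%20|\+)*"      # optional whitespace, raw or encoded
QUOTE = r"(?:'|%27)"        # single quote, raw or encoded
LT = r"(?:<|%3C)"           # '<', raw or encoded

# Constructed rules in the style of Fig. 4 (assumptions of this example):
#   if ($query_string ~* "'(\s|%20|\+)*(or|and)(\s|%20|\+)*'?\d") { return 444; }
#   if ($request_uri  ~* "<(\s|%20|\+)*/?script")                { return 444; }
RULES = [
    ("sqli-tautology", ("$query_string", "$request_uri"),
     QUOTE + SP + r"(?:or|and)" + SP + QUOTE + r"?\d"),
    ("xss-script-tag", ("$query_string", "$request_uri", "$uri"),
     LT + SP + r"/?script"),
]

def evaluate(raw_target):
    """Return (444, rule_name) when a rule fires, else (200, None)."""
    variables = nginx_vars(raw_target)
    for name, var_names, regex in RULES:
        pattern = re.compile(regex, re.IGNORECASE)    # "~*" is case-insensitive
        for var in var_names:
            if pattern.search(variables[var]):
                return 444, name
    return 200, None

# Constructed requests: the Figure 1 payload as a browser would encode it, a
# <script> injection, and two benign requests (one containing an apostrophe).
SAMPLE_REQUESTS = [
    "/login.php?username=1%27%20or%20%270%27%3D%270&password=",
    "/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "/login.php?username=alice&password=s3cret",
    "/search.php?q=o%27brien",
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(evaluate(target), target)
```

Checking all three variables, as the paper does, is what makes the encoded and the decoded spelling of a payload both reachable; a pattern applied only to $uri would never see the query string, and one applied only to the raw variables would miss a payload that is percent-encoded in a way the pattern does not list.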
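Section IV.B goes on to describe the rule of Fig. 5: action alert, protocol TCP, any source address and port, destination port 80, msg "Return Error" and sid 1000011. As an added example (not the authors' rule), the following parser splits a Suricata rule into its Rule Header and its Rule Options and is run on a constructed rule carrying those values; the content match and the remaining options are assumptions of the example. The helper as_drop_rule shows the one change needed for inline IPS mode, where the drop action discards the matching packet instead of only alerting.

```python
# Constructed rule with the header and option values the paper gives for
# Fig. 5; the content match and the other options are assumptions.
SAMPLE_RULE = (
    'alert tcp any any -> any 80 (msg:"Return Error"; flow:to_server,established; '
    'content:"<script"; nocase; http_uri; '
    'classtype:web-application-attack; sid:1000011; rev:1;)'
)

# Rule Header fields in the order Suricata writes them.
HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")

def split_options(text):
    """Split 'key:value; key; ...' on semicolons that are outside double quotes,
    so a content match containing ';' is not cut in half."""
    options, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        options.append(tail)
    return [o for o in options if o]

def parse_rule(rule):
    """Return {'header': {...}, 'options': [(keyword, value or None), ...]}."""
    head, paren, rest = rule.partition("(")
    if not paren or not rest.rstrip().endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    tokens = head.split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError("rule header needs %d fields" % len(HEADER_FIELDS))
    header = dict(zip(HEADER_FIELDS, tokens))
    if header["direction"] not in ("->", "<>"):
        raise ValueError("bad direction " + header["direction"])
    options = []
    for opt in split_options(rest.rstrip()[:-1]):
        key, colon, value = opt.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip the quotes around msg/content
        options.append((key.strip(), value if colon else None))
    return {"header": header, "options": options}

def option(parsed, keyword):
    """First value of a keyword, or None (also for flag keywords like nocase)."""
    for key, value in parsed["options"]:
        if key == keyword:
            return value
    return None

def as_drop_rule(rule):
    """Rewrite 'alert' to 'drop' for inline IPS mode; other actions are kept."""
    action, space, rest = rule.partition(" ")
    return "drop" + space + rest if action == "alert" else rule

if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    print(parsed["header"])
    print(parsed["options"])
    print(as_drop_rule(SAMPLE_RULE))
```

The header fixes where the rule applies (client to server traffic towards port 80); everything that identifies the attack, including the message and the sid that the paper's alert carries, lives in the options, which is why the sid sits at the end of the Rule Option as the text below notes.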
A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms [13, 14].

IDSs are used in both simple and large-scale systems, such as PCs, computer networks, etc. [13, 14].

IDS systems are usually divided into two categories, network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). HIDS are systems that monitor important operating system files, while NIDS are systems that analyze incoming network traffic.

IDS systems are classified into two broad categories based on the detection technique: signature-based detection, based on the recognition of bad patterns such as malware, and anomaly-based detection, that is, the detection of deviations from a model, mostly based on machine learning techniques. An additional kind of IDS is the hybrid IDS, which uses both anomaly-based and signature-based detection. This allows the detection of more potential attacks with a lower error rate than a single technique. Some IDS systems, such as Suricata, have the ability to respond to detected intrusions. Such response systems are called Intrusion Prevention Systems (IPS) [13, 14].

Suricata NIDS/IPS uses the following detection methods:
Signature-based detection: the signature IDS monitors packets on the network and compares them to predefined packets as well as to predefined attack patterns known as signatures.

Fig. 5. Example of Rule Header and Rule Option in Suricata IDS/IPS.

The rule has a specific configuration, as shown in Figure 5. In the Rule Header, the action is "alert", the protocol is "TCP", the source address and port and the destination address can be any address and port in the network, and the destination port is "80".

In case of an attack, the rule blocks the attack and produces the message (msg: "Return Error"; sid: 1000011;, Figure 5), which includes the type of the attack. In this case the type of the attack is an SQL injection or a type of XSS, with specific content that can cover each type of attack. The part where the rule is saved is placed at the end of the Rule Option.

V. RESULT

In our proposed system, whose architecture was described in Figure 3, we executed combined attack scenarios, either directly against the application by injecting SQL, or indirectly, using the automatic SQL injection and database takeover tool sqlmap. It is initially observed that Nginx, by returning error 444, properly prevented direct SQL code injection attacks with direct code input. These attacks were specified in its configuration file, and this happened in all cases. As Table I shows, the Reverse Proxy detects and prevents all SQL injection types except timing attacks.

TABLE I. PREVENTION ABILITY OF NGINX AND SURICATA

SQL INJECTION ATTACKS   REVERSE PROXY (Nginx)   SURICATA IDS/IPS
Tautology               *                       *

Fig. 6. Example of sqlmap.

In the process of these attacks, it is observed that the system presented prevented all kinds of attacks without giving any basic
information to the intruders. The only information that leaked from the system was the type of web application, i.e. that Nginx is used.

Upon the completion of more than 3500 attacks in each category using sqlmap, it was observed that the proposed system is effective. The only information that was leaked was about the type of application and the database, without giving any essential information to the attacker. Therefore, the operation of the proposed system is successful. In addition, there was no need to use a firewall, which could impose overhead on the computer system.

VI. CONCLUSION AND FUTURE WORK

This paper introduced the ability to modify Nginx and Suricata IDS/IPS to detect and prevent SQL and Cross-Site-Script injection attacks. Our proposed system combines a properly modified Reverse Proxy, Nginx, with Suricata IDS/IPS, placing the necessary protocols and rules in order to detect and prevent SQL injection and XSS attacks. In the process of these attacks, it is observed that the system prevented all kinds of attacks without giving any basic information to the intruders. The only information that leaked from the system was the type of web application.

Regarding future research work, additional protocols and rules to deal with attacks such as Broken Access Control and Insecure Deserialization, as well as the ability to detect and prevent new attacks such as mutated XSS, will be evaluated. It is also important to study additional anomaly detection models in Suricata IDS/IPS for better and immediate detection of attacks. Moreover, it would be of particular interest to explore and compare our proposed architecture with more resource-intensive tools such as Snort, Zeek and firewalls.

ACKNOWLEDGMENT

The authors are grateful for the financial support provided by the European Commission for the Horizon 2020 under grant agreement No 952690, project CYRENE, and from the national programme EPAnEK in the No. T2EΔ/03488 project CYSMET.

REFERENCES

[1] W. G. J. Halfond, J. Viegas, and A. Orso, "A classification of SQL-injection attacks and countermeasures", Proceedings of the IEEE International Symposium on Secure Software Engineering, Vol. 1, IEEE, 2006.
[2] The Ten Most Critical Web Application Security Risks, https://owasp.org/www-project-top-ten/ [Sep 2021]
[3] OWASP Top 10 - 2017, https://owasp.org/www-project-top-ten/2017/Top_10 [Sep 2021]
[4] F. Q. Kareem, S. Y. Ameen, A. A. Salih, D. M. Ahmed, S. F. Kak, H. M. Yasin, I. M. Ibrahim, A. M. Ahmed, Z. N. Rashid, and N. Omar, "SQL injection attacks prevention system technology", Asian Journal of Research in Computer Science (2021): 13-32.
[5] T. S. Mule, A. S. Mahajan, S. Kamble, and O. Khatavkar, "Intrusion Protection against SQL Injection And Cross Site Scripting Attacks Using a Reverse Proxy", International Journal of Computer Science and Information Technologies, Vol. 5 (3), 2014, 2846-2850.
[6] S. F. Hidhaya, and A. Geetha, "Intrusion Protection against SQL Injection and Cross Site Scripting Attacks Using a Reverse Proxy", International Conference on Security in Computer Networks and Distributed Systems, SNDS 2012: Recent Trends in Computer Networks and Distributed Systems Security, pp. 252-263.
[7] Q. Xue, and P. He, "On Defense and Detection of SQL SERVER Injection Attack", 2011 7th International Conference on Wireless Communications, Networking and Mobile Computing.
[8] D. Chen, Q. Yan, C. Wu, and J. Zhao, "Sql injection attack detection and prevention techniques using deep learning", Journal of Physics: Conference Series, Vol. 1757, No. 1, IOP Publishing, 2021.
[9] L. K. Shar, and H. B. K. Tan, "Defending against cross-site scripting attacks", Research Collection School Of Information Systems, Computer 45, 3 (2011): 55-62.
[10] W. Kießling, and G. Köstler, "Preference SQL-design, implementation, experiences", VLDB'02: Proceedings of the 28th International Conference on Very Large Databases, Morgan Kaufmann, 2002.
[11] OWASP Cross Site Scripting (XSS), https://owasp.org/www-community/attacks/xss/ [Sep 2021]
[12] How to Set up a Reverse Proxy (Step-By-Steps for Nginx and Apache), https://kinsta.com/blog/reverse-proxy/ [Sep 2021]
[13] S. Axelsson, "Intrusion detection systems: A survey and taxonomy", Vol. 99, Technical report, 2000.
[14] R. C. Newman, "Computer security: Protecting digital resources", Jones & Bartlett Publishers, 2009.
[15] https://www.snort.org
[16] S. Syaifuddin, D. Risqiwati, and H. A. Sidharta, "Automation Snort Rule for XSS Detection with Honeypot", 5th International Conference on Electrical Engineering, Computer Science and Informatics (EECSI), IEEE, 2018.
[17] A. Klein, "DOM based cross site scripting or XSS of the third kind", Web Application Security Consortium, Articles 4 (2005): 365-372.
[18] Q. Temeiza, M. Temeiza, and J. Itmazi, "A novel method for preventing SQL injection using SHA-1 algorithm and syntax-awareness", 2017 Joint International Conference on Information and Communication Technologies for Education and Training and International Conference on Computing in Arabic (ICCA-TICET).