2024 IEEE Transaction on All Domains For More Details::Contact::K.Manjunath - 09535866270 http://www.tmksinfotech.com and http://www.bemtechprojects.com 2024 and 2025 IEEE Projects@ TMKS Infotech,Bangalore

Uploaded by

Manju Nath

PROGESI: A PROxy Grammar to Enhance Web Application Firewall for SQL Injection Prevention
ABSTRACT

A web application is prone to security threats due to its open nature. The security of
these platforms is imperative for organizations of all sizes because they store
sensitive information. Consequently, exploiting web application vulnerabilities could
result in large-scale data breaches and significant brand and financial damages. SQL
injection (SQLi) represents a popular attack vector that malicious actors use to
compromise website security. Web application firewalls (WAFs) play a primary role
in preventing such attacks. In the recent literature, several
advances have been proposed in the field of WAF enhancement to prevent SQLi
exploitation. However, many of them test the effectiveness of a WAF without
releasing a patch to fix security flaws if a WAF is bypassed. In other cases, the patch
is distributed exclusively according to the syntax specified by the WAF tested. This
paper introduces a framework that leverages PROxy Grammar to Enhance web
application firewalls for SQL Injection prevention (PROGESI). The proposed
solution can act as an intermediary layer between the targeted web server and the
incoming application-level requests. Specifically, PROGESI can be used on its own
or in combination with a WAF and includes a series of rules that patch SQLi
vulnerabilities exposed by a specific web server. Furthermore, it can identify and
mitigate SQLi attempts even when attackers use mutation techniques, since the rules
it uses encompass generalization mechanisms. The experiments performed revealed
two strengths of PROGESI: (i) the ability to identify SQLi even in the presence of
server-side defense mechanisms, which increases as the generalization rate
implemented by the rule generation algorithm increases; (ii) impressive detection
performance even for low generalization rate values, which is higher than that
achieved by competitors using a state-of-the-art SQLi dataset.
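As an added illustration of the proxy-rule idea described above (example code written for this page, not PROGESI's own rule set or its rule-generation algorithm): each incoming parameter value is canonicalised first, so that a single grammar-style rule covers many syntactic mutations (case changes, inline comments, double URL encoding), and is then matched against a few named SQLi families. The sample values and the rule set are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request parameter values (not taken from the paper).
SAMPLES = {
    "benign_name": "O'Brien",
    "benign_search": "select the best union plan",
    "tautology": "1' OR '1'='1",
    "tautology_mutated": "1'/**/oR/**/'a'='a",
    "union_double_encoded": "1%2527%2520UNION%2520SELECT%2520a%252Cb%2520FROM%2520t--",
    "stacked": "1; DROP TABLE users--",
}

def normalize(value: str) -> str:
    """Canonicalise a parameter so that one rule covers many mutations."""
    for _ in range(3):                        # bounded repeated decoding (double encoding)
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)  # inline comments used as whitespace
    value = re.sub(r"\s+", " ", value)        # collapse runs of whitespace
    return value.strip().lower()

# Grammar-style rules over the canonical form; each names one SQLi family.
# The tautology rule compares both sides of the OR comparison via a backreference,
# so it generalises over whatever literal the request happens to use.
RULES = {
    "tautology": re.compile(r"'\s*or\s+'?(\w+)'?\s*=\s*'?\1'?"),
    "union_select": re.compile(r"\bunion(\s+all)?\s+select\b"),
    "stacked_query": re.compile(r";\s*(drop|delete|update|insert)\b"),
}

def classify(value: str) -> list:
    """Rule families matched after normalisation; [] means pass the request through."""
    canon = normalize(value)
    return [name for name, rx in RULES.items() if rx.search(canon)]

def run_samples() -> dict:
    """Classify every constructed sample; used as the proxy's self-check."""
    return {key: classify(val) for key, val in SAMPLES.items()}

if __name__ == "__main__":
    for key, hits in run_samples().items():
        print(f"{key:22s} -> {'BLOCK ' + ','.join(hits) if hits else 'allow'}")
```

The two benign samples pass because the rules key on SQL structure in the canonical form rather than on bare keywords such as "select" or "union".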

EXISTING SYSTEM

Web application attacks have been combated by several mitigation techniques in the
current literature. Depending on the application level at which the defense line
operates, these can be divided into the following: (i) security by design solutions, i.e.,
application development that aims to limit, from the earliest stage of creation,
potential vulnerabilities; (ii) ML models developed to predict attacks on web
applications; (iii) WAF solutions for protecting web servers against malicious HTTP
traffic. In this section, a review of the methods belonging to the aforementioned
categories is presented. Then, the motivation for the proposed contribution that
emerged from this review is outlined.

Security by design solutions represent an effective strategy to protect web
applications against SQLis. Using these approaches, software vulnerabilities can be
automatically repaired according to the programming language used in the
development of web applications [20]. Input sanitizers represent a first line of
defense, consisting of reducing the input domain of an application as a whole, acting
directly on the values provided by the user. If a user provides a value outside the
domain, this type of defense stops the execution of the program. Therefore, in such
cases, developers establish defense software routines that identify acceptable inputs
rather than unacceptable ones [43]. In [44], a MySQL plugin, called SQLBlock is
presented to prevent popular PHP web applications from being attacked using the
SQLi attack vector. Laravel [45], [46] is one of the most popular frameworks used
for PHP-developed web applications. It can protect from SQLi attacks as it uses the
bind variables, i.e., a mechanism to provide values to the structured query language
(SQL) statement through parameterization; thus, the values are not included in the
generic SQL statement as literals. This is achieved using an object-relational mapper,
namely Eloquent [47]. However, a security by design solution should not be tied
to specific programming languages, e.g., the prepared statement interface in
Java. This led the authors of [48] to conduct a deeper investigation of secure design
patterns to address vulnerabilities in web applications, such as SQLis. Specifically,
the secure strategy factory pattern is examined. According to the strategy design
pattern, a specific algorithm is selected to deal with the attack on the web application.
Similarly, in [49] the factory design pattern is extended so that a specific function
implements a secure strategy to take the necessary action in the case of an SQLi
attack. This function takes advantage of the libinjection library. The stored
procedures [50] represent an alternative method that uses subroutines composed of
predefined SQL code recalled when requested. In this way, an abstraction layer is
added before interacting with the DB. In [51], an ad hoc secure design pattern approach
for lateral-based SQLi attacks is proposed. By using such a design pattern, user- and
security-level features can be decoupled but still work together. It is an architectural
model consisting of three main elements, each delegated for a specific task, such as
triggering the security strategy to be adopted (secure zones) for protecting data
(sensitive zone) from user input injections (injection zone).

Several ML-based solutions have recently been proposed to detect and counter
SQLi attacks because of the effective outcomes achieved by this paradigm [52]. In
[53], an artificial neural network (ANN) model is presented to distinguish between
malicious and legitimate uniform resource locators (URLs). SQLi patterns are crafted
into malicious URLs, while legitimate URLs consist of the most popular URL
addresses in the UK, according to a report by the Alexa service. In [54], a support
vector machine (SVM)-based classifier is used on data that include SQL tokens
extracted from the Microsoft SQL reserved keyword website. Such data were
preprocessed using an oversampling strategy to deal with class skew and the
computation of the Gini index for feature selection. In [55] and [56] a deep learning
(DL)-based model, i.e., an adaptive deep forest model, is proposed to deal with SQLi
detection, which integrates adaptive boosting and SVM as classification techniques.
A comprehensive analysis of twenty-three ML classifiers is presented in [57].
Specifically, in such an examination, classifiers are trained using injected and
legitimate SQL statements. A deep natural language model based on DL and word
sequence prediction is presented in [58].

Disadvantages

• Existing systems did not explore an implementation for SQL injection (SQLi).
• Existing systems did not implement a context-free grammar.

Proposed System

• With respect to security by design strategies, although Laravel includes features to
protect against these SQL injection vulnerabilities (such as wrapping column names),
some DB engines may still be vulnerable because they do not support binding
variables (depending on their versions and configurations).
• Regarding the input sanitizers, this mitigation strategy is not applicable in every
case because it could lead to the need for a complete rewrite of the source code
software, which in some cases is not a cheap solution. In addition, inhibited
characters may be present in some strings. Finally, the introduction of sophisticated
input sanitizer methods could result in a degradation in web application performance.
• Although ML-based detection algorithms are the most widespread and popular,
the emerging cybersecurity frontiers of AI systems make these systems susceptible
to adversarial attacks that can evade them.

Advantages

• It combines state-of-the-art methodologies to leverage their strengths to define a
general framework, called PROGESI, capable of countering SQLi attacks.
• It provides a set of ad-hoc rules for proxy-based solutions that can be used to
mitigate sophisticated SQLi vulnerabilities.

SYSTEM REQUIREMENTS

H/W System Configuration:
• Processor - Pentium IV
• RAM - 4 GB (min)
• Hard Disk - 20 GB
• Keyboard - Standard Windows Keyboard
• Mouse - Two or Three Button Mouse
• Monitor - SVGA

Software Requirements:
• Operating System - Windows XP
• Coding Language - Java/J2EE (JSP, Servlet)
• Front End - J2EE
• Back End - MySQL
