International Journal of Database Management Systems (IJDMS) Vol.6, No.1, February 2014
DOI : 10.5121/ijdms.2014.6102
A HYBRID TECHNIQUE FOR SQL INJECTION ATTACKS DETECTION AND PREVENTION
Jalal Omer Atoum and Amer Jibril Qaralleh
Princess Sumaya University for Technology, Amman, Jordan
ABSTRACT
SQL injection is a type of attack used to gain, manipulate, or delete information in any data-driven system, whether that system is online or offline and whether it is web-based or not. It is distinguished by the multiplicity of its execution methods, so existing defense techniques could not detect or prevent all such attacks. The main objective of this paper is to create a reliable and accurate hybrid technique that secures systems from being exploited by SQL injection attacks. This hybrid technique combines static and runtime SQL query analysis to create a defense technique that can detect and prevent various types of SQL injection attacks. To evaluate the proposed technique, a large set of SQL queries was executed through a simulation developed for this purpose. The results indicate that the proposed technique is reliable and more effective in capturing more SQL injection types compared with other SQL injection detection methods.
KEYWORDS
Database SQL Injection Attacks, Static Analysis, Runtime Analysis, Three Tier Architecture.
1. INTRODUCTION
SQL injection attacks (SQLIAs) are very effective system attacks that can be used to gain or manipulate data in data-driven systems, which is a common problem for web applications published on the Internet. Furthermore, SQLIAs are easy to learn and easy to execute, so they can be carried out even by inexperienced hackers [16].
Many research efforts have developed various methods to detect and prevent SQLIAs. Each of these methods covers an objective or set of objectives related to this type of attack, but no single method can cover the whole system against SQL injections [6].
The danger of SQLIAs is that when they are performed through the victim's back-end system, they run with the same privileges that the system has on the database. This means that if the system has power-user or administrator permissions, the injected code could be executed with catastrophic effects on the victim machine [2].
Section two presents the aspects related to the different types of SQLIAs and describes the vulnerabilities that can be used to carry out SQLIAs. Section three presents different previous solutions for SQLIA detection and prevention. Section four presents the proposed hybrid technique. Section five presents a description of the simulation that has been developed to evaluate the reliability and accuracy of the proposed hybrid technique. Finally, section six presents the conclusion and future work.
2. SQL INJECTION ATTACKS
No solution guarantees that all vulnerabilities in a system will be covered and controlled completely (100%). SQLIA attackers prefer to exploit certain vulnerabilities in order to breach the system's data; these vulnerabilities lie either in software or in components such as servers, web services, operating systems, applications, and database engines. If these components are not continuously updated with the latest patches and security updates, they will be more susceptible to attack and may not be able to reject such attacks.
Monitoring, logging, validation, intrusion detection, and other operations are very useful in system architectures to improve the security of the database. If the system does not apply a strong input validation technique to check every database input, a critical problem arises, because the input parameters are the primary gate through which an attacker can inject malicious code [3].
Developers should be careful about error reporting: they should not enable client-side error reporting, because it can leak important information about the code or the database of the system.
The first mechanism for securing a database is to ensure that access to it is properly controlled, by assigning access rights to the appropriate users or objects [8]. Hence, if this first line of defense is not handled as well as required, the database will be vulnerable to different types of attacks.
It is important to secure the data, especially sensitive data, so even if the database is secured from being hacked, sensitive data should be encrypted in the database or in transit over the network [13].
In advanced SQLIAs, attackers prefer to use the database core tables that contain sensitive information about the whole database system. Table 1 shows some of the common database system tables that are preferred for use in SQLIAs.
Table 1. Database system tables for different database environments
MS SQL Server: sysobjects, syscolumns
MS Access Server: MSysACEs, MsysObjects, MsysQueries, MSysRelationships
Oracle: SYS.USER_OBJECTS, SYS.TAB, SYS.USER_TABLES, SYS.USER_VIEWS, SYS.ALL_TABLES, SYS.USER_TAB_COLUMNS, SYS.USER_CONSTRAINTS, SYS.USER_TRIGGERS, SYS.USER_CATALOG
SQLIAs target database engines that are connected with data-driven systems. Hence, once users are connected to the database to get answers to their requests, the system submits these requests as SQL queries to the database management system (DBMS) in the database server. After that, the database server returns the related information (answers) to the system. Finally, the system renders the resulting data as visual information to the requester (user).
The attacker can exploit the flow of data between the user, the system, and the database to gain or manipulate the data by sending queries loaded (injected) with malicious scripts, inline SQL queries, or commands that will be executed by the database engine and applied to the system database [7].
The intents of SQL injection attacks can be categorized as: identifying database information, information gathering, database manipulation, code injection, function call injection, or buffer overflows. For more information on these SQL injection attacks please refer to [4].
The most effective gateways used to perform the different types of SQLIAs are: browser variables, user inputs, and injected HTTP headers [4].
3. BACKGROUND
This section presents the literature review related to SQLIAs and describes the common research and techniques that have been developed to detect and prevent SQLIAs.
SQLIA detection and prevention techniques have adopted various aspects in order to come up with an appropriate solution to prevent SQLIAs from being applied to different types of databases. Some of these aspects are:
• Static Analysis: Static analysis is a principle that relies on discovering the weaknesses and malicious code in the system source code before reaching the execution stage [10, 12]. Generally, this principle has been one of the most widely used to detect or prevent SQLIAs.
• Runtime Analysis: This is a technique used to detect a specific type of attack that must be identified in advance, without the need to modify the development lifecycle or to have the source code of the system. Such a technique relies on monitoring the events of the system throughout its execution and detects whether any attack is happening during execution [7].
• Static and Runtime Analysis: In this type of analysis, different researchers have chosen to combine the two aforementioned techniques to create a more effective and reliable solution, obtaining better quality with faster development and testing processes [1].
4. PROPOSED HYBRID TECHNIQUE
This section focuses on the main idea of the proposed hybrid technique for detecting and preventing SQLIAs.
4.1 Normal Data Exchanging Technique
There are many architectures for managing and organizing data-driven systems, but the most common architecture in use is the three-tier architecture, which relies on dividing the system into three tiers [15] as follows:
1. Presentation Tier (a web browser or rendering engine).
2. Logic Tier (server code, such as C#, ASP, .NET, PHP, JSP, etc.).
3. Storage Tier (a database such as Microsoft SQL Server, MySQL, Oracle, etc.).
Figure 1 summarizes the steps of exchanging data among the three tiers of the system architecture.
Figure 1. Three-Tier Architecture Data Exchanging
Figure 2 describes the normal mode of linking logged-on users to the systems that host the database instances and of determining the accessible instances.
Figure 2. Accessing Database in Normal Mode
4.2 Proposed Approach
The proposed approach is a runtime detection and prevention method that follows the same steps as the normal approach for exchanging queries between the architecture parties (Presentation-Logic-Storage); however, it provides an extra line of defense at the Data Tier to ensure that this side will not execute any abnormal code that could affect the system partially or completely, or affect the hosting operating system and devices.
This approach is based on providing a security control method at the database server side to ensure that all requested SQL queries, whether from inside or outside the system, are executed securely without any database fabrication or hacking. Figure 3 illustrates the process flow diagram of the proposed approach stages, from obtaining user or application access to the execution of the queries that have been delivered to the database.
Figure 3. Process Flow Diagram for the Proposed Approach
4.3 Proposed Approach Stages
The proposed approach is based on different stages that reject any malicious query before it is passed to the database engine for execution. These stages can be listed as follows:
• Replicate system databases: For each database to be secured from SQLIAs, there should be a new replicated database, and it should contain a small amount of sample data.
• Creating the "database_Behaviors" database: The proposed approach should have a separate database called "database_Behaviors" that contains all system database queries and the expected behaviors that result from executing those SQL queries under normal conditions. This database is located in the replicated instances.
• Redirect SQL queries: Any SQL query assigned for execution in the target database is initially delayed and replicated by the database engine; the replicated query is then sent to the virtual database (the schema-replicated database). Hence, the original SQL query is not executed in this stage and is delayed to a later stage.
• Simple SQL syntax checking: All SQL queries passing through the replicated database should also pass through several checking processes before they move to the next step, namely "the execution process". The following list presents the checks that the SQL queries should pass through:
– Encoding Analysis: Before continuing to any subsequent step, the received SQL queries should be analyzed to determine the character encoding that was used to write them. There are many techniques that can be used for this analysis, such as "Automatic Identification of Language and Encoding" [11].
– Simple White-Box validation: The query should go through simple syntax validation and filtering for specific SQL reserved words, particularly those that invoke EXECUTE or SHELL commands.
– Parameter replacement: Any parameter found in the SQL query should be replaced by an indexed parameter name, such as @par_1, @par_2, ..., @par_n.
• Virtual execution: After the SQL syntax checking process, the SQL query is executed on the replicated database (the "virtual database"). A process running concurrently with this execution monitors and traces the behavior of the SQL query.
• SQLIA Detection: This stage is the most important stage in the proposed technique; its goal is to detect whether the received SQL query is a valid and expected query or not. The idea here is to capture the objects that have been affected by the current SQL query, regardless of the type of those objects, and create a list of these objects to be used in the next step of this stage. The resulting list of affected objects is compared with the "database_Behaviors" database. If there is a query that handles all of the listed objects with the same type of behavior as detected in the previous step, then that behavior query is added to a new list (Expected Queries). Any resulting behavior that is detected as suspicious is rejected and deleted from the actual database instance's execution queue; otherwise the query is transferred to the actual database instance for execution.
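As an added illustration (not code from the paper or from its VB .NET simulation), the following Python sketch implements the stages above on an SQLite replica: the white-box reserved-word filter, @par_n parameter replacement, virtual execution traced through SQLite's authorizer callback to collect the affected objects, comparison of that behavior against a "database_Behaviors" allowlist to build the Expected Queries list, and finally the string comparison that the conclusion describes as the static phase. The schema, sample rows, expected-behavior entries and the extra EXEC keyword are assumptions made for the example.

```python
import re
import sqlite3

# Constructed schema and sample rows for the replicated ("virtual") database.
REPLICA_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwd TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
INSERT INTO users VALUES (1, 'alice', 'x'), (2, 'bob', 'y');
INSERT INTO orders VALUES (1, 1, 9.5), (2, 2, 20.0);
"""

# Constructed "database_Behaviors": each expected (parameter-substituted) query
# maps to the set of (action, table) pairs it touches under normal conditions.
DATABASE_BEHAVIORS = {
    "SELECT id, name FROM users WHERE name = @par_1": {("READ", "users")},
    "UPDATE orders SET total = @par_1 WHERE id = @par_2": {("UPDATE", "orders"), ("READ", "orders")},
}

# Reserved words rejected by the simple white-box check (EXECUTE and SHELL are the
# paper's examples; EXEC is an assumed abbreviation).
FORBIDDEN = re.compile(r"\b(EXECUTE|EXEC|SHELL)\b", re.IGNORECASE)
# String literals (with '' escapes) and numeric literals that get replaced by @par_n.
LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
# SQLite authorizer action codes that are recorded as "behaviors".
ACTIONS = {getattr(sqlite3, "SQLITE_" + n): n for n in ("READ", "INSERT", "UPDATE", "DELETE", "DROP_TABLE")}


def substitute_parameters(sql):
    """Stage 'Parameter replacement': literals become indexed @par_n names."""
    counter = [0]

    def repl(_match):
        counter[0] += 1
        return "@par_%d" % counter[0]
    return LITERAL.sub(repl, " ".join(sql.split()))


def virtual_execute(sql):
    """Stage 'Virtual execution': run sql on a fresh in-memory replica, return the traced (action, table) set."""
    touched = set()

    def authorizer(action, arg1, arg2, dbname, source):
        if action in ACTIONS:
            touched.add((ACTIONS[action], arg1))
        return sqlite3.SQLITE_OK
    replica = sqlite3.connect(":memory:")
    replica.executescript(REPLICA_SCHEMA)   # sample data is loaded before tracing starts
    replica.set_authorizer(authorizer)
    try:
        replica.executescript(sql)           # stacked statements run too, so they show up in the trace
    except sqlite3.Error:
        touched.add(("ERROR", None))         # logically incorrect queries leave their own mark
    finally:
        replica.close()
    return touched


def screen_query(raw_sql):
    """Stage 'SQLIA Detection': return (accepted, reason) for one received query."""
    if FORBIDDEN.search(raw_sql):
        return False, "syntax: forbidden reserved word"
    behavior = virtual_execute(raw_sql)
    # Runtime phase: database_Behaviors entries with identical behavior form the Expected Queries list.
    expected_queries = [q for q, b in DATABASE_BEHAVIORS.items() if b == behavior]
    if not expected_queries:
        return False, "runtime: unexpected affected objects " + str(sorted(behavior, key=str))
    # Static phase: string comparison of the parameter-substituted query with the Expected Queries.
    if substitute_parameters(raw_sql) not in expected_queries:
        return False, "static: query text matches no expected query"
    return True, "forwarded to the actual database instance"
```

A tautology keeps the same affected objects as the legitimate query and is only caught by the static string comparison, while a piggy-backed statement changes the traced behavior and is caught in the runtime phase.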
5. ANALYSIS AND DISCUSSION
As described before, the proposed hybrid technique combines static and runtime analysis approaches to create a new solution to detect and prevent SQLIAs. This proposed hybrid technique is to be installed and integrated with the database engines in the database server.
An application using VB .NET has been developed to simulate the work of the proposed approach. The simulation application has been used to evaluate the performance and accuracy of the detection and prevention processes in this approach. Using this application, two hundred and fifty (250) SQL queries that cover all the different types of SQLIA were tested.
The results obtained from simulating this hybrid technique on these 250 queries show that the hybrid technique can cover all known SQLIA gateways and prevents any type of SQLIA.
Table 2 gives a comparison of a well-known set of SQLIA detection and prevention techniques together with our proposed hybrid technique in terms of their capability of detection and prevention, namely: Tautology, Built-In Functions, Logically Incorrect Queries, Union Query, Stored Procedure, Piggy-Backed Queries, Inference, Alternate Encoding, and the Direct Attack.
Table 1: Various Schemes and SQL Injection Attacks
This table was originally presented by [5], apart from the first row (our proposed hybrid technique), the third column (Built-In Functions), and the last column (direct attacks). From this table, it can be concluded that our hybrid technique covers all types of SQLIA and is the only technique that prevents the direct attack type, meaning that it can detect and prevent any type of SQLIA even when the attack is applied to the database directly. In other words, this hybrid technique can detect and prevent SQLIAs that are performed through the system or through a direct SQL query to the database. Finally, the proposed hybrid technique is the only one that can detect and prevent SQLIAs that use built-in functions to perform such attacks.
6. CONCLUSION AND FUTURE WORK
This paper has presented a novel hybrid technique that detects and prevents all types of SQLIAs in various system categories, regardless of the system development language or the database engine.
The proposed hybrid technique is achieved in two main phases: runtime analysis and static analysis. The first phase is a dynamic/runtime analysis method that relies on applying monitoring techniques to trace and monitor the execution of all received queries. The resulting set of affected objects from this monitoring is compared with a prepared set of expected changes that the developer created beforehand, and the result of this comparison determines whether any type of SQLIA exists; if so, the queries are forwarded to the next phase. The next phase is a static analysis phase that performs a string comparison between the received SQL queries and the previously expected SQL queries, to prevent any query that is classified as suspicious.
Moreover, the simulation showed that the proposed hybrid technique can detect and prevent all types of SQLIAs.
The future plan is to improve this technique by reducing the time delay that database restoration takes after an SQLIA is detected.
REFERENCES
[1] Graham, B., Leroux, P. N., and Landry, T., "Using Static and Runtime Analysis to Improve Developer Productivity and Product Quality," white paper, QNX Software Systems, April 2008.
[2] Guimarães, B. D., "Advanced SQL Injection to Operating System Full Control," Black Hat Europe, white paper, April 2009.
[3] Halde, J., "SQL Injection Analysis, Detection and Prevention," MSc Thesis, Department of Computer Science, San Jose State University, San Jose, CA, USA, 2008.
[4] Halfond, W. G., Viegas, J., and Orso, A., "A Classification of SQL Injection Attacks and Countermeasures," In Proceedings of the IEEE International Symposium on Secure Software Engineering, Arlington, VA, USA, 2006.
[5] Kindy, D. A., and Pathan, A. S., "A Detailed Survey on Various Aspects of SQL Injection: Vulnerabilities, Innovative Attacks, and Remedies," International Journal of Communication Networks & Information Security, Aug. 2013, Vol. 5, Issue 2, pp. 80-92.
[6] Majumder, J., and Saha, G., "Analysis of SQL Injection Attack," Special Issue of International Journal of Computer Science & Informatics (IJCSI), ISSN (PRINT): 2231-5292, Vol. II, Issue 1.
[7] Mishra, R., and Bhattacharjya, A., "A Study on Deterrence Techniques from SQLIA," VSRD International Journal of CS & IT, vol. I, no. 8, pp. 608-617, 2011.
[8] Murray, M., "Database Security: What Students Need to Know," Journal of Information Technology Education: Innovations in Practice (9), pp. 61-77.
[9] Rani, D. R., Kumar, B. S., Rao, L. R., Jagadish, V. T., and Pradeep, M., "Web Security by Preventing SQL Injection Using Encryption in Stored Procedures," (IJCSIT) International Journal of Computer Science and Information Technologies, vol. 3, no. 2, 0975-9646, pp. 3689-3692, 2012.
[10] Roy, S., Singh, A. K., and Sairam, A. S., "Analyzing SQL Meta Characters and Preventing SQL Injection Attacks Using Meta Filter," 2011 International Conference on Information and Electronics Engineering, IPCSIT vol. 6 (2011), IACSIT Press, Singapore, pp. 167-170.
[11] Russell, G., Lapalme, G., and Plamondon, P., "Automatic Identification of Language and Encoding," Rapport Scientifique, Laboratoire de Recherche Appliquée en Linguistique Informatique (RALI), Université de Montréal, Canada, 7-2003 (2003).
[12] Shanmughaneethi, V., and Swamynathan, S., "Detection of SQL Injection Attack in Web Applications using Web Services," IOSR Journal of Computer Engineering (IOSRJCE), vol. 1, no. 5, pp. 13-20, 2012.
[13] Shaul, J., and Ingram, A., Practical Oracle Security, Rockland, MA: Syngress Publishing, c2007.
[14] Spett, K., "SQL Injection: Are your web applications vulnerable," Technical report, SPI Dynamics, Inc., 2005. Available at URL http:// www.spidynamics.com/papers/sql injectionwhitepaper.pdf.
[15] Srivastava, S., and Tripathi, R., "Attacks Due to SQL Injection & Their Prevention Method for Web Application," (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (2), 2012, pp. 3615-3618.
[16] Williams, J., "OWASP Top 10 Project," OWASP Group, The Open Web Application Security Project, 2013. http://www.owasp.org.