An Approach for Detecting and Preventing SQL Injection and Cross Site Scripting Attacks using Query sanitization with regular expression

International Journal of Computer Trends and Technology (IJCTT)
© 2017 by IJCTT Journal
Volume-49 Number-4
Year of Publication: 2017
Authors: Monali Sachin Kawalkar, Dr. P. K. Butey
DOI: 10.14445/22312803/IJCTT-V49P139

MLA

Monali Sachin Kawalkar, Dr. P. K. Butey "An Approach for Detecting and Preventing SQL Injection and Cross Site Scripting Attacks using Query sanitization with regular expression". International Journal of Computer Trends and Technology (IJCTT) V49(4):237-245, July 2017. ISSN:2231-2803. www.ijcttjournal.org. Published by Seventh Sense Research Group.

Abstract
Because of digitalization and the rapid growth of technology, web applications are widely used for e-commerce, online payments, online banking, money transfer, social networking, and so on. A web application interacts over the network with a database in which critical information is stored; the languages involved are Structured Query Language (SQL) and scripting languages. OWASP [2] has released the latest version of its "Top 10 Vulnerabilities", based on previous incidents as well as on the risks associated with each vulnerability. SQL Injection and Cross Site Scripting are the most prominent and harmful of these and have taken the highest rank amongst the OWASP Top 10. SQL injection is a technique that exploits a security vulnerability in the database layer of an application. The attack takes advantage of poor input validation in code and website administration, allowing attackers to gain unauthorized access to the back-end database by altering the SQL queries the application intended to generate. Cross Site Scripting (XSS) is a highly prevalent web application security issue. It occurs when an application sends user-provided data to the web browser without validating or encoding that content. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites. This paper presents a new defense approach against SQL injection and Cross Site Scripting attacks. It identifies attacks caused by user inputs that are not properly validated in web applications. In this approach the attacks are removed by input query sanitization, performed by a regular-expression-based, database-independent, server-side background service. This service stops the attack before it affects the system and provides a sanitized query to the system by classifying the input data as SQL or HTML input.
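To make the classify-then-sanitize idea in the abstract concrete, here is an added Python example. It is not the authors' implementation (the paper's own regular expressions and service design are not reproduced on this page); it classifies raw input as HTML-shaped, SQL-shaped or plain with a few illustrative regular expressions, and then shows the two controls that neutralise the attack classes named above regardless of the classification: a parameterised query for the database sink and HTML entity encoding for the browser sink. The patterns, the in-memory table, and the sample inputs are all constructed for this example.

```python
import html
import re
import sqlite3
from typing import Optional, Tuple

# Regular expressions that characterise SQL-shaped and HTML-shaped input.
# Constructed for this example to illustrate the classification step; they
# are a detection signal, not a complete grammar of either language.
SQL_PATTERNS = [
    re.compile(r"\b(union|select|insert|update|delete|drop|alter)\b", re.I),
    re.compile(r"--|/\*"),                        # SQL comment introducers
    re.compile(r"'\s*(or|and)\s+[^=]+=", re.I),   # quote followed by a boolean condition
]
HTML_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I),    # any opening or closing tag
    re.compile(r"\bon[a-z]+\s*=", re.I),          # inline event-handler attribute
    re.compile(r"javascript\s*:", re.I),          # script scheme in a URL attribute
]


def classify(value: str) -> str:
    """Classify a raw input string as 'html', 'sql' or 'plain' (logging signal only)."""
    if any(p.search(value) for p in HTML_PATTERNS):
        return "html"
    if any(p.search(value) for p in SQL_PATTERNS):
        return "sql"
    return "plain"


def build_demo_db() -> sqlite3.Connection:
    """In-memory SQLite table populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def lookup_user(conn: sqlite3.Connection, name: str) -> Optional[Tuple[str, str]]:
    """Parameterised query: the input is bound as data, never spliced into SQL text,
    so a quote or keyword in the value cannot change the statement's structure."""
    row = conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchone()
    return tuple(row) if row else None


def render_greeting(name: str) -> str:
    """Encode for the HTML element context before the value reaches the browser."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def handle_request(conn: sqlite3.Connection, raw_name: str) -> dict:
    """Server-side handling of one request: classify the input for logging,
    then pass it only through the two safe sinks above."""
    kind = classify(raw_name)
    user = lookup_user(conn, raw_name)
    return {"class": kind, "user": user, "html": render_greeting(raw_name)}


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed sample inputs: a normal name, a name containing an apostrophe,
    # and two textbook malicious shapes (one SQL-like, one HTML-like).
    for sample in ["alice", "O'Brien", "' OR 1=1 --", "<script>alert(1)</script>"]:
        print(repr(sample), "->", handle_request(db, sample))
```

The classifier is a useful logging and alerting signal, but regular-expression matching has false positives (an ordinary comment containing the word "select", a surname with an apostrophe) and false negatives (encodings and dialect-specific syntax the pattern list does not anticipate), so the example never lets it decide whether a request may proceed: `lookup_user` and `render_greeting` are safe whatever `classify` returns, and the apostrophe in "O'Brien" is handled correctly by both.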

References
[1] OWASP XSS Prevention Cheat Sheet - www.OWASP.org/index.php/XSS_Prevention_Cheat_sheet
[2] OWASP Top Ten Project - http://www.owasp.org/index.php/Top_10
[3] OWASP Code Review Guide - http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
[4] OWASP Testing Guide - http://www.owasp.org/index.php/Testing_Guide
[5] Acunetix, Cross-site scripting - https://www.acunetix.cz/websitesecurity/cross-site-scripting/
[6] "SQL Injection/Insertion Attacks", insecure.org.
[7] J. Clarke, SQL Injection Attacks and Defense (book).
[8] Cross-site scripting, Wikipedia - http://en.wikipedia.org/wiki/Cross-site_scripting
[9] Cross site scripting, Acunetix - http://www.acunetix.com/websitesecurity/cross-site-scripting/
[10] Cross site scripting, Secure web development - http://hwang.cisdept.csupomona.edu/swanew/Code.aspx?m=XSS
[11] W. G. J. Halfond and A. Orso, "Preventing SQL injection attacks using AMNESIA," in Proceedings of the 28th International Conference on Software Engineering, Shanghai, China, 2006.
[12] Sh. Bojken, A. Shqiponja, A. Marin, and Xh. Aleksander, "Protection of Personal Data in Information Systems," International Journal of Computer Science, Vol. 10, No. 2, July 2013, ISSN (Online): 1694-0784.
[13] S. Avireddy, V. Perumal, N. Gowraj, and R. S. Kannan, "Random4: An Application Specific Randomized Encryption Algorithm to prevent SQL Injection," in 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 2012.
[14] H. Dehariya, "A Survey on Detection and Prevention Techniques of SQL Injection."
[15] S. W. Boyd and A. D. Keromytis, "SQLrand: Preventing SQL Injection Attacks," in Proceedings of the 2nd Applied Cryptography and Network Security Conference, pp. 292-302, June 2004.
[16] Y. Huang, F. Yu, C. Yang, C. H. Tsai, D. T. Lee, and S. Y. Kuo, "Securing Web Application Code by Static Analysis and Runtime Protection," in Proceedings of the 12th International World Wide Web Conference, May 2004.
[17] Y. W. Huang, F. Yu, C. Hang, C. H. Tsai, D. Lee, and S. Y. Kuo, "Verifying Web Application using Bounded Model Checking," in Proceedings of the International Conference on Dependable Systems and Networks, 2004.
[18] Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai, "Web application security assessment by fault injection and Behavior Monitoring," in Proceedings of the 12th International Conference on World Wide Web, ACM, New York, NY, USA, 2003, pp. 148-159.
[19] A. S. Christensen, A. Møller, and M. I. Schwartzbach, "Precise analysis of string expressions," in Proceedings of the 10th International Static Analysis Symposium, LNCS vol. 2694, Springer-Verlag, pp. 1-18.
[20] V. B. Livshits and M. S. Lam, "Finding security errors in Java programs with static analysis," in Proceedings of the 14th USENIX Security Symposium, August 2005, pp. 271-286.
[21] N. Jovanovic, C. Kruegel, and E. Kirda, "Precise alias analysis for syntactic detection of web application vulnerabilities," in ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottawa, Canada, June 2006.
[22] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna, "Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications," in IEEE Symposium on Security and Privacy, 2008.
[23] G. Wassermann and Z. Su, "Static detection of cross-site scripting vulnerabilities," in Proceedings of the 30th International Conference on Software Engineering, May 2008.
[24] Z. Su and G. Wassermann, "The essence of command injection attacks in web applications," in Proceedings of the 33rd Annual Symposium on Principles of Programming Languages, ACM, USA, January 2006, pp. 372-382.
[25] E. Kirda et al., "Client-Side Cross-Site Scripting Protection," Computers & Security; Proc. of the 21st ACM Symposium on Applied Computing, Oct. 2009, pp. 592-604.
[26] T. Jim, N. Swamy, and M. Hicks, "BEEP: Browser-Enforced Embedded Policies," in Proceedings of the 16th International World Wide Web Conference, ACM, 2007, pp. 601-610.
[27] T. Pietraszek and C. V. Berghe, "Defending against Injection Attacks through Context-Sensitive String Evaluation," in Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2005.
[28] D. Balzarotti, M. Cova, V. V. Felmetsger, and G. Vigna, "Multi-Module Vulnerability Analysis of Web-based Applications," in Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA, October 2007.
[29] R. Putthacharoen and P. Bunyatnoparat, "Protecting Cookies from Cross Site Script Attacks Using Dynamic Cookies Rewriting Technique," in Proc. of the IEEE 13th International Conference on Advanced Communication Technology, Feb 2011, pp. 1090-1094.
[30] P. Bisht and V. N. Venkatakrishnan, "XSS-GUARD: Precise dynamic prevention of Cross-Site Scripting Attacks," in Proceedings of the 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, LNCS vol. 5137, 2008, pp. 23-43.
[31] N. Ikemiya and N. Hanakawa, "A New Web Browser Including A Transferable Function to Ajax Codes," in Proceedings of the 21st IEEE/ACM International Conference on Automated Software Engineering (ASE '06), Tokyo, Japan, September 2006, pp. 351-352.
[32] E. Kirda et al., "Client-Side Cross-Site Scripting Protection," Computers & Security; Proc. of the 21st ACM Symposium on Applied Computing, Oct. 2009, pp. 592-604.

Keywords
OWASP – Open Web Application Security Project; SQL – Structured Query Language; Web Application; Detection and Prevention Techniques; XSS – Cross Site Scripting; Input query sanitization; DOM – Document Object Model.