Uploaded by habtamuasayto

A Review of Detection and Prevention Techniques of SQL Injection

A Review of Detection and Prevention
Techniques of SQL Injection Attacks
Presented by : Group Members
1 Introduction
2 Research Methodology
3 Searching Papers
4 Result and Critique
5 Strength and Weakness
6 Recommendation
7 Conclusion
Today's Session
Part 1
↬ Introduction
↬ Research Methodology
↬ Searching Papers
Presented by : Habtamu A
Part 2
↬ Result and Critique
↬ Strength and Weakness
Presented by : Alayu D
Part 3
↬ Recommendation
↬ Conclusion
Presented by : Getnet A
Part 4
↬ Question and Answering
By Group Members
Introduction
→ What is SQL injection attack
↪ It is a code injection technique used to attack data-driven applications, in which
malicious SQL statements are inserted into an entry field for execution.
↪ It is a technique that is executed by attackers to target the databases, exploiting
vulnerabilities in web applications.
↪ It allows the attacker to access, retrieve, modify, or delete user data using illegitimate
methods.
→ SQLI attack process
a. The attacker adds SQL statements through input fields or hidden
b. Web app receives an HTTP request from attacker as input and generates a SQL
c. Submits the SQL statement as output for the back end database server
d. The attacker gains access successfully because the inputs are not sanitized
Research Methodology
→ About the paper
1. Year of publication
↪ Published during the period 2019 to 2021
2. Search engines
↪ IEEE,
↪ Science Direct, and
↪ Research Gate.
→ Research questions
1. Research Question 1
↪ How has publication grown in the SQL injection detection field?
2. Research Question 2
↪ What types of SQL injection attacks have been discussed?
3. Research Question 3
↪ What are the proposed methods to detect and mitigate these attacks?
Searching Papers
→ Stages of the paper selection flow diagram
↪ Search Papers
   IEEE → 73
   Sciencedirect → 640
   Researchgate → 100
↪ Remove Duplicates: - remove duplication and year of publication from 2019 to 2021
↪ Title Selection: - exclude irrelevant papers
↪ Abstract and Full Text Analysis: - related to SQLIA detection and prevention techniques
↪ Quality Assessment: - exclude weak papers, i.e. based on QA questions
↪ Data Extraction: - the final papers that we have reviewed
→ Paper counts shown in the diagram: 813, 172, 24, 13, 7, 3
Reviewed Papers
→ We have reviewed the following papers
↪ P1 – SQLIA Detection and Prevention Techniques by Mazoon Al Rubaiei,
Thuraiya Al Yarubi, Maiya Al Saadi and Basant Kumar
↪ P2 – A Detection and Prevention Technique on SQL Injection Attacks by Zar Chi
Su Su Hlaing and Myo Khaing
↪ P3 – Identification and Mitigation Tool for SQL Injection Attack by W.H.
Rankothge, Mohan Randeniya, Viraj, and Viraj Samaranayaka
Result and Critique
1. Publication growth in SQL injection detection field (RQ1)
↪ Exploring the motivation behind each approach.
↪ How security concerns have become important in developing secure web apps.
↪ The number of articles that discuss the topic increased from 2019 to 2021.
2. Types of SQL injection attacks (RQ2)
↪ All 3 papers try to mention and define all possible types of SQLIA with specific
examples related to each attack type.
↪ Now let’s look at each type of attack individually.
↪ In paper 1 there are 8 types of SQLIA.
→ Types of attack in paper 1
1. Tautologies: - get access to the application without supplying a valid user name.
↪ Eg: Select * from users where username='un' or 'a'='a' -- and password='pwd'
2. Illegal/Logically Incorrect Queries: - reveal relevant data about the database being used
from the returned error messages or logical errors.
↪ The attack is considered a preliminary step for further attacks.
↪ Eg: SELECT * FROM students WHERE username = 'un"' AND password =
3. Union Query: - disclose sensitive information using union queries, which
contain set operators.
↪ Eg: SELECT Salary from Employee where username="un" and password = "" ;
UNION SELECT Salary from Employee where Emp_id= "1234" ;
4. Piggy-backed: - aim to delete or remove information with harmful intent.
↪ Eg: SELECT Salary_info from Employee where username="abc" and
password=""; DROP table user:
5. Stored Procedure: - aim to gain access to the host operating system by performing a
command execution.
↪ Eg: SELECT Salary from Employee where username="abc" and password="" ;
SHUTDOWN
6. Alternate Encodings: - aim to hide the attacker’s pattern via alternate
encodings, such as hexadecimal or ASCII.
↪ Eg: SELECT Salary from Employee where username="un" and password="" ;
exec(char(0x738757464f776e))
7. Timing Attacks: - aim to delay the database’s responses using the waitfor keyword.
↪ Eg: declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s, 1, 1)) &
(power(2, 0))) > 0 waitfor delay '0:0:5'
8. Blind Injection: - asks the database true or false questions and determines the
answer based on the application’s response.
↪ Eg: Select pass from user where username='user' and 1=0
→ Types of attack in paper 2
↪ Four of the attack types have the same name and definition as in paper 1.
↪ “Malformed Queries” is the same as the attack type “Illegal/Logically Incorrect
Queries” in paper 1.
↪ “Inference” groups the “Timing Attack” and “Blind Injection” of paper 1 into one
major category of inference attacks.
↪ So the two papers agree on these attack types.
→ Types of attack in paper 3
↪ Instead of listing all types of SQLIA, the authors try to show the failure of the
other paper to detect the random integer number attack.
↪ The focus of this 3rd paper is on identification and mitigation of the attacks.
→ The 3 papers try to identify and classify all possible types of SQLIA.
→ SQL Injection Detection and Prevention Techniques (RQ3)
↪ Let’s compare and contrast the prevention techniques of SQLIA discussed in
each paper.
→ Prevention Techniques of SQLIA on paper 3
1. Input and URL Validation: - avoid attacks through input fields and URLs by
checking the input format, input length, input range and the characters allowed to be
entered.
2. Data Sanitization: - remove all dangerous characters from an input string before
passing it to the SQL engine.
3. Prepared Statement : - makes sure that whatever the user enters is treated as a string
literal in SQL and NOT as a part of the SQL query.
4. Query and Session Tokenization: - uses arrays to store the tokens where the original
and the injected queries will be stored.
↪ If the array length does not match, it means that the query is injected.
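The prepared statement and query tokenization items above, as an added example (not code from the slides or from the reviewed papers). It runs the tautology input quoted earlier on this page against a concatenated query, a prepared statement and a token-array length check; the sqlite3 table, the sample row, the tokenizer regex and the placeholder baseline are assumptions made for illustration.

```python
import re
import sqlite3

TEMPLATE = "SELECT * FROM users WHERE username='{user}' AND password='{pwd}'"
TAUTOLOGY = "un' or 'a'='a' --"  # tautology input from the example on this page

def make_db():
    """Constructed sample data: one user row in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concat(db, user, pwd):
    """Vulnerable form: the input is spliced into the SQL text."""
    return db.execute(TEMPLATE.format(user=user, pwd=pwd)).fetchall()

def login_prepared(db, user, pwd):
    """Prepared statement: the input is bound as a string value only."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(sql, (user, pwd)).fetchall()

# Assumed tokenizer: string literals, "--" comments, words, single symbols.
TOKEN = re.compile(r"'(?:[^']|'')*'|--.*|\w+|[^\s\w]")

def tokenize(sql):
    """Return the token array of a SQL string."""
    return TOKEN.findall(sql)

def is_injected(user, pwd):
    """Compare the token-array length of the query built from the real
    input with that of the same query built from a harmless placeholder."""
    original = tokenize(TEMPLATE.format(user="x", pwd="x"))
    actual = tokenize(TEMPLATE.format(user=user, pwd=pwd))
    return len(original) != len(actual)

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concat(db, TAUTOLOGY, "x"))
    print("prepared:    ", login_prepared(db, TAUTOLOGY, "x"))
    print("token check: ", is_injected(TAUTOLOGY, "x"))
```

The length check only sees inputs that change the number of tokens, so it complements the prepared statement and does not replace it.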
→ Prevention Techniques of SQLIA on paper 2
1. Stored Procedures: - subsequent executions allow statements to be automatically
parameterized.
↪ Can isolate the database from the users and prevent some of the exploitations.
2. Encrypting Data: - encrypted data values prevent an attacker from reading sensitive
data, and any further changes to the database would have no effect.
3. Limiting Privileges: - an account with limited privileges should be used to identify
the authenticated user, to limit the extent of harm if SQL injection
occurs.
↪ The 3rd paper, however, recommends two prevention techniques,
user input validation and parameterized queries, to prevent SQLIA.
Strength and Weakness
→ Strength
↪ The researchers of papers one and two have identified each SQLI attack type together
with how it is implemented and how it can be prevented; the researchers of paper one
in particular list most SQLI attacks and relate them to the prevention
mechanisms in other researchers’ literature reviews.
↪ Our team strongly agrees with the SQLI attack prevention mechanisms of paper one,
because they advise using machine learning prevention mechanisms.
↪ Another strength is the general practices to prevent SQLI attacks listed by
the paper one researchers (update security patches, firewall/WAF, use appropriate
privileges, etc.)
→ Weakness
↪ The papers give no common detection and prevention pattern that detects all
SQLI attack types.
↪ In paper 3 the researchers develop a tool to identify and mitigate the
attack, but the algorithm relies on a list of attack patterns and does not consider
newly developed and generated attack patterns.
Recommendation & Conclusion
→ Recommendation
↪ SQL injection is a very serious problem for web applications. Finding an
efficient solution to this problem is essential.
↪ Researchers have developed many techniques to detect and prevent this
vulnerability. There is no appropriate solution that can prevent all types of SQL
injection attacks. SQL injection attacks remain one of the top concerns for cyber
security researchers. Signature-based SQL injection detection methods are no
longer reliable, as attackers are using new types of SQL injection each time.
↪ In this era, many new types of SQLIA may be created overnight, so it is not
feasible to overcome all threats. There is a need for
SQL injection detection mechanisms that are capable of identifying new,
never-before-seen attacks.
↪ As a team we recommend focusing on machine learning techniques to detect and
prevent SQLIA.
→ Conclusion
↪ We have analyzed a total of 3 research papers and reviewed a comparison of
different techniques for detecting and preventing SQLIAs. First we identified the
different types of SQLI attacks from the papers. After that, based on the types of
attacks, we evaluated effective techniques for detecting and preventing such attacks.
The use of web-based systems for different services is increasing rapidly, and so is
the use of the databases on which web-based applications are built.
↪ From the analysis of those papers, there is no common and general technique that
can guarantee 100 percent control to detect and prevent SQLI attacks.
February, 2023
Computer Security | Computer Science | Addis Ababa University