HACKER DETECTION IN WIRELESS
SENSOR NETWORK
SUBMITTED BY
NAME
:ATHIRA.M.R
CLASS
:IIIBsc.CS
REG NO
:1222K3697
ROLL NO :33
ABSTRACT
ABSTRACT
Intrusion detection in Wireless Sensor Network (WSN) is of practical interest in many
applications such as detecting an intruder in a battlefield. The intrusion detection is defined as a
mechanism for a WSN to detect the existence of inappropriate, incorrect, or anomalous moving
attackers. In this paper, we consider this issue according to heterogeneous WSN models.
Furthermore, we consider two sensing detection models: single-sensing detection and multiplesensing detection... Our simulation results show the advantage of multiple sensor heterogeneous
WSNs.
A Wireless sensor network (WSN) is a collection of spatially deployed wireless sensor by
which two monitor various changes of environmental conditions (e.g., forest fire, air pollutant
concentration, and object moving)in a collaborative manner without relying on any underlying
infrastructure support. Recently, a number of research efforts have been made to develop sensor
hardware and network architectures in order to effectively deploy WSN for a variety of
applications due to a wide diversity of WSN application requirements, however, a generalpurpose WSN design cannot fulfill the needs of all application.
Many network parameters such as sensing range, transmission range, and node density
have to be carefully considered at the network design stage, according to specific application. To
achieve this, it is critical to capture the impact to the network parameters on network
performance with respect to application specifications. Intrusion detection (i.e., object tracking)
WSN can be regarded as a monitoring system for detecting the intruder that is invading the
network domain.
INTRODUCTION
1.
INTRODUCTION
The intrusion detection application concerns how fast the intruder can be detected by the
WSN. If sensors are deployed with a high density so that the union of all sensing ranges covers
the entire network area, the intruder can be immediately detected once it approaches the network
area. However, such a high-density deployment policy increases the network investment and
may be even unaffordable for a large area.
In fact, it is not necessary to deploy so many sensors to cover the entire WSN area in
many applications, since a network with small and scattered void areas will also be able to detect
a moving intruder within a certain intrusion distance. In this case the application can be specify
a required intrusion distance within which the intruder should be detected.
The intrusion distance is referred as D and defined as the distance between the points
the intruder enters the WSN, and the point the intruder is detected by the WSN system. This
distance is of central interest to a WSN used for intrusion detection. In this paper, we derive the
expected intrusion distance and evaluate the detection probability in different application
scenarios. We can derive with respect to sensor’s sensing range, thereby knowing the total
number of sensors required for WSN deployment.
In a WSN, there are two ways to detect an object (i.e., an intruder): single-sensing
detection and multiple-sensing detection, the intruder can be successfully detected by a single
sensor. On the contrary, in the multiple-sensing detection, the intruder can only be detected by
multiple collaborating sensors. In some applications, the sensed information provided by a single
sensor might be inadequate for recognizing the intruder. It is because individual sensors can only
sense a portion of the intruder. For example, the location of an intruder can only be determined
from at least three sensors sensing.
SYSTEM STUDY
2.
SYSTEM STUDY
2.1 Existing System:
In single-sensing detection, At a time onlyone intruder detected by the WSN.
Our Previous work was according to homogeneous and heterogeneous single sensor in wireless
sensor network.
2.2 Proposed System:
In Heterogeneous wireless sensor ,Intruder detected anywhere in the network.
We are detecting the intruder in multiple sensor heterogeneous wireless sensor network.
2.3 Disadvantage:
The sensed information provided by a
single sensor might be inadequate for
recognizationthe intruder.
So that there is no guarantee for our information has been sent securely.
The Data will not routed if primary detector fails.
2.4 Advantage:
If primary detector fails another detector detect the intruder.
By finding the intruders we can send our information in a secured manner.
2.5Modules:
1. Constructing Sensor Network
2. Packet Creation
3. Find authorized and unauthorized port
4. Constructing Inter-Domain Packet Filters
5. Receiving the valid packet
MODULE DESCRIPTION
3.
MODULE DESCRIPTION
Module-1:
In this module, we are going to connect the network .Each node is connected the
neighboring node and it is independently deployed in network area. And also deploy the each
port no is authorized in a node.
Module-2:
In this module, browse and select the source file. And selected data is converted into fixed
size of packets. And the packet is send from source to detector.
Module-3:
The intrusion detection is defined as a mechanism for a WSN to detect the existence of
inappropriate, incorrect, or anomalous moving attackers. In this module check whether the path
is authorized or unauthorized. If path is authorized the packet is send to valid destination.
Otherwise the packet will be deleted. According port no only we are going to find the path is
authorized or Unauthorized.
Module-4:
If the packet is received from other than the port no it will be filtered and discarded.
filter only removes the unauthorized packets and authorized packets send to destination.
Module-5:
This
In this module, after filtering the invalid packets all the valid
destination.
Packets will reach the
REQUIREMENTS SPECIFICATION
4.
REQUIREMENT SPECIFICATION
4.1 Hardware Requirements:
PROCESSOR
: PENTIUM IV 2.6 GHz
RAM
: 512 MB DD RAM
MONITOR
: 15” COLOR
HARD DISK
: 20 GB
CDDRIVE
: LG 52X
KEYBOARD
MOUSE
: STANDARD 102 KEYS
: 3 BUTTONS
4.2 Software Requirements:
FRONT END
: Java
TOOL USED
: JFrameBuilder
OPERATING SYSTEM : Window’sXp
SOFTWARE DESIGN
5. SOFTWARE DESIGN
5.1 Data Flow Diagrams:
cha nge pa sw o rd
vie w de ta ils
am o un t tran sa ction
po sitive ta inting
synta x-aw a re
use r
W AS P
inje ction
N o in jectio n
ad m in
or
custo m er
ad m in
inje ction fo un d
tarnsastion d etail
N e w R eg istraton
am o un t cred it
5.2 System arc:
5.3 Class diagram:
Cerdit Card
CreditProcess
Accnumber()
Password()
cre
cre
dit
Bill process()
dit
CustomerHome
Customer Login
Database
Accnumber()
password()
customer
customer
check()
update()
delete()
insert()
Admin
username()
password()
in
m
Ad
Adm
in
User details()
Transaction()
Admin Home
Reistration()
transation()
customer details()
Amount credit()
5.4 Sequence diagram:
WASP
Login
account number
password
DataBase
Not Injected
admin or Customer
Invalid Account number
password
injected
5.5 Admin module:
Loan
Loan details
Registration
Admin module
name
age
gender
occupaiton
.
.
.
Registration
Transaction
WASP
No injected
view the tarnsaction details
Customer details
Edit the customer detials
Injected
username
&
password
Amount credit
Credit the amount to user
5.6 CUSTOMER MODULE:
Customer module
No injection
View The Details
name
age
gender
.
.
.
WASP
Username &
Password
injected
Login
Tarnsaction
user accno
amount
transaction accno
Credit Card
No Injection
WASP
Injection
Username &
password
Bill process
ACCESS MODELS
5.
ACCESS MODELS
6.1 Access Models
A Java Server Pages file may be accessed in at least two different ways:
1. A client request comes directly into a Java Server Page.
In this scenario, suppose the page accesses reusable JavaBean components that perform
particular well-defined computations like accessing a database. The result of the Bean’s
computations, called result sets are stored wihtin the Bean as properties. The page uses such
Beans to generate dynamic content and present it back to the client.
2. A request comes through a servlet.
The servlet generates the dynamic content. To handle the response to the client, the
servlet creates a Bean and stores the dynamic content (sometimes called the result set) in the
Bean. The servlet then invokes a Java Server Page that will present the content along with the
Bean containing the generated from the servlet.
There are two APIs to support this model of request processing using Java Server Pages.
One API facilitates passing context between the invoking servlet and the Java Server Page. The
other API lets the invoking servlet specify which Java Server Page to use.
In both of the above cases, the page could also contain any valid Java code. The Java
Server Pages architecture encourages separation of content from presentation—it does not
mandate it.With at least two access models, the question naturally arises “When does it make
sense to have a Java Server Page as the front-end to a servlet, as the back-end to a servlet, or use
only the servlet? Here are some possible guidelines:

If a GraphicalUser Interface (GUI) is necessary to collect the request data— Use a
JavaServerPagesfile.

If the request and request parameters are otherwise available to the servlet, but the results
of the servlet processing requires a graphical interface to present them —Use
aJavaServerPagesfile.

If presentation layout is minimal (will not require very many println lines in your servlet
code) and you don’t need to make that presentation logic available to a customer or your
webpage designer, then a Servlet might suffice.
Using XML with JSP:
The Java Server Pages technology is an ideal way to describe processing of XML input
and output. Simple XML generation can be done by just writing the XML as static template
portions within the JSP. Dynamic generation will be done through JavaBeans components,
Enterprise JavaBeans components, or via custom tags that generate XML.
Similarly, input XML can be received from POST or QUERY arguments and then sent
directly to JavaBeans components, Enterprise JavaBeans components, or custom tags, or
manipulated via the scripting. There are two attributes of JSP that make it specially suited for
describing XML processing. One is that XML fragments can be described directly in the JSP text
either as templates for input into some XML-consuming component or as templates for output to
be extended with some other XML fragment.
Another attribute is that the tag extension mechanism enables the creation of specific
tags and directives that are targeted at useful XML manipulation operations. Future versions of
the JSP specification will include several standard tags that will support XML manipulation,
including the transformation of the XML produced by the given JSP using XTL/XSL.
Features in JSP 1.0
The JSP 1.0 specification has mandatory and optional features. JSP 1.0 enables a tag
extension mechanism for the creation of custom tags but such a mechanism will not appear until
a later version of the specification.
The JSP 1.0 specification includes:

JSP standard directives

JSP standard actions

Script language declarations, Scriplets and expressions
A future version of the JSP specification will also add additional features to enhance the use of
JSP pages in a J2EE platform.
JAVA BEANS
6.
JAVA BEANS
The JavaBeans API makes it possible to write component software in the Java
programming language. Components are self-contained, reusable software units that can be
visually composed into composite components, applets, applications, and servlets using visual
application builder tools. JavaBean components are known as Beans.
Components expose their features (for example, public methods and events) to builder
tools for visual manipulation. A Bean’s features are exposed because feature names adhere to
specific design patterns. A “JavaBeans-enabled” builder tool can then examine the Bean’s
patterns, discern its features, and expose those features for visual manipulation. A builder tool
maintains Beans in a palette or toolbox. You can select a Bean from the toolbox, drop it into a
form, modify it’s appearance and behavior, define its interaction with other Beans, and compose
it and other Beans into an applet, application, or new Bean. All this can be done without writing
a line of code.
The following list briefly describes key Bean concepts,

Builder tools discover a Bean’s features (that is, its properties, methods, and
events) by a process known as introspection. Beans support introspection in two
ways:

By adhering to specific rules, known as design patterns, when naming
Bean features.

By explicitly providing property, method, and event information with a
related Bean Information class.

Properties are a Bean’s appearance and behavior characteristics that can be
changed at design time. Builder tools introspect on a Bean to discover its
properties, and expose those properties for manipulation.

Beans expose properties so they can be Customizedat design time.
Customization is supported in two ways: By using property editors, or by using
more sophisticated Bean customizers.

Beans useEvents to communicate with other Beans. A Bean that wants to receive
events (a listener Bean) registers its interest with the Bean that fires the event (a
source Bean). Builder tools can examine a Bean and determine which events that
Bean can fire (send) and which it can handle (receive).

Persistenceenables Beans to save and restore their state. Once you’ve changed a
Beans properties, you can save the state of the Bean and restore that Bean at a
later time, property changes intact. JavaBeans uses Java Object Serialization to
support persistence.

A Bean’s Methods are no different than Java methods, and can be called from
other Beans or a scripting environment. By default all public methods are
exported.
Although Beans are designed to be understood by builder tools, all key APIs, including
support for events, properties, and persistence, have been designed to be easily read and
understood by human programmers as well.
NEW JAVA BEAN FEATURES
Here is a list of upcoming Beans and Beans-related features:
The Java Activation Framework (JAF). The JAF is a data typing and command
registry API. With the JAF you can discover an arbitrary data object’s type, and look
command applications or Beans that can process that data type, and activate the
appropriate command at a user gesture. For example, a browser can identify a file’s data
type, and then launch the appropriate plug-in to view or edit the file. The JAF is a Java
standard extension.
The Extensible Runtime Containment and Services Protocol, also
known as beancontext. Previous to this protocol a Bean only knew about and had access
to the Java Virtual Machine (JVM) in which the Bean ran, and the core Java APIs. This
protocol introduces a standard way for a Bean to discover and access attributes or
services provided by a Bean’s enclosing environment, and for a Bean’s enclosing
environment to discover and access a Bean’s attributes and services.
The java.beans.beancontext API introduces the ability to nest Beans and Bean
contexts within a hierarchical structure. At runtime, a Bean can obtain services from its
containing enviroment; the Bean can then make use of those services, or propagate those
services to any Beans that it contains.
DATA BASES AND THE WAB
7.
DATA BASES AND THE WAB
Databases are at the root of all business computing today. At some point, you are going to
want to integrate a company database with your Web site. On the other hand, perhaps when you
have a large Web site, you will want to create a database that will let clients search the text of
your HTML files.
There are several ways to achieve database and Web site integration.
 ODBC and
 JDBC.
8.1 ODBC:
Microsoft Open Database Connectivity (ODBC) is a standard programming interface for
application developers and database systems providers. Before ODBC became a de facto
standard for Windows programs to interface with database systems, programmers had to use
proprietary languages for each database they wanted to connect to. Now, ODBC has made the
choice of the database system almost irrelevant from a coding perspective, which is as it should
be. Application developers have much more important things to worry about than the syntax that
is needed to port their program from one database to another when business needs suddenly
change.
Through the ODBC Administrator in Control Panel, you can specify the particular
database that is associated with a data source that an ODBC application program is written to
use. Think of an ODBC data source as a door with a name on it. Each door will lead you to a
particular database. For example, the data source named Sales Figures might be a SQL Server
database, whereas the Accounts Payable data source could refer to an Access database. The
physical database referred to by a data source can reside anywhere on the LAN.
The ODBC system files
From a programming perspective, the beauty of ODBC is that the application can be
written to use the same set of function calls to interface with any data source, regardless of the
database vendor. The source code of the application doesn’t change whether it talks to Oracle or
SQL Server. We only mention these two as an example. There are ODBC drivers available for
several dozen popular database systems. Even Excel spreadsheets and plain text files can be
turned into data sources.
The operating system uses the Registry information written by ODBC Administrator to
determine which low-level ODBC drivers are needed to talk to the data source (such as the
interface to Oracle or SQL Server). The loading of the ODBC drivers is transparent to the ODBC
application program. In a client/server environment, the ODBC API even handles many of the
network issues for the application programmer.
The advantages of this scheme are so numerous that you are probably thinking there must
be some catch. The only disadvantage of ODBC is that it isn’t as efficient as talking directly to
the native database interface. ODBC has had many detractors make the charge that it is too slow.
Microsoft has always claimed that the critical factor in performance is the quality of the driver
software that is used. In our humble opinion, this is true.
The availability of good ODBC drivers has improved a great deal recently. And anyway,
the criticism about performance is somewhat analogous to those who said that compilers would
never match the speed of pure assembly language. Maybe not, but the compiler (or ODBC) gives
you the opportunity to write cleaner programs, which means you finish sooner. Meanwhile,
computers get faster every year.
8.2 JDBC:
In an effort to set an independent database standard API for Java, Sun Microsystems
developed Java Database Connectivity, or JDBC. JDBC offers a generic SQL database access
mechanism that provides a consistent interface to a variety of RDBMSs. This consistent interface
is achieved through the use of “plug-in” database connectivity modules, or drivers. If a database
vendor wishes to have JDBC support, he or she must provide the driver for each platform that the
database and Java run on.
To gain a wider acceptance of JDBC, Sun based JDBC’s framework on ODBC. As you
discovered earlier in this chapter, ODBC has widespread support on a variety of platforms.
Basing JDBC on ODBC will allow vendors to bring JDBC drivers to market much faster than
developing a completely new connectivity solution.
JDBC was announced in March of 1996. It was released for a 90 day public review that
ended June 8, 1996. Because of user input, the final JDBC v1.0 specification was released soon
after. The remainder of this section will cover enough information about JDBC for you to know
what it is about and how to use it effectively. This is by no means a complete overview of JDBC.
That would fill an entire book.
8.3 JDBC Goals:
Few software packages are designed without goals in mind. JDBC is one that, because of
its many goals, drove the development of the API. These goals, in conjunction with early
reviewer feedback, have finalized the JDBC class library into a solid framework for building
database applications in Java.
MODULES
8.
The modules can be included:
1.ADMIN
MODULES
2.CUSTOMER
3.CREDIT CARD
4.LOANS
1. Admin:
Login in:
To access our site ever person must login in that page it have account number and
password .the admin must enter his account number and password that values is checked in the
data base weather the give values in correct if the give value is correct means is show the next
page otherwise it return to login page with error message (Invalid account number and password
).
The is normal procedure but the user can login without his password by injecting the
SQLQuery so to solve this problem we develop the tool(WASP) to find the user input is valid
data or not that tool contain a technique is positive tainting and syntax-awareness .it check
wither the inputs is injected the present query or not .If the present value is inject the query
means that tool doesn’t send the data to the SQL Query .if the data is good means it send the
data to the database through the sqlquery.
To invoke the WASP tool the user want to click any one of radio button in the login page
once you click it check’s full project. After the admin login success admin have the sub modules
.in our project we checked all the data’s weather the give data is correct or not then we send the
data to the database. sub modules follows…..
2. Customer:
This module customer can view his details and change the password and send the
amount to another account. To process this he/she must login by his account number and
password. This module has two sub-modules.
Login in:
To access our site ever person must login in that page it have account number and password .the
customer must enter his account number and password that values is checked in the data base
weather the give values in correct if the give value is correct means is show the next page other
wise it return to login page with error message (Invalid account number and password ) .
This is normal procedure but the user can login with out his password by injecting the
Sqlquery so to solve this problem we develop the tool(WASP) to find the user input is valid data
or not .that tool contain a technique is positive tainting and syntax-awareness .it check wither the
inputs is injected the present query or not .If the present value is inject the query means that tool
doesn’t send the data to the SQL Query .if the data is good means it send the data to the
database through the sqlquery.
To invoke the WASP tool the user wants to click any one of radio button in the login
page .once you click it check’s full . After the customer login success admin have the sub
modules .in our project we checked all the data’s weather the give data is correct or not then we
send the data to the database. Sub modules follow…..
Customer details:
This is the first module of the customer in this module customer can Change his
password of his account because admin only create his account and pin number it was known to
the admin in not safe so we want to change the pin number .the customer can have access to
change it pin number only .before the value going to SQL Query the WASP tool check each
given data is good or not (ie) weather it injected the present query or not .
Transaction:
In this module the customer can send the amount from his account to another account if
that sending amount is available or not .to send the amount the customer must login and move to
the transaction module and type the account number and amount which we want to send and
press the enter button .before the value send to the database the WASP tool invoke and check the
given data is injected the present SQL Query or not then only it was send to database.
3. Credit card:
Login in:
To access our site ever person must login in that page it have account number and password .the
customer must enter his account number and password that values is checked in the data base
weather the give values in correct if the give value is correct means is show the next page other
wise it return to login page with error message (Invalid account number and password ) .
This is normal procedure but the user can login with out his password by injecting the
SQL Query so to solve this problem we develop the tool(WASP) to find the user input is valid
data or not .that tool contain a technique is positive tainting and syntax-awareness .it check
wither the inputs is injected the present query or not .If the present value is inject the query
means that tool doesn’t send the data to the SQL Query .if the data is good means it send the
data to the database through the SQL Query.
To invoke the WASP tool the user wants to click any one of radio button in the login
page .once you click it check’s full project.In this module customer can pay the bill to his due by
login in this credit card account, it have one sub-module.
Bill credit:
After the customer login successfully it show the sub module in that modules
The customer can pay his bills through his card in our project we set two option to pay
the bill one is electric bill another bill is cell phone bill. when we click bill links to show the
current account balance and we can pay the bill and the particular amount his reduce in his own
account. Before the given values going to the query the WASP tool check weather the given data
is injecting the present query or not .if it injected the query it not send the value to data base and
return to the same page with message your value is invalid.
4. Loans
In this module viewer can see what the loans available in this bank are and get the details of the
loans. This module can see any one who accessing the application
Problem Analysis:
Over the past several years, attackers have developed a wide array of sophisticated attack
techniques that can be used to exploit Hacker Detection vulnerabilities. These techniques go
beyond the well-known SQLIA examples and take advantage of esoteric and advanced SQL
constructs. Ignoring the existence of these kinds of attacks leads to the development of solutions
that only partially address the SQLIA problem. For example, developers and researchers often
assume that SQLIAs are introduced only via user input that is submitted as part of a Web form.
This assumption misses the fact that any external input that is used to build a query string
may represent a possible channel for SQLIAs. In fact, it is common to see other external sources
of input such as fields from an HTTP cookie or server variables used to build a query. Since
cookie values are under the control of the user’s browser and server variables are often set using
values from HTTP headers, these values are actually external strings that can be manipulated by
an attacker. In addition, second-order injections use advanced knowledge of vulnerable
applications to introduce attacks by using otherwise properly secured input sources .
A developer may suitably escape, typecheck, and filter input that comes from the user
and assume that it is safe. Later on, when that data is used in a different context or to build a
different type of query, the previously safe input may enable an injection attack. Once attackers
have identified an input source that can be used to exploit SQLIA vulnerability, there are many
different types of attack techniques that they can leverage.
The Attacks depending on the type and extent of the vulnerability, the results of these
attacks can include crashing the database, gathering information about the tables in the database
schema, establishing covert channels, and open-ended injection of virtually any SQL command.
Here, we summarize the main techniques for performing SQLIAs. We provide additional
information and examples of how these techniques work in.
CODING
9.
Database.java
packageDataBase;
CODING
importjava.sql.*;
importjava.util.*;
public class database {
private Statement st=null;
privateResultSetrs=null;
private Connection con=null;
private String billupdate;
private String amountcredit;
private String tarninsert;
private String customertarns;
private String insert;
private String tableName;
private String update;
private String modify;
public String query;
private String newReg;
public database()
{
try{
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
Connection con=DriverManager.getConnection("jdbc:odbc:injection");
st=con.createStatement();
}
catch(SQLException e)
{
e.printStackTrace();
}
catch(ClassNotFoundException e)
{
e.printStackTrace();
}
}
public String getTableName() {
returntableName;
}
public void setTableName(String tableName) {
System.out.println("table name " +tableName);
this.tableName = tableName;
}
public String check(String accNumber,String password) throws SQLException
{
try {
String result="";
int flag=0;
query="select * from "+ tableName + " where accountnumber="+accNumber+" AND
password='"+password+"'";
System.out.println("dsdsdsdsd "+query);
rs=st.executeQuery(query);
while(rs.next())
{
flag=1;
System.out.println("wwwwwhile loop");
}
if(flag==1)
{
System.out.println("in if block");
result="sucess";
}
else
{
System.out.println("wwewewe");
result="failure";
}
System.out.println( "data class " +result);
return result;
}
catch(Exception e)
{
return "failure";
}
}
//usercheck
public String usercheck(String accNumber,String password) throws SQLException
{
try {
String result="";
int flag=0;
query="select * from "+ tableName + " where accountnumber='"+accNumber+"' AND
password='"+password+"'";
System.out.println("dsdsdsdsd "+query);
rs=st.executeQuery(query);
while(rs.next())
{
flag=1;
System.out.println("wwwwwhile loop");
}
if(flag==1)
{
System.out.println("in if block");
result="sucess";
}
else
{
System.out.println("wwewewe");
result="failure";
}
System.out.println( "data class " +result);
return result;
}
catch(Exception e)
{
return "failure";
}
}
public String getInsert() {
return insert;
}
public void setInsert(Vector v) throws SQLException {
String values="";
System.out.println(v.size()-1);
int i;
for( i=0;i<v.size()-1;i++)
{
values=values + "'" + v.get(i)+ "',";
}
if(i<=v.size()-1)
{
values=values + "'" + v.get(i)+ "'";
}
try{
System.out.println(values);
String query="insert into "+tableName+" values ("+values+")";
System.out.println(query);
st.executeUpdate(query);
System.out.println("after exceuted");
insert="sucess";
this.insert = insert;
}
catch(Exception e)
{
insert="failure";
}
}
public String getUpdate() {
return update;
}
public void setUpdate(String password,Stringcpassword,Stringaccountnumber) throws
SQLException {
try{
String
query="update
password="+password+",cpassword='"+cpassword+"'
accountnumber='"+accountnumber+"'" ;
System.out.println(query);
st.executeUpdate(query) ;
System.out.println("after executed");
update="sucess";
this.update =update;
}
catch(Exception e)
{
update="failure";
}
}
public String getBillupdate() {
returnbillupdate;
}
"+tableName+"
set
where
public void setBillupdate(String accountnumber,String amount) throws SQLException {
try{
String
query="update
creditcard
set
amount="+amount+"
accountnumber="+accountnumber;
System.out.println(query);
st.executeUpdate(query);
System.out.println("executed sucessfully the billupdate");
this.billupdate ="sucess";
}
catch(Exception e)
{
billupdate="failure";
}
}
public String getModify() {
return modify;
}
where
public void setModify(Vector v) throws SQLException {
try{
String
query="update
customerdetails
set
name='"+v.get(0)+"',dob='"+v.get(1)+"',age='"+v.get(2)+"',gender='"+v.get(3)+"',address='"+v.g
et(4)+"',occupation='"+v.get(5)+"',acctype='"+v.get(6)+"',contactnumber='"+v.get(7)+"',account
number='"+v.get(8)+"',amount='"+v.get(9)+"',password='"+v.get(10)+"',cpassword='"+v.get(11)
+"' where accountnumber='"+v.get(8)+"'";
System.out.println("modify query " + query);
st.executeUpdate(query);
System.out.println("executed sucessfully");
this.modify = "sucess";
}
catch(Exception e)
{
modify="failure";
}
}
public String getAmountcredit() {
returnamountcredit;
}
public
void
setAmountcredit(String
accountnumber,Stringamountcredit)
throws
SQLException {
try{
String query="update customerdetails set amount="+amountcredit+" where
accountnumber='"+accountnumber+"' ";
System.out.println("amountcredit query " + query);
st.executeUpdate(query);
System.out.println("amountcredit query iiiii" );
this.amountcredit ="sucess";
}
catch(Exception e)
{
amountcredit="failure";
}
}
public String getTarninsert() {
returntarninsert;
}
public void setTarninsert(String tarninsert) throws SQLException {
try{
st.executeUpdate(tarninsert);
this.tarninsert ="sucess";
}
catch(Exception e)
{
e.printStackTrace();
}
}
public String getCustomertarns() {
returncustomertarns;
}
public void setCustomertarns(String customertarns) {
this.customertarns = customertarns;
}
public String getNewReg() {
returnnewReg;
}
public void setNewReg(Vector v,Stringacc) throws SQLException {
rs=st.executeQuery("select
accountnumber='"+acc+"'");
if(rs.next())
{
newReg="exist";
}
else
{
String values="";
System.out.println(v.size()-1);
int i;
for( i=0;i<v.size()-1;i++)
*
from
customerdetails
where
{
values=values + "'" + v.get(i)+ "',";
}
if(i<=v.size()-1)
{
values=values + "'" + v.get(i)+ "'";
}
System.out.println(values);
String query="insert into "+tableName+" values ("+values+")";
System.out.println(query);
st.executeUpdate(query);
System.out.println("after exceuted");
newReg="sucess";
this.newReg = newReg;
}
}
}
BillprocessAction.java
/*
* Generated by MyEclipse Struts
* Template path: templates/java/JavaClass.vtl
*/
packagecom.yourcompany.struts.action;
importjava.io.BufferedReader;
importjava.io.File;
importjava.io.FileReader;
importjava.io.FileWriter;
importjava.io.IOException;
importjava.sql.SQLException;
importjava.util.Vector;
importjavax.servlet.http.HttpServletRequest;
importjavax.servlet.http.HttpServletResponse;
importjavax.servlet.http.HttpSession;
importorg.apache.struts.action.Action;
importorg.apache.struts.action.ActionForm;
importorg.apache.struts.action.ActionForward;
importorg.apache.struts.action.ActionMapping;
importcom.yourcompany.struts.form.BillprocessForm;
/**
* MyEclipse Struts
* Creation date: 08-01-2008
*
* XDoclet definition:
* @struts.action path="/billprocess" name="billprocessForm" attribute="BillprocessForm"
input="/Billprocess.jsp" scope="request" validate="true"
*/
public class BillprocessActionexten
}
else if(amounthaving<pamount)
{
result="failure";
}
}
returnmapping.findForward(result);
}
}
New Registration.jsp
<html>
<head>
<title>Free Template from Interspire.com</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="keywords" content="Keywords here">
<meta name="description" content="Description here">
<meta name="Author" content="Joseph De Araujo">
<meta name="Publisher" content="Interspire.com">
<meta name="robots" content="index, follow"><!-- (Robot commands: All, None, Index, No
Index, Follow, No Follow) -->
<meta name="revisit-after" content="30 days">
<meta name="distribution" content="global">
<meta name="rating" content="general">
<meta name="Content-Language" CONTENT="english">
DataBase.databasesyntaxdatasyntax=new DataBase.databasesyntax();
datasyntax.setInsertdetails(name, dob, age, gender, address, occupation,
acctype, contactnumber, accnumber, amount, password, cpassword,"customerdetails");
String givequery=datasyntax.getInsertdetails();
System.out.println(givequery);
WASP.SyntaxAware syntax=new WASP.SyntaxAware();
syntax.function(givequery,"insert");
syntax.setInsertdetails();
name=syntax.getName();
dob=syntax.getDob();
age=syntax.getAge();
gender=syntax.getGender();
address=syntax.getAddress();
occupation=syntax.getOccupation();
acctype=syntax.getAcctype();
contactnumber=syntax.getContact();
amount=syntax.getAmount();
accnumber=syntax.getAccountnumber();
password=syntax.getPassword();
cpassword=syntax.getCpassword();
String tablename=syntax.getTablename();
String
runquery="insert
into
"+tablename+"
values('"+name+"','"+dob+"','"+age+"','"+gender+"','"+address+"','"+occupation+"','"+acctype+"',
'"+contactnumber+"','"+amount+"','"+accnumber+"','"+password+"','"+cpassword+"')";
System.out.println("qyerttgggdgdgdg " +runquery);
datasyntax.setRunquery(runquery);
result=datasyntax.getRunquery();
}
returnmapping.findForward(result);
}
TESTING
TESTING
Testing is the process of detecting errors. Testing performs a very critical role for quality
assurance and for ensuring the reliability of software. The results of testing are used later on
during maintenance also.
TYPE OF TESTING:
1.
2.
3.
4.
5.
6.
7.
UNIT TESTING
LINK TESTING
INTEGRATION TESTING
SYSTEM TESTING
ACCEPTANCE TESTING
WHITE BOX TESTING
BLACK BOX TESTING
Unit Testing
Unit testing focuses verification effort on the smallest unit of software i.e. the module.
Using the detailed design and the process specifications testing is done to uncover errors within
the boundary of the module. All modules must be successful in the unit test before the start of the
integration testing begins.
In this project each service can be thought of a module. There are so many modules like Login,
HWAdmin, MasterAdmin, Normal User, and PManager. Giving different sets of inputs has
tested each module. When developing the module as well as finishing the development so that
each module works without any error. The inputs are validated when accepting from the user.
In this application developer tests the programs up as system. Software units in a system are the
modules and routines that are assembled and integrated to form a specific function. Unit testing
is first done on modules, independent of one another to locate errors. This enables to detect
errors. Through this errors resulting from interaction between modules initially avoided.
Link Testing
Link testing does not test software but rather the integration of each module in system.
The primary concern is the compatibility of each module. The Programmer tests where modules
are designed with different parameters, length, type etc.
Integration Testing
After the unit testing we have to perform integration testing. The goal here is to see if
modules can be integrated proprerly, the emphasis being on testing interfaces between modules.
This testing activity can be considered as testing the design and hence the emphasis on testing
module interactions.
In this project integrating all the modules forms the main system. When integrating all the
modules I have checked whether the integration effects working of any of the services by giving
different combinations of inputs with which the two services run perfectly before Integration.
System Testing
Here the entire software system is tested. The reference document for this process is the
requirements document, and the goal os to see if software meets its requirements.
Here entire ‘ATM’ has been tested against requirements of project and it is checked whether all
requirements of project have been satisfied or not.
Acceptance Testing
Acceptance Test is performed with realistic data of the client to demonstrate that
the
software is working satisfactorily. Testing here is focused on external behavior of the system; the
internal logic of program is not emphasized.
In this project ‘Network Management Of Database System’ I have collected some data and tested
whether project is working correctly or not.
Test cases should be selected so that the largest number of attributes of an equivalence class is
exercised at once. The testing phase is an important part of software development. It is the
process of finding errors and missing operations and also a complete verification to determine
whether the objectives are met and the user requirements are satisfied.
White Box Testing
This is a unit testing method where a unit will be taken at a time and tested thoroughly at
a statement level to find the maximum possible errors. I tested step wise every piece of code,
taking care that every statement in the code is executed at least once. The white box testing is
also called Glass Box Testing.
I have generated a list of test cases, sample data. which is used to check all possible
combinations of execution paths through the code at every module level.
Black Box Testing
This testing method considers a module as a single unit and checks the unit at interface
and communication with other modules rather getting into details at statement level. Here the
module will be treated as a block box that will take some input and generate output. Output for a
given set of input combinations are forwarded to other modules.
CONCLUSION
CONCLUSION
This paper presented a novel highly automated approach for protecting Web applications
from SQLIAs. Our approach consists of
1) Identifying trusted data sources and marking data coming from these sources as trusted,
2) Using dynamic tainting to track trusted data at runtime, and
3) Allowing only trusted data to form the semantically relevant parts of queries such as SQL
keywords and operators.
Unlike previous approaches based on dynamic tainting, our technique is based on positive
tainting, which explicitly identifies trusted (rather than untrusted) data in a program. This way,
we eliminate the problem of false negatives that may result from the incomplete identification of
all untrusted data sources. False positives, although possible in some cases, can typically be
easily eliminated during testing. Our approach also provides practical advantages over the many
existing techniques whose application requires customized and complex runtime environments:
It is defined at the application level, requires no modification of the runtime system, and imposes
a low execution overhead.
FURTHER ENHANCEMENT
FURTHER ENHANCEMENT
In this paper we find the Hacker Detection only in the login process, they don’t care
about other process in the application after he/she sign in to application they can inject any
where in the application so we want to check the full application by using wasp , before the data
going to query we want to check the each data by use of WASP and find the injected query
before going to the database for the full application , so our future work is to check the full
application with WASP.
REFERENCES
REFERENCES
1. S.W. Boyd and A.D. Keromytis, “SQLrand: Preventing Hacker Detection Attacks,” Proc.
Second Int’l Conf. Applied Cryptography and Network Security, pp. 292-302, June 2004.
2. G.T. Buehrer, B.W. Weide, and P.A.G. Sivilotti, “Using Parse Tree Validation to Prevent
Hacker Detection Attacks,” Proc. Fifth Int’l
Workshop Software Eng. and Middleware, pp. 106-113, Sept. 2005
3. J. Clause, W. Li, and A. Orso, “Dytan: A Generic Dynamic Taint Analysis Framework,” Proc.
Int’l Symp. Software Testing and Analysis, pp. 196-206, July 2007.
4. W.R. Cook and S. Rai, “Safe Query Objects: Statically Typed Objects as Remotely
Executable Queries,” Proc. 27th Int’l Conf.
Software Eng., pp. 97-106, May 2005.
5. “Top Ten Most Critical Web Application Vulnerabilities,” OWASP Foundation,
http://www.owasp.org/documentation/
topten.html, 2005.