Detection and Prevention of SQL Injection Attacks Using Hybrid Approach
Abstract
SQL injection attacks are the most dangerous attacks in the context of web applications, as they can
bypass the system authentication and steal the confidential information of the users of the
particular web application. As the internet grows, various types of SQL injection attack come into
existence, resulting in loss of information and security. The most common SQL injection attacks
are tautology-based SQL injection attacks, piggy-backed attacks, logical SQL injection attacks,
union-based SQL injection attacks, alternate-encoding-based SQL injection attacks,
stored-procedure-based SQL injection attacks, compile-time-checking SQL injection attacks, etc.
These attacks need to be handled with serious attention so that the loss of information and
security is reduced. In the proposed system, we developed a novel approach that can detect and
prevent or handle SQL injection attacks to a very large extent. This approach is a hybrid
approach, that is, a combination of positive and negative tainting approaches. The proposed
system is tested on various input query attacks and the accuracy of the system is evaluated to be
95.12%, which is very good compared to the existing system.
Keywords: SQL Injection Attacks, Web Application, Web Security, Internet Security, Attack
Detection and Prevention.
Introduction
SQL injection attacks target systems whose databases are reachable through a web front end,
and exploit flaws in the input-validation logic of web components such as CGI scripts. Over the
last few years, application-level vulnerabilities have been exploited with serious consequences:
attackers have tricked e-commerce sites into shipping goods for free, user names and their
corresponding passwords have been harvested, and private data such as addresses, credit card
numbers and secret codes has been leaked. The reason for this is that web applications and
intrusion detection systems do not know the attacks completely and use limited sets of attack
patterns during evaluation. SQL injection attacks can be effectively prevented by deploying more
robust validation schemes at the login stage itself. Most attacks on the internet target the
vulnerabilities of web applications. Weaknesses or flaws in a web application's ability to acquire
and handle sensitive data expose sectors such as military systems, banks and e-business to great
security risk. Many groups are investigating a variety of techniques to detect and prevent SQLIAs,
and the most favoured are web frameworks, static analysis, dynamic analysis, combined static and
dynamic analysis, and machine learning techniques. Web frameworks provide filtering of the user's
input; however, they are only able to filter special characters, so other attacks cannot be
prevented. Static analysis examines the types of the input parameters and is therefore more
effective than filtering, but attacks that use the correct parameter types cannot be detected.
Dynamic analysis finds errors in web applications without fixing them, and this technique is also
not able to detect all SQLIAs. Combined static and dynamic analysis compensates for the
shortcomings of each technique and is very effective in detecting SQLIAs, but the combined use
of static and dynamic analysis is remarkably complicated. Machine learning techniques can detect
unknown attacks, but the results may contain many false positives and false negatives; in
addition, the usefulness of this technique in web applications has been tested and supported.
The remainder of this paper is organised as follows. Section 2 reviews the structure of web
applications and SQLIAs. Section 3 discusses related work. Section 4 explains the proposed
technique, which uses a mix of SQL query parameter removal and combined static and dynamic
analysis for the detection of SQLIAs. Section 5 explains the evaluation results using the proposed
technique, and Section 6 concludes.
To understand SQLIAs, a brief explanation of the structure and methods of web applications
follows. Possible SQL injection vulnerabilities and attacks on these web applications are then
examined.
A. Web Application Architecture
Although a web application is described as a program running in a web browser, web applications
generally have a three-tier architecture.
1) Presentation Tier: receives the user's input and shows the result of the processed data to the
client. It can be thought of as the graphical user interface (GUI). Flash, HTML, JavaScript, etc.
are all part of the presentation tier, which interfaces directly with the client.
2) CGI Tier: usually called the server script tier, it sits between the presentation tier and the
database tier. The data entered by the client is processed and stored in the database. The
database sends the stored data back to the CGI tier, which finally passes it to the presentation
tier for display. Hence, the data processing of the web application is done at the CGI tier. It
can be written in various server scripting languages, for example JSP, PHP, ASP, etc.
3) Database Tier: stores and manages most of the processed user input. Every critical data item
of the web application is secured and managed in the database. The database tier is responsible
for the access of authenticated customers.
Literature Survey
Chimay C. Kulkarni: Web applications today depend heavily on databases for storage and
processing of data. At the same time, many threats and security attacks are being launched
against web applications that aim to inject commands and gain unauthorised access to sensitive
data in the back-end database. Many attacks exploit vulnerabilities of web applications, the
majority of them due to input-validation flaws. If the data supplied by the client is not sanitised
correctly, it is easily possible to launch a variety of attacks that force web applications to
compromise the security of the back-end database. In this work the authors propose a novel
approach for detecting SQL injection attacks by applying a TD (temporal difference) machine
learning system. In this approach the SQL query is first compared with a knowledge base (KB); if
the query matches the KB, it is a genuine query and database access is granted. Otherwise, in the
case of SQLIA queries, they are subjected to tokenisation and then SQL query analysis is
performed. A model-based RL system using TD learning is created to distinguish genuine and
SQLIA queries. In the model, if the query traverses the path and reaches the final state with
higher rewards, it is labelled as a SQLIA query. The future work can be extended by implementing
the detection systems using different ML algorithms for canonicalisation and directory traversal
(DT) attacks.
Debabrata Kar: In this internet age, web applications have become an essential part of our lives,
but the security and privacy of sensitive data has become a major concern. Over the last several
years, SQL injection has been the most prevalent form of attack on web databases. Much research
has been done in this area, but most of the approaches in the literature have high computational
overhead or are hard to deploy in practical situations. In this paper the authors propose a
lightweight approach to prevent SQL injection attacks by a novel query transformation scheme
and hashing. They implemented it on a prototype e-commerce application, and the results of their
experiments show that it can effectively and efficiently block a variety of SQL injection attempts.
The approach can also be easily implemented on any language or database platform with little
modification. In future, further research on the query transformation scheme is needed to make
it suitable for the prevention of second-order SQL injection attempts.
Shelly Rohilla: With the widespread adoption of the web as an instant means of information
dissemination and of various transactions, including those with financial consequences such as
e-banking, e-shopping, online bill payment and so on, people are becoming more and more
dependent on web applications. Unauthorised access to this large amount of confidential data by
a crafted client can threaten its confidentiality, integrity and authority. As a result, the
system could bear heavy losses in providing proper services to its clients, or it might face total
destruction. Sometimes such a breakdown of a system can threaten the existence of an
organisation, a bank or an industry. SQL injection attacks are one of the most dangerous security
threats to web applications. Several researchers have proposed several ways to prevent SQL
injection attacks in the application layer, but very little emphasis has been laid on preventing
SQL injection attacks in stored procedures in the database layer. In this paper a novel method to
prevent SQLIA in stored procedures is proposed. The technique gives two-stage security to the
application, so that if one stage is compromised, the second stage can still prevent the attack.
The method currently works with Microsoft SQL Server, but in future it can be modified to work
with other servers too.
Amir Mohammad Sadeghian: While the use of the web for offering online services is increasing
every day, security threats on the web have also increased dramatically. One of the most serious
and dangerous web application vulnerabilities is SQL injection. A SQL injection attack occurs by
inserting a portion of malicious SQL query, through an unvalidated input from the client, into the
legitimate query statement. Consequently the database management system executes these
commands, which leads to SQL injection. A successful SQL injection attack interferes with the
confidentiality, integrity and availability of the information in the database. Based on
statistical studies, this sort of attack has a high impact on business. Finding the proper solution
to stop or mitigate SQL injection is essential. To address this issue, security researchers have
introduced various techniques to develop secure code, prevent SQL injection attacks and detect
them. In this paper they present a comprehensive review of different kinds of SQL injection
detection and prevention techniques. They criticise the strengths and weaknesses of each
technique. Such a structural classification would further help other researchers to choose the
correct technique for their further studies. In future this comprehensive classification can help
other researchers in their studies on SQL injection.
Proposed Methodology
In this phase the software design is prepared from the requirements. System design is useful in
specifying hardware and software requirements and also helps in defining the overall system
architecture. In the design phase, the programming language and platform on which the system
runs is also chosen. This paper is concerned with the prevention of SQL injection attacks that
occur in web applications having three databases as a backend with different interfaces. It is
necessary to determine the programming language and architecture, since solutions are provided
accordingly. There are several techniques used for describing the design, such as flow charts,
Data Flow Diagrams (DFD), architecture diagrams and so on. For the prevention of SQL injection
attacks, a hybrid approach is used in this work. The complete architecture and flow chart of the
proposed system, and the different parts into which the system is divided, have been given in
this phase. The proposed technique has been divided into two phases. The first phase of the
system works at compile time. The second phase of the system works at run time.
Phase I
In this phase the proposed system performs compile-time checking. It consists of syntax
evaluation of the input query.
Syntax evaluation: When a query is entered as input, the system performs syntax-aware
evaluation of the query string before it is sent to the database. The technique iterates through
the query and checks whether each of the tokens identified as keywords or operators was
constructed using only trusted data. Syntax analysis of the query is done against the different
kinds of attack syntax, for example tautology attacks, piggy-backed attacks and union attacks. In
all these kinds of attack, an attacker attacks the system by inserting illegal input into the
original query. However, the system, by evaluating the syntax analysis, reports it as
unauthorised access and declares it a type of attack. In this way different sorts of attack are
stopped at compile time in the proposed system on the basis of syntax evaluation. If all of the
keywords and operators are trusted, then this phase concludes that the query is safe and passes
it to the next phase.
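The following is an added example, not the paper's own code, of the Phase I check described above: the application marks the SQL it wrote itself as trusted and user input as untrusted, tokenises the assembled query, and rejects it if any keyword or operator token contains an untrusted character. The keyword set, the tokeniser and the Fragment type are assumptions made for the example; a real deployment would use the target database's full grammar.

```python
# Added example: positive tainting with syntax-aware evaluation (Phase I).
# Not the paper's code; keyword set and tokenizer are simplified assumptions.
import re
from dataclasses import dataclass

KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "union", "all", "insert",
    "into", "values", "update", "set", "delete", "drop", "table", "exec",
    "like", "null", "order", "by", "group", "having",
}
# Longest alternatives first so that "<=" is not split into "<" and "=".
TOKEN_RE = re.compile(
    r"--[^\n]*|/\*.*?\*/|<=|>=|<>|!=|[=<>(),;*+\-/]"   # operators and comments
    r"|'(?:[^']|'')*'"                                # string literal
    r"|\d+(?:\.\d+)?"                                 # number
    r"|[A-Za-z_][A-Za-z0-9_]*"                        # identifier or keyword
    r"|\S",                                           # anything else
    re.DOTALL,
)


@dataclass
class Fragment:
    text: str
    trusted: bool  # True for application-written SQL, False for user input


def assemble(fragments):
    """Concatenate the fragments; return the query and a per-character trust map."""
    query = "".join(f.text for f in fragments)
    trust = [f.trusted for f in fragments for _ in f.text]
    return query, trust


def classify(token):
    """Coarse token class; only keywords and operators are taint-checked."""
    if token.startswith("'"):
        return "literal"
    if token[0].isdigit():
        return "number"
    if token.lower() in KEYWORDS:
        return "keyword"
    if token[0].isalpha() or token[0] == "_":
        return "identifier"
    return "operator"  # punctuation, comparison symbols, comment markers


def check_query(fragments):
    """Return the keyword/operator tokens that contain untrusted characters.

    An empty list means every keyword and operator came from trusted code and
    the query passes Phase I; a non-empty list means the query must be blocked.
    """
    query, trust = assemble(fragments)
    violations = []
    for m in TOKEN_RE.finditer(query):
        token = m.group()
        if classify(token) in ("keyword", "operator"):
            if not all(trust[m.start():m.end()]):
                violations.append(token)
    return violations


if __name__ == "__main__":
    # Constructed inputs: a normal name, a name that happens to be a keyword
    # (stays inside the literal, so it is allowed), and a tautology.
    for user_input in ["alice", "from", "' OR '1'='1"]:
        frags = [Fragment("SELECT * FROM users WHERE name = '", True),
                 Fragment(user_input, False),
                 Fragment("'", True)]
        print(repr(user_input), "->", check_query(frags) or "ok")
```

The point the example makes is the one the paper relies on: a literal that merely contains the word `from` is accepted, because the check is on where a keyword token came from, not on which words appear, whereas the tautology is rejected because its `OR` and `=` tokens were built from untrusted bytes.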
Phase II
After Phase I the system goes into Phase II. This part has been divided into two sections. One
section comprises the training stage and the second comprises SQL injection detection. These
parts are defined in the following manner:
A. Training stage
This stage comprises the training phase of the proposed system. The system has been trained by
storing all the potential attacks in a database table, which is also called the primary list. The
algorithm works in the following manner:
Attack storage: All possible SQL injection attacks are collected and stored. Then these attacks
are split into tokens and the tokens are converted into integer numbers. The following technique
has been used for the conversion of tokens into integers:
For instance: select * from table_name. In tokenisation, when this query is split into tokens, the
system selects select, *, from as the tokens.
Number generation: After tokenisation the system generates the number for the tokens. The
formula used for this is to multiply each ASCII decimal value of a literal by its position number
in the tokens and then sum all these values.
B. SQL injection detection
This stage checks for SQL injection attacks at run time; it matches the integer of the input
query string against the saved numbers. If the number matches, the input query is blocked;
otherwise the query is processed normally. The algorithm works in the following manner:
Step II: Scan every token for identifiers and operator symbols.
Step IV: Save this number in the database as the secondary list.
Step V: Compare this integer value with each value in the primary list.
Step VI: If the numbers match, then SQL injection is detected; otherwise, process the query
normally.
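As an added example (not the paper's code), the training and detection stages above can be written as follows. Known attack queries are reduced to their keyword and operator tokens, each token stream is converted to a position-weighted ASCII sum and stored in the primary list, and at run time the input query is reduced the same way and its number looked up. The keyword set, the tokeniser and the exact weighting (character positions counted across the concatenated token stream, 1-based) are assumptions; the paper does not fix them.

```python
# Added example: Phase II signature list (training + run-time matching).
# Not the paper's code; tokenizer, keyword set and weighting are assumptions.
import re

KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "union", "all", "insert",
    "into", "values", "update", "set", "delete", "drop", "table", "exec",
    "like", "null", "order", "by", "group", "having",
}
TOKEN_RE = re.compile(
    r"--[^\n]*|<=|>=|<>|!=|[=<>(),;*+\-/]|'(?:[^']|'')*'|\d+"
    r"|[A-Za-z_][A-Za-z0-9_]*|\S"
)


def signature_tokens(query):
    """Keep keywords and operator symbols; drop identifiers and literals.

    This mirrors the paper's example, where "select * from table_name" yields
    the tokens select, *, from. Keywords are lower-cased so that a change of
    case does not change the signature.
    """
    kept = []
    for tok in TOKEN_RE.findall(query):
        low = tok.lower()
        if low in KEYWORDS:
            kept.append(low)
        elif not (tok[0].isalnum() or tok[0] in "_'"):
            kept.append(tok)  # operator, punctuation or comment marker
    return kept


def token_number(tokens):
    """Sum of (ASCII value x 1-based position) over the concatenated tokens.

    Assumption: positions run across the whole token stream, not per token.
    """
    joined = "".join(tokens)
    return sum(ord(ch) * pos for pos, ch in enumerate(joined, start=1))


def train(attack_queries):
    """Build the primary list: the numbers of all known attack queries."""
    return {token_number(signature_tokens(q)) for q in attack_queries}


def is_attack(query, primary_list):
    """Run-time check: compute the secondary number and look it up."""
    return token_number(signature_tokens(query)) in primary_list


if __name__ == "__main__":
    # Constructed training set of known attack shapes.
    primary = train([
        "select * from users where id = 1 or 1=1",
        "select * from users where name = '' union select 1,2,3 --",
    ])
    for q in ["SELECT * FROM products WHERE id = 5 OR 2=2",
              "select * from users where id = 7"]:
        print(q, "->", "blocked" if is_attack(q, primary) else "allowed")
```

Two properties of this design are worth noting when reading the evaluation. Because identifiers and literals are dropped, a stored attack matches the same attack shape against any table or with any constant, which is what lets a small primary list cover many queries. On the other hand the weighted sum is a linear function of the characters, not a collision-resistant hash, so distinct token streams can map to the same number, and a query whose keyword/operator shape is not in the primary list is never caught by this phase; that is why the paper pairs it with the Phase I syntax check.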
Like every system, the proposed system works according to a specific flow. First, the SQL query
is given as input to the system. The first phase checks the input query at compile time; the
operations performed at compile time mainly comprise syntax analysis. If SQL injection is found
in this phase, the system blocks the particular query; otherwise the query goes into the second
phase of the system.
The second phase of the system checks the input query at run time. Run time is the time during
which the program is running and produces output. If SQL injection is found in this query, the
system blocks the query and sends an alert to the database administrator. If SQL injection is not
found in the input query, the query goes to the database engine for normal processing and this
phase ends.
The proposed system presents a technique to prevent SQLIA with the help of the hybrid
approach. Results are shown for different types of input queries, and the output is expressed as
the number of queries handled by the system while checking for SQL injection attacks in the
input query. The proposed system can handle various types of attack queries. The attacks handled
by the proposed system are tautology-based SQL injection attacks, piggy-backed attacks, logical
SQL injection attacks, union-based SQL injection attacks, alternate-encoding-based SQL
injection attacks, stored-procedure-based SQL injection attacks, compile-time-checking SQL
injection attacks, etc.
The efficiency of the proposed system was tested on more than 200 input queries, and the
proposed system generates very good results. The proposed system shows a system accuracy of
95.12%, which is better than that of the existing system.
Parameter                          Value
Total no. of inputs tested         250
Total number of SQLIA handled      230
No. of various types of attacks    12
System accuracy                    95.12%
The following graph shows the accuracy comparison of the proposed and existing systems on the
basis of the attack types listed in the graph. It is concluded that the proposed system always
gives better results than the existing system for each type of attack.
[Figure: accuracy comparison of the existing system and the proposed system (y-axis 0 to 120)
for tautology attacks, union attacks, logical incorrect attacks, sub-query attacks and other
attacks.]
Conclusion
The proposed work presented a robust system for the detection and prevention of SQL injection
attacks on web applications. SQL injection attacks are the most dangerous threats to a web
application, as they can bypass the user authentication and also steal the secret and important
data of the web user. Hence, in this proposed work a novel and robust approach is developed to
detect and prevent SQL injection attacks using a hybrid approach. The proposed hybrid approach
is a combination of negative tainting as well as positive tainting, which gives very good results
compared to the existing systems. The proposed system shows 96.52% accuracy.
Future Work