Saturday, August 31, 2019
An Approach to Detect and Prevent Sql Injection Attacks in Database Using Web Service
IJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. 1, January 2011

Indrani Balasundaram (1), Dr. E. Ramaraj (2)
1 Lecturer, Department of Computer Science, Madurai Kamaraj University, Madurai
2 Director of Computer Centre, Alagappa University, Karaikudi

Abstract
SQL injection is an attack methodology that targets the data residing in a database through the firewall that shields it. The attack takes advantage of poor input validation in code and website administration. SQL Injection Attacks occur when an attacker is able to insert a series of SQL statements into a 'query' by manipulating the user input data of a web-based application; the attacker can take advantage of web application programming security flaws and pass unexpected malicious SQL statements through the web application for execution by the backend database. This paper proposes a novel specification-based methodology for the prevention of SQL injection attacks. The two most important advantages of the new approach over existing analogous mechanisms are that, first, it prevents all forms of SQL injection attacks; second, the current technique does not allow the user to access the database directly in the database server. The innovative technique "Web Service Oriented XPATH Authentication Technique" detects and prevents SQL Injection Attacks in the database; it is deployed by generating the functions of two filtration models, Active Guard and Service Detector, for the application scripts, additionally allowing seamless integration with currently-deployed systems.

General Terms: Languages, Security, Verification, Experimentation.
Keywords: Database security, world-wide web, web application security, SQL injection attacks, Runtime Monitoring.

The fear of SQL injection attacks has become increasingly frequent and serious.
SQL-Injection Attacks are a class of attacks that many of these systems are highly vulnerable to, and there is no known fool-proof defence against such attacks. Compromise of these web applications represents a serious threat to organizations that have deployed them, and also to users who trust these systems to store confidential data. In web applications that are vulnerable to SQL-Injection attacks, the attacker embeds commands in the user inputs and gets them executed [4]. The attackers directly access the database underlying an application, leak or alter confidential information and execute malicious code [1][2]. In some cases, attackers even use an SQL Injection vulnerability to take control of and corrupt the system that hosts the Web application. The number of web applications falling prey to these attacks is alarmingly high [3]. Prevention of SQLIAs is a major challenge. It is difficult to implement and enforce a rigorous defensive coding discipline, and many solutions based on defensive coding address only a subset of the possible attacks. Evaluation of the "Web Service Oriented XPATH Authentication Technique" shows that it requires no code modification and automates the detection and prevention of SQL Injection Attacks. Recent U.S. industry regulations such as the Sarbanes-Oxley Act [5], pertaining to information security, try to enforce strict security compliance by application vendors.

1. Introduction

1.1 Sample Application

Information is the most important business asset in today's environment, and achieving an appropriate level of Information Security is essential. SQL-Injection Attacks (SQLIAs) are one of the topmost threats to web application security; their consequences include financial fraud, theft of confidential data, website defacement, sabotage, espionage and cyber terrorism. The evaluation process of security tools for the detection and prevention of SQLIAs is described below.
To implement security guidelines inside or outside the database, it is recommended that access to sensitive databases be monitored. SQL injection is a hacking technique in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data. Figure 1 shows an application that contains an SQL Injection vulnerability. The example refers to a fairly simple vulnerability that could be prevented using a straightforward coding fix. This example is used for illustrative purposes because it is easy to understand and general enough to illustrate many different types of attacks. The code in the example uses the input parameters LoginID and password to dynamically build an SQL query and submit it to a database. For example, if a user submits loginID and password as "secret" and "123", the application dynamically builds and submits the query:

SELECT * FROM user_info WHERE loginID='secret' AND pass1=123

If the loginID and password match the corresponding entry in the database, the user is redirected to the user_main.aspx page; otherwise the user is redirected to the error.aspx page.

1. Dim loginId, password As String
2. loginId = Text1.Text
3. password = Text2.Text
4. cn.Open()
5. qry = "select * from user_info where LoginID='" & loginId & "' and pass1=" & password & ""
6. cmd = New SqlCommand(qry, cn)
7. rd = cmd.ExecuteReader()
8. If (rd.Read = True) Then
9.     Response.Redirect("user_main.aspx")
10. Else
11.     Response.Redirect("error.aspx")
12. End If
13. cn.Close()
14. cmd.Dispose()

Figure 1: Example of .NET code implementation.

Manuscript received January 5, 2011; revised January 20, 2011.

1.2 Techniques of SQLIAs

Most of the attacks are not used in isolation; they are used together or sequentially, depending on the specific goals of the attacker.

a. Tautologies

A tautology-based attack injects code into one or more conditional statements so that they always evaluate to true. The most common usages of this technique are to bypass authentication pages and extract data. The attack is successful when the code either displays all of the returned records or performs some action if at least one record is returned. Example: In this example attack, an attacker submits " ' or 1=1 -- ". The query for login mode is:

SELECT * FROM user_info WHERE loginID='' or 1=1 -- AND pass1=''

The code injected in the conditional (OR 1=1) transforms the entire WHERE clause into a tautology; the query evaluates to true for each row in the table and returns all of them. In our example, the returned set evaluates to a not null value, which causes the application to conclude that the user authentication was successful. Therefore, the application would redirect to user_main.aspx and grant access to the application [6][7][8].

b. Union Query

In union-query attacks, attackers inject a statement of the form UNION SELECT; because the attackers completely control the second, injected query, they can use it to retrieve information from a specified table. The result of this attack is that the database returns a dataset that is the union of the results of the original first query and the results of the injected second query. Example: An attacker could inject the text "' UNION SELECT pass1 from user_info where LoginID='secret' -- " into the login field, which produces the following query:

SELECT pass1 FROM user_info WHERE loginID='' UNION SELECT pass1 from user_info where LoginID='secret' -- AND pass1=''

Assuming that there is no login equal to "", the original first query returns the null set, whereas the second query returns data from the "user_info" table. In this case, the database would return column "pass1" for account "secret". The database takes the results of these two queries, unions them, and returns them to the application. In many applications, the effect of this operation is that the value of "pass1" is displayed along with the account information.

c. Stored Procedures

SQL Injection Attacks of this type try to execute stored procedures present in the database. Today, most database vendors ship databases with a standard set of stored procedures that extend the functionality of the database and allow for interaction with the operating system. Therefore, once an attacker determines which backend database is in use, SQLIAs can be crafted to execute stored procedures provided by that specific database, including procedures that interact with the operating system. It is a common misconception that using stored procedures to write Web applications renders them invulnerable to SQLIAs. Developers are often surprised to find that their stored procedures can be just as vulnerable to attacks as their normal applications [18, 24]. Additionally, because stored procedures are often written in special scripting languages, they can contain other types of vulnerabilities, such as buffer overflows, that allow attackers to run arbitrary code on the server or escalate their privileges.

CREATE PROCEDURE DBO.UserValid(@LoginID varchar2, @pass1 varchar2)
AS
EXEC("SELECT * FROM user_info WHERE loginID='" + @LoginID + "' and pass1='" + @pass1 + "'");
GO

Example: This example demonstrates how a parameterized stored procedure can be exploited via an SQLIA. In the example, we assume that the query string constructed at lines 5, 6 and 7 of our example has been replaced by a call to the stored procedure defined in Figure 2.
The stored procedure returns a true/false value to indicate whether the user's credentials authenticated correctly. To launch an SQLIA, the attacker simply injects " '; SHUTDOWN; -- " into either the LoginID or pass1 field. This injection causes the stored procedure to generate the following query:

SELECT * FROM user_info WHERE loginID='secret' AND pass1=''; SHUTDOWN; --

At this point, the attack works like a piggy-back attack. The first query is executed normally, and then the second, malicious query is executed, which results in a database shutdown. This example shows that stored procedures can be vulnerable to the same range of attacks as traditional application code [6][11][12][10][13][14][15].

d. Extended Stored Procedures

IIS (Internet Information Services) Reset: There are several extended stored procedures that can cause permanent damage to a system [19]. An extended stored procedure can be executed by using the login form with an injected command as the LoginId:

LoginId: ';exec master..xp_xxx;--
Password: [Anything]

LoginId: ';exec master..xp_cmdshell 'iisreset';--
Password: [Anything]

select password from user_info where LoginId=''; exec master..xp_cmdshell 'iisreset'; --' and Password=''

This attack is used to stop the web server service of a particular Web application. Stored procedures primarily consist of SQL commands, while XPs can provide entirely new functions via their code. An attacker can take advantage of an extended stored procedure by entering a suitable command. This is possible if there is no proper input validation. xp_cmdshell is a built-in extended stored procedure that allows the execution of arbitrary command lines. For example, exec master..xp_cmdshell 'dir' will obtain a directory listing of the current working directory of the SQL Server process. In this example, the attacker may enter the following input into a search form to carry out the attack.
When the query string is parsed and sent to SQL Server, the server will process the following code:

SELECT * FROM user_info WHERE input text ='' exec master..xp_cmdshell 'LoginId /DELETE'--'

Here, the first single quote entered by the user closes the string, and SQL Server executes the next SQL statements in the batch, including a command to delete a LoginId from the user_info table in the database.

e. Alternate Encodings

Alternate encodings do not provide any unique way to attack an application; they are simply an enabling technique that allows attackers to evade detection and prevention techniques and exploit vulnerabilities that might not otherwise be exploitable. These evasion techniques are often necessary because a common defensive coding practice is to scan for certain known "bad characters," such as single quotes and comment operators. To evade this defense, attackers have employed alternate methods of encoding their attack strings (e.g., using hexadecimal, ASCII, and Unicode character encoding). Common scanning and detection techniques do not try to evaluate all specially encoded strings, thus allowing these attacks to go undetected. Contributing to the problem is that different layers in an application have different ways of handling alternate encodings. The application may scan for certain types of escape characters that represent alternate encodings in its language domain. Another layer (e.g., the database) may use different escape characters or even completely different ways of encoding. For example, a database could use the expression char(120) to represent an alternately-encoded character "x", but char(120) has no special meaning in the application language's context. An effective code-based defense against alternate encodings is difficult to implement in practice because it requires developers to consider all of the possible encodings that could affect a given query string as it passes through the different application layers.
Therefore, attackers have been very successful in using alternate encodings to conceal their attack strings. Example: Because every type of attack could be represented using an alternate encoding, here we simply provide an example of how esoteric an alternatively-encoded attack could appear. In this attack, the following text is injected into the login field: "secret'; exec(0x73687574646f776e) -- ". The resulting query generated by the application is:

SELECT * FROM user_info WHERE loginID='secret'; exec(char(0x73687574646f776e)) -- AND pass1=''

This example makes use of the char() function and of ASCII hexadecimal encoding. The char() function takes as a parameter an integer or hexadecimal encoding of a character and returns an instance of that character. The stream of numbers in the second part of the injection is the ASCII hexadecimal encoding of the string "SHUTDOWN". Therefore, when the query is interpreted by the database, it results in the execution, by the database, of the SHUTDOWN command. Reference: [6]

f. Deny Database Service

This attack is used against websites to cause a denial of service by shutting down the SQL Server. A powerful command recognized by SQL Server is SHUTDOWN WITH NOWAIT [19]. This causes the server to shut down, immediately stopping the Windows service. After this command has been issued, the service must be manually restarted by the administrator.

select password from user_info where LoginId=''; shutdown with nowait; --' and Password='0'

The '--' character sequence is the 'single line comment' sequence in Transact-SQL, and the ';' character denotes the end of one query and the beginning of another. If the attacker has used the default sa account, or has acquired the required privileges, SQL Server will shut down and will require a restart in order to function again.
This attack is used to stop the database service of a particular web application.

Select * from user_info where LoginId='1; xp_cmdshell 'format c: /q /yes'; drop database mydb; -- AND pass1 = 0

This command is used by the attacker to format the C: drive.

2. Related Work

There are existing techniques that can be used to detect and prevent input manipulation vulnerabilities.

2.1 Web Vulnerability Scanning

Web vulnerability scanners crawl and scan for web vulnerabilities by using software agents. These tools perform attacks against web applications, usually in a black-box fashion, and detect vulnerabilities by observing the applications' responses to the attacks [18]. However, without exact knowledge of the internal structure of applications, a black-box approach might not have enough test cases to reveal existing vulnerabilities and may also produce false positives.

2.2 Intrusion Detection System (IDS)

Valeur and colleagues [17] propose the use of an Intrusion Detection System (IDS) to detect SQLIAs. Their IDS is based on a machine learning technique that is trained using a set of typical application queries. The technique builds models of the typical queries and then monitors the application at runtime to identify queries that do not match the model; that is, it builds expected query models and then checks dynamically-generated queries for compliance with the model. Their technique, however, like most techniques based on learning, can generate a large number of false positives in the absence of an optimal training set. Su and Wassermann [8] propose a solution to prevent SQLIAs by analyzing the parse tree of the statement, generating custom validation code, and wrapping the vulnerable statement in the validation code. They conducted a study using five real-world web applications and applied their SQLCHECK wrapper to each application. They found that their wrapper stopped all of the SQLIAs in their attack set without generating any false positives.
While their wrapper was effective in preventing SQLIAs with modern attack structures, we hope to shift the focus from the structure of the attacks onto removing the SQLIVs.

2.3 Combined Static and Dynamic Analysis

AMNESIA is a model-based technique that combines static analysis and runtime monitoring [1][7]. In its static phase, AMNESIA uses static analysis to build models of the different types of queries an application can legally generate at each point of access to the database. In its dynamic phase, AMNESIA intercepts all queries before they are sent to the database and checks each query against the statically built models. Queries that violate the model are identified as SQLIAs and prevented from executing on the database. In their evaluation, the authors have shown that this technique performs well against SQLIAs. The primary limitation of this technique is that its success depends on the accuracy of its static analysis for building query models. Certain types of code obfuscation or query development techniques could make this step less precise and result in both false positives and false negatives. Livshits and Lam [16] use static analysis techniques to detect vulnerabilities in software. The basic approach is to use information flow techniques to detect when tainted input has been used to construct an SQL query. These queries are then flagged as SQLIA vulnerabilities. The authors demonstrate the viability of their technique by using this approach to find security vulnerabilities in a benchmark suite. The primary limitation of this approach is that it can detect only known patterns of SQLIAs and, because it uses a conservative analysis and has limited support for untainting operations, can generate a relatively high number of false positives.
Wassermann and Su propose an approach that uses static analysis combined with automated reasoning to verify that the SQL queries generated in the application layer cannot contain a tautology [9]. The primary drawback of this technique is that its scope is limited to detecting and preventing tautologies; it cannot detect other types of attacks.

3. Proposed Technique

This technique is used to detect and prevent SQLIAs with runtime monitoring. The insight behind the technique is that, for each application, when the login page is redirected to our checking page, SQL Injection attacks are detected and prevented without stopping legitimate accesses. Moreover, this technique proved to be efficient, imposing only a low overhead on the Web applications. The contributions of this work are as follows: a new automated technique for preventing SQLIAs where no code modification is required; a Web service which has the functions db_2_XMLGenerator and XPATH_Validator, XPATH being an XML query language used to select specific parts of an XML document (XPATH is simply the ability to traverse the nodes of an XML document and obtain information), which is used for the temporary storage of sensitive data from the database; the Active Guard model, which is used to detect and prevent SQL Injection attacks; and the Service Detector model, which allows the authenticated or legitimate user to access the web application. SQLIAs are captured by the altered logical flow of the application. The innovative technique (Figure 1) monitors dynamically generated queries with the Active Guard model and the Service Detector model at runtime and checks them for compliance. If the data comparison violates the model, the input represents a potential SQLIA and is prevented from executing on the database. This proposed technique consists of two filtration models to prevent SQLIAs: 1) the Active Guard filtration model, 2) the Service Detector filtration model.
The steps are summarized here and then described in more detail in the following sections.

a. Active Guard Filtration Model

The Active Guard Filtration Model in the application layer builds a Susceptibility detector to detect and remove susceptibility characters or meta characters, preventing malicious attacks from accessing the data in the database.

b. Service Detector Filtration Model

The Service Detector Filtration Model in the application layer validates user input against XPATH_Validator, where the sensitive data from the database are stored, at the second-level filtration model. The user input fields are compared with the data existing in XPATH_Validator; if they are identical, the authenticated/legitimate user is allowed to proceed.

c. Web Service Layer

The Web service builds two types of execution process: the DB_2_Xml generator and XPATH_Validator. The DB_2_Xml generator is used to create a separate temporary store, an Xml document generated from the database, in which the sensitive data are stored for XPATH_Validator. The user input field from the Service Detector is compared with the data existing in XPATH_Validator; if the data are identical, XPATH_Validator sends a flag with the count iterator value = 1 to the Service Detector, signifying that the user data is valid.

Procedures Executed in Active Guard

Function stripQuotes(ByVal strWords As String) As String
    ' Double every single quote so it cannot terminate a string literal
    stripQuotes = Replace(strWords, "'", "''")
    Return stripQuotes
End Function

Function killChars(ByVal strWords As String) As String
    ' Remove SQL keywords, delimiters and comment markers (case-insensitive)
    Dim arr1 As New ArrayList
    arr1.Add("select")
    arr1.Add("--")
    arr1.Add("drop")
    arr1.Add(";")
    arr1.Add("insert")
    arr1.Add("delete")
    arr1.Add("xp_")
    arr1.Add("'")
    Dim i As Integer
    For i = 0 To arr1.Count - 1
        strWords = Replace(strWords, arr1.Item(i), "", , , CompareMethod.Text)
    Next
    Return strWords
End Function
Figure 2: Proposed Architecture

Procedures Executed in Service Detector

' The attribute preceding the line-continuation "_" was lost in extraction; <WebMethod()> is assumed.
<WebMethod()> _
Public Sub Db_2_XML()
    ' Snapshot the sensitive columns into an XML document for XPATH_Validator
    adapt = New SqlDataAdapter("select LoginId,Password from user_info", cn)
    dst = New DataSet("Main_Tag")
    adapt.Fill(dst, "Details")
    dst.WriteXml(Server.MapPath("XML_DATA\XML_DATA.xml"))
End Sub

Procedures Executed in Web Service

<WebMethod()> _
Public Function XPath_XML_Validation(ByVal userName As String, ByVal Password As Integer) As Integer
    Dim xpathdoc As New XPathDocument(Server.MapPath("XML_DATA\XML_DATA.xml"))
    Dim navi As XPathNavigator = xpathdoc.CreateNavigator()
    ' Select the Details node whose LoginId and Password both match the input
    Dim expr As XPathExpression = navi.Compile("/Main_Tag/Details[LoginId='" & userName & "' and Password=" & Password & "]")
    Dim nodes As XPathNodeIterator = navi.Select(expr)
    ' Node count is the flag returned to the Service Detector: 1 = valid, 0 = invalid
    Dim count2 As Integer = nodes.Count
    Return count2
End Function

Identify hotspot: This step performs a simple scan of the application code to identify hotspots. Each hotspot is verified with Active Guard to remove the susceptibility characters; the sample code (Figure 2) states two hotspots with a single query execution. (In .NET based applications, interactions with the database occur through calls to specific methods in the System.Data.SqlClient namespace, such as SqlCommand.ExecuteReader(String).) The hotspot is instrumented with monitor code, which matches dynamically generated queries against query models. If a generated query is matched by Active Guard, then it is considered an attack.

3.1 Comparison of Data at Runtime Monitoring

When a Web application fails to properly sanitize the parameters which are passed to dynamically created SQL statements (even when using parameterization techniques), it is possible for an attacker to alter the construction of back-end SQL statements.
When an attacker is able to modify an SQL statement, the statement will execute with the same rights as the application user; when using the SQL server to execute commands that interact with the operating system, the process will run with the same permissions as the component that executed the command (e.g., database server, application server, or Web server), which is often highly privileged. The current technique (Figure 1) adds Active Guard to validate the user input fields, detect meta characters and stop the malicious attacker. Transact-SQL statements coming directly from user input are prohibited. For each hotspot, a Susceptibility detector is statically built in Active Guard to check whether any malicious strings or characters append SQL tokens (SQL keywords and operators), delimiters, or string tokens to the legitimate command. Concurrently, in the Web service, the DB_2_Xml Generator generates an XML document from the database, which is stored for XPATH_Validator. The Service Detector receives the validated user input from Active Guard and sends it through the SOAP (Simple Object Access Protocol) protocol to the web service; in the web service, the user input data is compared with XML_Validator. If it is identical, XML_Validator sends a flag with an iterator count value = 1 to the Service Detector through the SOAP protocol, and the legitimate/valid user is authenticated to access the web application. If the data mismatches, XML_Validator sends a flag with a count value = 0 to the Service Detector through the SOAP protocol, and the illegitimate/invalid user is not authenticated to access the web application. In Figure 3, in the existing technique, query validation occurs to validate an authenticated user and the user directly accesses the database, whereas in the current technique there is no query validation.
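The two filtration models described above (the Active Guard stripQuotes/killChars procedures, then the Service Detector's lookup of the input in the DB_2_Xml snapshot), placed beside the Figure 1 concatenation, as an added example that is not the paper's own code. It assumes an in-memory SQLite table standing in for user_info, constructed sample rows, and that an input the guard had to alter counts as carrying meta characters; the XPath predicate is split in two because Python's ElementTree does not support "and" inside a predicate.

```python
# Added example (not from the paper): the Figure 1 login built by string
# concatenation, beside the paper's two filtration models (Active Guard,
# then Service Detector looking the input up in the DB_2_Xml snapshot),
# run over inputs the paper discusses. The user_info rows are constructed.
import re
import sqlite3
import xml.etree.ElementTree as ET

USER_INFO = [("secret", 123), ("alice", 4471)]  # constructed sample rows


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_info (LoginID text, pass1 integer)")
    conn.executemany("insert into user_info values (?, ?)", USER_INFO)
    return conn


# --- Figure 1, line 5: the concatenation the paper shows (pass1 unquoted) ---
def build_login_query(login_id: str, password: str) -> str:
    return ("select * from user_info where LoginID='" + login_id +
            "' and pass1=" + password)


def vulnerable_login(conn: sqlite3.Connection, login_id: str, password: str) -> bool:
    """rd.Read() in Figure 1: True as soon as any row comes back."""
    try:
        return conn.execute(build_login_query(login_id, password)).fetchone() is not None
    except (sqlite3.Error, sqlite3.Warning):
        # SQLite refuses statement batches such as "'; SHUTDOWN; --" that
        # SQL Server would run; a rejected statement counts as a failed login.
        return False


# --- Active Guard: the paper's stripQuotes and killChars, token list as shown ---
KILL_LIST = ["select", "--", "drop", ";", "insert", "delete", "xp_", "'"]


def strip_quotes(words: str) -> str:
    return words.replace("'", "''")


def kill_chars(words: str) -> str:
    for token in KILL_LIST:  # CompareMethod.Text in the paper: case-insensitive
        words = re.sub(re.escape(token), "", words, flags=re.IGNORECASE)
    return words


def active_guard(words: str) -> tuple[str, bool]:
    """Returns (sanitized value, flagged). Assumption made here: an input the
    guard had to alter is treated as carrying susceptibility characters.
    Note that a legitimate value containing a listed substring (e.g. a login
    "deleter") is altered too, so the substring list needs care."""
    cleaned = kill_chars(strip_quotes(words))
    return cleaned, cleaned != words


# --- Web service: DB_2_Xml generator and XPath_XML_Validation ---
def db_2_xml(conn: sqlite3.Connection) -> ET.Element:
    """Snapshot LoginId/Password into <Main_Tag><Details> as Db_2_XML does."""
    root = ET.Element("Main_Tag")
    for login_id, password in conn.execute("select LoginID, pass1 from user_info"):
        details = ET.SubElement(root, "Details")
        ET.SubElement(details, "LoginId").text = login_id
        ET.SubElement(details, "Password").text = str(password)
    return root


def xpath_xml_validation(root: ET.Element, user_name: str, password: str) -> int:
    """Count of Details nodes matching both fields (the paper's iterator count).
    ElementTree has no 'and' inside a predicate, so the paper's
    [LoginId='u' and Password=p] becomes two chained predicates. The values
    are concatenated into the expression just as navi.Compile does in the
    paper; Active Guard is what keeps quotes out of them beforehand."""
    expr = f"./Details[LoginId='{user_name}'][Password='{password}']"
    try:
        return len(root.findall(expr))
    except SyntaxError:  # malformed predicate: nothing matches
        return 0


# --- Service Detector: second filtration model, flag 1 = legitimate ---
def guarded_login(conn, snapshot: ET.Element, login_id: str, password: str) -> bool:
    clean_id, flagged_id = active_guard(login_id)
    clean_pw, flagged_pw = active_guard(password)
    if flagged_id or flagged_pw:
        return False  # meta characters found: rejected before any lookup
    return xpath_xml_validation(snapshot, clean_id, clean_pw) == 1


if __name__ == "__main__":
    db = make_db()
    xml_snapshot = db_2_xml(db)
    # Inputs taken from the paper's examples plus one legitimate login.
    cases = [("secret", "123"),
             ("' or 1=1 --", "x"),            # tautology
             ("secret", "''; SHUTDOWN; --")]  # piggy-back
    for login_id, password in cases:
        print(f"{login_id!r:24} vulnerable={vulnerable_login(db, login_id, password)!s:5} "
              f"guarded={guarded_login(db, xml_snapshot, login_id, password)}")
```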
From Active Guard, the validated user input fields are compared with the Service Detector, where the sensitive data is stored. The db_2_XML Generator is used to generate an XML file and initialize the XPathDocument class; the Navigator instance is used to search, with a cursor, the selected XML document. Within the XPATH validator, Compile is the method used to match the element against the existing document. The navigator is created from the XPathDocument; using the Select method, the result is passed to the XPathNodeIterator. The node iterator count value may be 1 or 0. If the flag value received in the Service Detector is 1, the user is considered a legitimate user and allowed to access the web application; likewise, if the flag value received in the Service Detector is 0, the user is considered a malicious user and is rejected/discarded from accessing the web application. If the script builds an SQL query by concatenating hard-coded strings together with a string entered by the user, then as long as the injected SQL code is syntactically correct, tampering cannot be detected programmatically. String concatenation is the primary point of entry for script injection. Therefore, we compare all user input carefully with the Service Detector (second filtration model). If the user input and the sensitive data are identical, the constructed SQL commands are executed in the Application server. Existing techniques directly allow accessing the database in the database server after the query validation. The Web Service Oriented XPATH Authentication Technique does not allow direct access to the database in the database server.

4. Evaluations

The proposed technique was deployed and a few trial runs were made on the web server.

Table 1: SQLIA Prevention Accuracy

SQL Injection Type        | Unprotected   | Protected
1. Tautologies            | Not Prevented | Prevented
2. Piggy Backed Queries   | Not Prevented | Prevented
3. Stored Procedure       | Not Prevented | Prevented
4. Alternative Encoding   | Not Prevented | Prevented
5. Union                  | Not Prevented | Prevented

Table 2: Execution Time comparison for proposed technique

Total Number of Entries in Database | Execution Time in Milliseconds, Existing Technique | Execution Time in Milliseconds, Proposed Technique
1000 | 1640000 | 46000
2000 | 1420000 | 93000
3000 | 1040000 | 6000
4000 | 1210000 | 62000
5000 | 1670000 | 78000
6000 | 1390000 | 107000

Table 2 above illustrates the execution time taken by the proposed technique compared with the existing technique.

4.1 SQLIA Prevention Accuracy

Both the protected and the unprotected web applications were tested using different types of SQLIAs, namely tautologies, union, piggy-backed queries, inserting additional SQL statements, second-order SQL injection and various other SQLIAs. Table 1 shows that the proposed technique prevented all types of SQLIAs in all cases. The proposed technique is thus a secure and robust solution to defend against SQLIAs.

4.2 Execution Time at Runtime Validation

The runtime validation incurs some overhead in terms of execution time for both the Web Service Oriented XPATH Authentication Technique and the SQL-Query based Validation Technique. Taking a sample website, ETransaction, we measured the extra computation time at the query validation; this delay has been amplified in the graphs (Figure 4 and Figure 5) to distinguish between the time delays. The bar chart shows that the data validation in XML_Validator performs better than query validation. In query validation (Figure 5), the user input is generated as a query in the script engine, then it is parsed into separate tokens, then the user input is compared with the statistically generated data, and if it is malicious, an error report is generated.
In the Web Service Oriented XPATH Authentication Technique (Figure 4), user input is generated as a query in the script engine, then it is parsed into separate tokens and sent through the SOAP protocol to the Susceptibility Detector; the validated user data is then sent sequentially to the Service Detector through the SOAP protocol, where the user input is compared with the sensitive data temporarily stored in the dataset. If it is malicious data, it is prevented; otherwise the legitimate data is allowed to access the Web application.

[Figure 4: Execution Time comparison for proposed technique (data validation in X-path) with existing technique. Bar chart; x-axis: Total Number of Entries in Database (1000 to 6000); y-axis: Execution time in Milli Sec (0 to 1800000); series: Proposed Technique, Existing Technique.]

5. Conclusion

SQL Injection Attacks attempt to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. Any procedure that constructs SQL statements could potentially be vulnerable, as the diverse nature of SQL and the methods available for constructing it provide a wealth of coding options. The primary form of SQL injection consists of direct insertion of code into parameters that are concatenated with SQL commands and executed.
This technique is used to detect and prevent the SQLI flaw (susceptibility characters and exploiting SQL commands) in the Susceptibility Detector and to stop the susceptibility attacker. The Web Service Oriented XPATH Authentication Technique checks the user input against a valid database which is stored separately in XPATH and does not affect the database directly; the validated user input field is then allowed to access the web application, and the check is also used to improve the performance of the server-side validation. This proposed technique was able to suitably classify the attacks performed on the applications without blocking legitimate accesses to the database (i.e., the technique produced neither false positives nor false negatives). These results show that our technique represents a promising approach to countering SQLIAs and motivate further work in this direction.

Prof. E. Ramaraj is presently working as a Technology Advisor, Madurai Kamaraj University, Madurai, Tamilnadu, India, on lien from Director, Computer Centre at Alagappa University, Karaikudi. He has 22 years of teaching experience and 8 years of research experience. He has presented research papers in more than 50 national and international conferences and published more than 55 papers in national and international journals. His research areas include data mining, software engineering, database and network security.

B. Indrani received the B.Sc. degree in Computer Science in 2002 and the M.Sc. degree in Computer Science and Information Technology in 2004. She has completed an M.Phil. in Computer Science. She worked as a Research Assistant in the Smart and Secure Environment Lab under IIT Madras. Her current research interests include database security.
Friday, August 30, 2019
Possible Solutions to Self-Harm
A large number of people in western society have found self-mutilation as a means to "escape" from the problems haunting their everyday life. The act of cutting oneself has been proven to release chemical compounds into the body to momentarily clear the mind of such problems. These compounds, known as endorphins, relieve the body of whatever tension and stress is undergone in the individual's life. Harming one's self is a serious problem that must be assessed and treated in an appropriate manner that will not only stop the act within the individual but also remove the source of such trauma in their life. The cause of such actions has been known to come from a large multitude of personal problems: problems such as an unsuitable household, difficulties within a person's social background, or even the image they see within themselves. Professor Keith Hawton oversaw a study of the number of adolescents who admitted to inflicting harm upon themselves. His survey took place in forty-one schools involving 6,020 subjects aged fifteen to sixteen. The results were that "398 (6.8%) participants reported an act of deliberate self harm in the past year" (Hawton 2002). According to the results, more females admitted to this act than males. Of those females who were accountable for deliberate self-harm, they confessed the causes being their "friends, self harm by family members, drug misuse, depression, anxiety, impulsivity, and low self esteem" (Hawton 2002). The factors found within the males were drug use, suicidal behavior found within their friends and family, and low self-esteem. Patricia and Peter Adler discuss the effects undergone by the individual through the expectations of those around that person.
In their writing, "The Glorified Self", the Adlers present how a society creates an image of those within it and the pressure placed upon those people creates an inner conflict "between their desire for recognition, flattery, and importance and the inclination to keep feeding this self-affirming element" (Adler 195). As society continues to surround the individual, the pressure increases as the person begins to take on a role which they may not feel is best suited for them, yet must be upheld in order to feel better accepted within their society. Such expectations are found in those closest to that person: parents, siblings, friends or anyone who could affect that person's life. These expectations can create a dilemma within the individual, whether they wish to be who they want or who they are required to be. Through the burden of deciding on who they wish to become, the troubled person begins to turn away from the sources of their problems and look for a quick escape. That escape varies among the individuals experiencing such complications in their life, anything from substance abuse to physically abusing their own body. The human body finds whatever means necessary in order to cope with the difficulties presented in their life. This coping mechanism is the brain's way of releasing the stress that builds up over time from dealing with whatever obstacles are laid out before the person. In order to stop such actions taking place, the source of the problem(s) must then be removed, or toned down enough to no longer give the person the desire to find a momentary escape. Removing all sources of responsibilities in a person's life is nearly impossible. Instead of removing the source of the problem, a more possible solution is to show the people undergoing such problems that they aren't alone in their responsibilities.
Giving out a hand to those in need will show them that they don't need to hold their problems to themselves. Encourage a troubled individual to express their fears, problems, and concerns in hopes that in doing so, that person may then be able to realize that as tough as things may be, they are never alone. Another way to relieve stress in a positive manner is meditation. True, this seems like it won't do much, but "that small amount of peace in your day can help you deal with or even release stress" (Alvarez 2012). There are countless ways to combat the problems in an individual's life, remedies that expand anywhere from eating healthy to taking a few minutes in their day to meditate or exercise.

Sources Cited
Adler, Patricia A., and Peter Adler. "The Glorified Self." Social Theory. Ed. Roberta Garner. 2nd ed. [S.l.]: Univ Of Toronto, 2009. 195-207. Print.
Alvarez, Manny. "10 Ways to Relieve Stress Naturally." Newsgroup. Fox News. Fox News, 9 Aug. 2012. Web. 31 Mar. 2013.
Hawton, Keith. "Deliberate Self Harm in Adolescents: Self Report Survey in Schools in England." Ncbi.nlm.nih.gov/. National Center for Biotechnology Information, 23 Nov. 2002. Web. 31 Mar. 2013.
Thursday, August 29, 2019
A Shakespearean Prep
Diversity: can it be defined? Shouldn't every person be a living example of it? I am as different as night and day. I am probably the only Mexican in existence who dislikes Mexican food. My main contradiction, though, is my personality and my love for theater. I am a Dallasite through and through. From going to private school to shopping at Marcus to driving a BMW, I am the embodiment of a teenager living a privileged life. There is a side of me, however, that goes much deeper: a more artistic side. Though my body may be devoted to the prep lifestyle, my soul has one passion: theater. I have always felt comfortable on stage. It's actually more than comfort, it's a sense of belonging. Acting is the essence of my being and I often use my craft to define myself. Yet, how can I explain to my friends the beauty of a Shakespearean couplet when the only rhymes they care about are in the latest hip-hop hit? Here I find myself at the ultimate contradiction: the theater kid who conforms to the expectations of her seemingly homogeneous friends. But as the boisterous theater kid, I am unable to be stifled even by my best friends. Through my own diversity, I have overcome this obstacle. I embrace my individuality around my friends and believe that it is because of this that they love me as they do. Instead of listening to rap, I hum tunes from "Rent" in school and randomly quote Shakespeare during car rides or dinner parties. This path to individuality has not been easy. I was not always accepted for my theatrical tendencies. In fact, I lost many a friend because I am, well, a drama queen. Also, my life is not filled with others who, like me, love the spotlight (an actual spotlight, that is) and the Bard. Yet, in high school I began to find a few like me, three. But this was all I needed. Once I found this small group, I could easily go back to my other friends feeling more comfortable in my own skin.
Thus, all my contradictions (my inability to memorize chemical equations while easily learning lines of Shakespeare) are what make me quirky. I'm the loud theater freak whose friends are quiet and non-confrontational. I'm that actress who spends time with girls "who lunch." But most important, I am myself.
Wednesday, August 28, 2019
A policy dictating mandatory marriage classes before couples get Essay - 2
A policy dictating mandatory marriage classes before couples get married should be introduced - Essay Example This article therefore is a reflection of the whole process of working on this project. The reflection outlines the lessons that I have learned, the challenges that I encountered, and what can be done to bring about improvement if a similar project is to be embarked on again. The process of working on this project was long and I learned many lessons from it. Generally, three of them are patience, endurance and planning. Planning was very vital to beat the deadlines. There was a need for strict adherence to the time schedule and this called for self-discipline, endurance and patience. Endurance and discipline were especially significant because a lot of time was required in sourcing the correct materials from the internet. Writing the proposal and working on the presentation was quite exhausting and required a strong will to complete. Nevertheless, the project proved useful and I learned a lot about the topic and academic writing, as I continue to discuss below. The topic of the project made it possible to view divorce from a different perspective. I now understand divorce as a serious issue whose effect can be felt by the whole nation; I did not think that divorce was this serious before. The view that marriage and, specifically, wrangles in marriage are a private issue was corrected. I found out that these wrangles are often due to lack of counseling and when divorce is the end product, the government, in the long run, has some costs to incur. 'Marriage is a public good' was a phrase I found appropriate in encouraging pre-marital counseling. The topic also made it possible for me to understand that marriage is not a bed of roses since it is a union of two human beings, and since human beings are not angels they are likely to conflict with each other. I must say I had not seriously thought of marriage from this angle.
This project involved a lot of writing and as a result I learned a lot about carrying out a research and
Tuesday, August 27, 2019
All DP- CH-1 Essay Example | Topics and Well Written Essays - 2750 words
All DP- CH-1 - Essay Example The paper discussed the prevalence of diabetes in South Asian women in Los Angeles County in a critical manner highlighting reasons and impact in the recent run. It was found that South Asian women suffer from diabetes mainly because of the genetic and lifestyle issues. They are well educated and supported by strong demographics still lack focus and dedication to deal with the diabetes issue. One of the most critical factors pertaining to the treatment of diabetes is based on the notion that, it cannot be treated and thus can only be managed and controlled. However, in many cases, individuals do not even take initiatives in controlling it rather than getting affected by it to the core and then taking actions and initiatives. South Asian women have strong demographics and weak social factors making them all the more vulnerable towards the treatment of diabetes in the long run. This report makes a conclusion that South Asian women are exposed to little awareness programs that affect their thought process. The problem lies in dealing with the diabetes issue that is dependent on the understanding of reasons behind the rise of diabetes (Mather and Keen, 1985). In the past, it was found that health intervention programs have been of great help but considering the need of mutual cooperation and coordination; at times; healthcare models and programs create very little impact and in the case of South Asian women, it was found that healthcare models affect for a brief period of time and then are of little use and importance considering the lack of continuation and zeal to take positive initiatives.
Monday, August 26, 2019
Chosen career Personal Statement Example | Topics and Well Written Essays - 500 words
Chosen career - Personal Statement Example Tax advisors are supposed to provide their expert advice to clients who operate in different sectors of the economy. I have experience as an auditor and experience of working with clients, which makes it easier to understand the economy and the corporate world. Taxation can be a complicated career as it requires understanding and interpreting the complex taxation laws and legislation. Taxation advisors stay up-to-date with the changing tax laws and explain their implications in simple terms to their clients. As a tax advisor, I would serve as a corporate tax advisor where I have to ensure that the clients are not paying extra taxes or more than what is necessary. The other type of tax advising is for individuals who have large assets and are subjected to taxes. I chose this career because I believe I have the potential to understand this field and take interest in it to serve the clients. It is very important for tax advisors to have an interest in the field so that they can understand the laws and explain them in simpler terms to the clients. This requires a good understanding and knowledge of the terms and techniques. These clients can be businesses, individuals, partnerships, small or large companies, and estates. They rely on tax advisors to pay their taxes and ensure their security. The firm I currently work in is a large company which specializes in tax advising. This would allow me to specialize in one field and polish my skills to the best. I would have specialized clients and my concern will be with specialized tax laws on which I can provide a detailed study. I wish to pursue my career as a tax advisor and then operate my own practice as a professional tax advisor. There are several small business owners and low income individuals who get caught up in the complexities of tax laws and practices.
As a tax advisor, I would be able to help them with their taxes and ensure that they are giving what they should and nothing
Sunday, August 25, 2019
Discussion of Three Wishes for Cinderella and other filmed versions Essay
Discussion of Three Wishes for Cinderella and other filmed versions - Essay Example The portrayed glass slipper has critical and intensive meaning and denotation by consideration of varying aspects. They symbolize or infer the prestige of the princess due to the large price paid to acquire one and also represent the delicateness of the prince. The prince has a physically light and elegant appearance to be able to put on the shoes fittingly without even destroying or shattering them. The final symbolism presented by the glass slipper indicates Cinderella's ability to wear it comfortably and dance with grace. This action presents a picture of mettle, as normally a glass slipper is typically uncomfortable. The Godmother features in few versions of Cinderella and thus is an uncommon character in the Cinderella narrative, as elaborated by Perrault's version of the account. With reference to other varying versions of Cinderella, possibly in other cultures, frequently the heroine acquires aid from the deceased mother or even a nanny. The fairy godmother's account is relatable to Western lifestyle as Perrault elaborates, and even the following accounts from Disney. The figure functions of the portrayed versions all present a miraculous and feel-superior fantasy that brings together the community and appeals to every generation. The film "Three Wishes for Cinderella" informs of the historic and classic Cinderella tale disregarding a hint of irony. Cinderella is played by Libuse Sanfrankova. This lady lives in a quaint village securely hidden in a wintry bush adjacent to a local castle. Her stepmother and sister, green-eyed of her beauty, happiness and good nature, try to saddle her with a life of drudgery. Their worst torture is to dispense two types of seeds on the ground for Cinderella to separate. Though it is tedious and random, the underprivileged maiden calls on affable doves to assist. The movie is typically a live action and is cool to see birds
Life wk2 Essay Example | Topics and Well Written Essays - 1250 words
Life wk2 - Essay Example If we were conducting a lifespan study through a clinic or other covered entity we should take this rule into consideration and inform the participants about their rights under the rule. According to the American Psychological Association (2002), there are also ethical considerations that must be followed. One of the first issues to be concerned with is the "do no harm" aspect of the work. Psychologists "seek to safeguard the welfare and rights" (APA, 2002, Principle A, p. 1) of their clients. The psychologist must also make sure that they are practicing within the boundaries of their competency areas (Standard 2, p. 2) and if working with participants who are of a different ethnicity or gender, they must have the proper training in these areas. Legally, they must report any information to law enforcement where they find a participant to be harmful to themselves or others. They must also make sure that they have the proper licensing and that this licensing is up to date. Researchers should also have in writing the "informed consent" form which states all of the aspects of the study including the nature of the study, that it entails naturalistic observation, that there may be some deception within it and that the information received will be recorded and shared. All participants must sign this agreement to make sure that they understand what is happening. It would be difficult to totally eliminate bias in the researcher, but I would make sure that I had training in the areas necessary to work with the participants. I would make an attempt to use gender neutral wording in the instructions and in conducting the research. I would use research methods that had been used with minorities as well as women to the best of my ability. I think that the two most important aspects of ethical considerations are to do no harm and the HIPAA information. The reason these are important is because they are stated to protect the clients.
To do no harm is the motto
Saturday, August 24, 2019
Business Planning and Development Essay Example | Topics and Well Written Essays - 1000 words
Business Planning and Development - Essay Example 106). Personal Mission Statement Going by my current attitude towards leadership, my mission is to develop the abilities and skills like patience, positivity, perseverance, communication skills and cultural literacy, which I already possess and which can further be refined and polished, that will allow me to set an example before the people and teams I lead so as to steer my business towards the acquisition of success, profitability and sustainability. I already do possess much strength that will help me emerge as an astute business leader. I have refined communication skills and an immense ability for listening to others (Glaser 2007, p. 236). I have a vision the pursuance of which I believe will lead to a viable and profitable business success (Koestenbaum 2002, p. 188). I possess a reasonable measure of cultural literacy and hence I am comfortable leading teams comprising individuals hailing from diverse backgrounds. I am affiliated to a participative or democratic style of leadership and I believe in seeking inputs from my team members regarding the incumbent business problems and challenges, before I take the final decision (Miner 2002, p. 279). In addition I believe in being a transformational leader who believes in retaining a high level of communication with varied team members, so as to keep them motivated and to achieve high levels of productivity and profitability through maintaining a high visibility and through appropriate and deft communication (Riggio, Murphy & Pirozzolo 2002). Over the next six months I intend to achieve a firm grounding in the theoretical aspects of business and I also intend to attain the salient skills that will help me emerge as a successful entrepreneur in the times to come. I believe that gaining a firm grounding in the theoretical and skill aspects of business goes a long way in assuring business and entrepreneurial success.
In the subsequent 2 to 3 years I intend to work as a management professional in some reputed and big firm. This will not only refine my business acumen and skills, but will also allow me to have firsthand experience in the actual running and management of a viable business. After that I intend to use my savings to launch a corporation of my own. I believe that financial independence is the real measure of the amount of freedom that an individual affords (Fletcher 2006). To be a success, it is important to engage in work that one loves to do. However, not all aspects of an individual's work tend to be interesting. Thereby, gaining financial independence will give me the freedom to engage in things that I do of my own volition and am not forced to do or that I must do. Over the years I intend to build a personal investment portfolio that will allow me to gain financial independence at the earliest (Kiyosaki 2009). In that context, my annual budget, once I proceed on my course to achieve financial independence, will be somewhat like this:

Expenses and Liabilities: Utilities, Mortgage, Real Property Taxes, Insurance, Maintenance    GB Pounds 14,000
Assets: Income from Business, Stocks, Bonds, Mutual Funds, Income Generating Real Estate, Notes (IOUs), Royalties from Intellectual Property    Total Annual Income GB Pounds 75,000
75000 - 14000 = 61,000 (Reinvested)

To gain financial independence I intend to configure a diversified investment portfolio rather than putting all my eggs in one basket (Kiyosaki 2009). My primary financial objective for the next decade will be to cut