Integrated approach to prevent SQL injection attack and reflected cross site scripting attack

The Internet and web applications play a very important role in modern daily life. Many everyday activities, such as browsing, online shopping and booking travel tickets, are made easier by web applications. As the number of web applications increases, their security becomes a major concern. Most web applications use a database as a back end to store critical information such as user credentials, financial and payment information, and company statistics. These websites are continuously targeted by highly motivated malicious users seeking monetary gain. Multiple client-side and server-side vulnerabilities, such as SQL injection and cross-site scripting, are discovered and exploited by malicious users. SQL injection and cross-site scripting vulnerabilities are top ranked in the Open Web Application Security Project (OWASP) Top Ten vulnerabilities list. A number of security approaches, such as secure coding practices, encryption, and static and dynamic code analysis, have been proposed and used to secure web applications, but statistics show that these vulnerabilities still remain at the top. In this paper, we present an integrated model to prevent SQL injection attacks and reflected cross-site scripting attacks in PHP-based implementations. This model is effective at preventing SQL injection and reflected cross-site scripting attacks in a production web environment. Our mechanism is divided into two modes: a safe mode and a production mode. In safe mode, we construct a security query model for each identified SQL query (for SQL injection attacks) and a sanitizer model for each input entry point (for reflected cross-site scripting attacks). In production mode, input entries that create dynamic SQL queries are validated against the security query model generated in safe mode, and normal input text entered by the user is validated by the sanitizer model instrumented into the code in safe mode. The results and analysis show that the proposed approach is simple and effective at preventing common SQL injection and reflected cross-site scripting vulnerabilities.
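As an added illustration (not the paper's PHP implementation), the following Python sketch shows the two-mode idea: in safe mode, a query site's structural skeleton is recorded from a benign run; in production, a dynamically built query is allowed only if its skeleton matches, and echoed input is passed through an HTML-escaping sanitizer. The query site name "login", the `build_query` string concatenation and the sample inputs are constructed assumptions for the demonstration.

```python
import html
import re

# Tokenizer: quoted string literals (with '' escapes), words/numbers, multi-char
# and single-char operators. Literal values are abstracted away, keywords and
# operators are kept, so the result captures the query's *structure* only.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\w+|<>|<=|>=|[^\s\w]")


def structure(sql):
    """Return the structural skeleton of a SQL string as a tuple of tokens."""
    skeleton = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'") or tok.isdigit():
            skeleton.append("?")          # literal value: shape only, not content
        else:
            skeleton.append(tok.upper())  # keyword, identifier or operator
    return tuple(skeleton)


def build_query(username, password):
    # Constructed example of a dynamically built query at the "login" site.
    return f"SELECT * FROM users WHERE name='{username}' AND pass='{password}'"


# Safe mode: record the security query model for each query site from a
# known-benign execution (constructed inputs).
SECURITY_QUERY_MODEL = {"login": structure(build_query("alice", "s3cret"))}


def production_check(site, sql):
    """Production mode: allow a query only if its skeleton matches the model."""
    return structure(sql) == SECURITY_QUERY_MODEL[site]


def login_query_allowed(username, password):
    """Build the login query from raw input and validate it against the model."""
    return production_check("login", build_query(username, password))


# Sanitizer model for reflected XSS: escape user text before it is echoed into
# an HTML body or attribute context.
def sanitize_for_html(text):
    return html.escape(text, quote=True)
```

Input that changes the query's shape (extra `OR`, comment markers, stray quotes) fails the model check, while a value that only changes literal content passes.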