NoSQL Injection Attack Detection in Web Applications Using RESTful Service

Despite extensive research on using web services for security purposes, finding a definitive solution to NoSQL injection attacks remains a major challenge. This paper presents an independent RESTful web service, organised in a layered approach, to detect NoSQL injection attacks in web applications. The proposed method is named DNIARS. DNIARS works by comparing the patterns generated from the structure of a NoSQL statement in its static code state with those generated in its dynamic state. Accordingly, DNIARS can respond to the web application with the likelihood that a NoSQL injection attack is taking place. DNIARS was implemented in plain PHP code and can be considered an independent framework able to respond to requests in different formats, such as JSON and XML. To evaluate its performance, DNIARS was tested using the most common testing tools for RESTful web services. According to the results, DNIARS can work in real environments, with an error rate that did not exceed 1%.
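The core idea described above, a detector that derives a structural pattern from a NoSQL statement as written in application code and compares it with the pattern of the statement actually sent at runtime, is illustrated below as an added example. It is not the paper's DNIARS implementation (which is written in PHP) and makes its own assumptions: queries are MongoDB-style JSON filter documents, the static template marks user-supplied values with the placeholder `"?"`, literal values are reduced to a generic `"value"` token so that only keys, operators and nesting form the pattern, and the service entry point `handle_request` accepts a JSON body with `template` and `query` fields. The sample template and runtime documents are constructed for the example.

```python
import json
from typing import Any

# Constructed sample inputs (not from the paper): the static template as a
# developer would write it, with "?" standing for user-supplied values, and
# three runtime documents as they would reach the database driver.
STATIC_TEMPLATE = {"username": "?", "password": "?"}
RUNTIME_DOCS = {
    "benign": {"username": "alice", "password": "s3cret"},
    # user input replaced a scalar with an operator object
    "injected": {"username": "alice", "password": {"$ne": ""}},
    # user input smuggled an extra top-level operator key
    "extra_key": {"username": "alice", "password": "x", "$where": "1==1"},
}

SCALAR = "value"  # every literal collapses to this token in the pattern


def structural_pattern(node: Any) -> Any:
    """Reduce a filter document to its structure: keys, operators and
    nesting are kept, literal values are replaced by SCALAR."""
    if isinstance(node, dict):
        return {key: structural_pattern(child) for key, child in node.items()}
    if isinstance(node, list):
        return [structural_pattern(child) for child in node]
    return SCALAR


def pattern_deviations(expected: Any, actual: Any, path: str = "$") -> list:
    """Walk the static (expected) and dynamic (actual) patterns together and
    record every point where the runtime structure departs from the code."""
    deviations = []
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key in sorted(set(expected) | set(actual)):
            child_path = f"{path}.{key}"
            if key not in expected:
                deviations.append(f"unexpected key at {child_path}")
            elif key not in actual:
                deviations.append(f"missing key at {child_path}")
            else:
                deviations.extend(
                    pattern_deviations(expected[key], actual[key], child_path))
    elif isinstance(expected, list) and isinstance(actual, list):
        # Arrays may legitimately vary in length ($in lists etc.), so only
        # element shapes that never appear in the template are reported.
        allowed = {json.dumps(p, sort_keys=True) for p in expected}
        for i, item in enumerate(actual):
            if json.dumps(item, sort_keys=True) not in allowed:
                deviations.append(f"unexpected element shape at {path}[{i}]")
    elif expected != actual:
        deviations.append(
            f"shape differs at {path}: expected {expected!r}, got {actual!r}")
    return deviations


def analyse(template: Any, runtime_doc: Any) -> dict:
    """Compare static and dynamic patterns; any deviation is reported as a
    suspected injection together with the paths that differ."""
    deviations = pattern_deviations(structural_pattern(template),
                                    structural_pattern(runtime_doc))
    return {"injection_suspected": bool(deviations), "deviations": deviations}


def handle_request(body: str) -> str:
    """Hypothetical RESTful entry point: JSON request carrying the static
    'template' and the runtime 'query', JSON response with the verdict."""
    try:
        request = json.loads(body)
        result = analyse(request["template"], request["query"])
    except (ValueError, KeyError, TypeError) as exc:
        result = {"error": f"malformed request: {type(exc).__name__}"}
    return json.dumps(result)


if __name__ == "__main__":
    for name, doc in RUNTIME_DOCS.items():
        body = json.dumps({"template": STATIC_TEMPLATE, "query": doc})
        print(f"{name:10s} -> {handle_request(body)}")
```

Collapsing literals to a single token is what keeps the comparison independent of the actual user input: a benign login and a malicious one differ only in their values until the input changes the document's shape, which is exactly the point at which the pattern diverges from the code the developer wrote. Operators that the template itself contains (for example a `$gt` in an age range filter) are part of the static pattern and therefore never flagged.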
