An Authentication Mechanism to prevent SQL Injection Attacks

SQL Injection attacks target databases that are accessible through a web front-end, and take advantage of flaws in the input validation logic of Web components such as CGI scripts. In the last few months application-level vulnerabilities have been exploited with serious consequences: hackers have tricked e-commerce sites into shipping goods for no charge, usernames and passwords have been harvested, and confidential information such as addresses and credit-card numbers has been leaked. The reason for this is that web applications and detection systems do not know the attacks thoroughly and use limited sets of attack patterns during evaluation. SQL Injection attacks can be easily prevented by applying more secure authentication schemes in the login phase itself. To address this problem, this paper presents an authentication scheme for preventing SQL Injection attacks using the Advanced Encryption Standard (AES). Encrypted user name and password are used to improve the authentication process with minimum overhead. The server has to maintain three parameters for every user: user name, password, and the user's secret key. This paper proposes a protocol model for preventing SQL Injection attacks using AES (PSQLIAAES).
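The login-phase weakness the abstract describes, as an added example that is not from the paper: a login check that splices the user name into the SQL text breaks on a legitimate name containing an apostrophe, while a parameterized query does not. The paper's AES step is replaced here by an HMAC over the credentials keyed with the per-user secret (an assumption, used as a stand-in because the protocol details are not on this page); the user table, names and keys are constructed sample data.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: the three per-user parameters the abstract names
# (user name, password, user's secret key). Not real credentials.
USERS = [("o'brien", "correct horse", b"constructed-secret-key-1"),
         ("alice", "wonderland", b"constructed-secret-key-2")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT, key BLOB)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def login_concat(con, name, pw):
    """Vulnerable form: credentials become part of the SQL grammar."""
    sql = f"SELECT count(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchone()[0] == 1


def login_param(con, name, pw):
    """Hardened form: placeholders keep the values out of the SQL grammar."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchone()[0] == 1


def credential_token(secret, name, pw):
    """Stand-in for the paper's AES encryption (assumption): a keyed HMAC,
    hex-encoded so the token only ever contains [0-9a-f]."""
    return hmac.new(secret, f"{name}\0{pw}".encode(), hashlib.sha256).hexdigest()


def login_token(con, name, token):
    """Server side: fetch the user's key, recompute the token, compare in
    constant time. The database only ever sees bound parameters."""
    row = con.execute("SELECT pw, key FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(credential_token(row[1], name, row[0]), token)


def demo():
    con = make_db()
    r = {"param_ok": login_param(con, "o'brien", "correct horse"),
         "param_bad_pw": login_param(con, "o'brien", "wrong"),
         "concat_plain_ok": login_concat(con, "alice", "wonderland")}
    try:  # the apostrophe in o'brien terminates the string literal early
        r["concat_ok"] = login_concat(con, "o'brien", "correct horse")
    except sqlite3.OperationalError:
        r["concat_ok"] = "SQL syntax error"
    token = credential_token(USERS[0][2], "o'brien", "correct horse")
    r["token_ok"] = login_token(con, "o'brien", token)
    tampered = ("0" if token[0] != "0" else "1") + token[1:]
    r["token_tampered"] = login_token(con, "o'brien", tampered)
    return r
```

The token path works because the hex alphabet carries no SQL metacharacters, but the robust control is the bound parameter in `login_param` and `login_token`, which holds regardless of how the credential is encoded.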
