SQL Injection Prevention System

2016 International Conference "Radio Electronics & InfoCommunications" (UkrMiCo) September 11-16, 2016, Kiev, Ukraine

Voitovych O.P., Yuvkovetskyi O.S.
Information Security Department, Vinnytsia National Technical University, Vinnytsia, Ukraine

Kupershtein L.M.
Information Security Department, Vinnytsia National Technical University, Vinnytsia, Ukraine

Abstract—Existing vulnerabilities of Web systems threaten the regular operation of information systems. The most common Web system vulnerability is SQL injection. The article reviews the known approaches to protecting Web applications against SQL injection attacks. To improve Web software security, a defense mechanism is developed that protects Web resources from the execution of SQL injection. The software is implemented with PHP, JavaScript and regular expressions (a formalism from formal language theory). The result is a software tool that protects Web software from the SQL injection vulnerability and allows a user to protect his own Web application against attacks that use SQL.

Fig. 1. SQL injection scheme

Keywords—Web resources vulnerabilities; Web applications; SQL injection; prevention system.

I. INTRODUCTION

It is known that many Web resources do not satisfy modern security requirements. Web vulnerabilities can jeopardize the image, finances, assets, personal data and other valuable resources of an organization, up to the bankruptcy or complete liquidation of the company. Today there are many classifications [1] of vulnerability and attack types based on various parameters. We consider the OWASP classification [2], the Markov taxonomy [3], the WASC threat classification [4], the Microsoft STRIDE threat model and the Kaspersky Lab classification [5]. These and other sources have studied the main Web resource vulnerabilities and attacks [6]. The most common threat to Web resources in each classification is injection, mostly SQL injection. SQL injection is a vulnerability that occurs when someone gains access to the database of a Web-based application and performs actions that the developer did not intend [7]. It is one of the most common ways to compromise websites and applications that work with databases. A user sends requests to the Web server through HTML forms, the URL or other fields where data can be entered. Forms without filtering allow a user to exploit the SQL injection vulnerability, because the data from the form is sent to the database and executed as is, without checking. For example (Fig. 1), for authentication a user typically enters a username and password into text boxes on a Web form.

Those values are used to build an SQL query (e.g. a SELECT query) that is sent to the database. If the entered values are found as expected, the user is granted access; otherwise access is denied [8-10]. But a user can enter data containing special characters that change the logic of the query or even the structure of the database. Whether SQL injection is possible, and how dangerous it is, depends on the type and configuration of the database. Typically it allows the attacker to execute arbitrary database queries (e.g. read the contents of any table, remove, change or add data), and it may give the opportunity to read and/or write local files and to execute arbitrary commands on the server side, from which the attacker can escalate to more damaging attacks inside the network or DMZ. The attack becomes possible because input used in SQL queries is handled without checking and/or filtering.

II. SQL INJECTION ATTACK TYPES

Statistics show more than 40,000 attacks per day in the real world, so this is a huge problem that needs a solution for a variety of Web systems. The monthly fluctuation of SQL injection attacks is shown in Fig. 2 [11]. Today many Web systems use databases to store the data needed for the operation of the Website, as well as user preferences, personal data, sensitive financial information etc., in fields from finance and e-government to social networks. Using a variety of technologies allows developers to make Web products interesting and useful for clients (e.g. e-shops, Internet banking) [12-15].


Fig. 2. The attack fluctuation for SQL injections

SQL injections can be classified into five major categories: Union-based, Error-based, Boolean-based, Time-based and Out-of-band SQL injections [16, 17].

Union-based SQL injection allows the attacker to retrieve from the database all the information he needs by using the standard UNION operator. For example:

http://www.site.com/article?id=-1 union all select one,two,version(),four--

Error-based SQL injection relies on the error messages returned by the database server, which contain information about the structure of the database. For example:

' AND (1) = UPPER(XMLType(' '))

Two types of blind SQL injection are known: Boolean-based blind SQLi and time-based blind SQLi. The first makes decisions according to the database's answers to yes/no questions. The second uses a time delay that differs between database responses. Examples (Oracle syntax):

Delay (heavy query): SELECT count(*) FROM all_objects

HTTP request from inside the query: ' AND 1 = (SELECT SUM(LENGTH(utl_http.request('http://site.com/'||username||"??"||password))) FROM ba.users)

Out-of-band SQL injection is caused by the ability of the database server to use a different channel for delivering data (e.g. email, HTTP or other transport), which allows the attacker to receive the result of the injection from the database, e.g. in the case of blind SQL injection. The utl_http.request example above is of this kind: every username and password from ba.users is carried out of the database in the URL of an HTTP request.

III. PREVENTION SYSTEM

To protect a system against SQL injection attacks we have offered a protection scheme (Fig. 3) that performs three functions. When a hacker tries to use SQL injection on the vulnerable webpage (1), he forms a special request to the server (2). It is necessary to check the information that comes from users, because input data can be dangerous. That is why the prevention system has a Validation checker, a set of methods that filters all input data from users (3) and generates a request signature. After that the injection cannot be used, because the component called Secure Shell (a module of this scheme, not the SSH protocol) filters the output information (4) and blocks the injection to the Database (5). The prevention system also has its own error handler.

Fig. 3. Prevention system scheme
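Before the three methods are described, the attacks they have to stop, as an added worked example that is not part of the paper: the attack classes of Section II run against a login query built the way Fig. 1 describes and against a numeric article?id= parameter, then against the same two queries with bound parameters. It is written in Python with sqlite3 so that it runs offline without a PHP/MySQL stack; the tables, rows, field names and payloads are constructed for the demo and are assumptions, not the paper's.

```python
# Added example (not from the paper): the attack classes of Section II run
# against a query built the way Fig. 1 describes, then against the same query
# in parameterized form. Python's sqlite3 is used so the demo runs offline
# without a PHP/MySQL stack; the tables, rows, field names and payloads below
# are constructed for this demo and are assumptions, not the paper's.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!'), (2, 'bob', 'hunter2');
        CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'Hello', 'first post');
        """
    )
    return con


# --- vulnerable: form values are pasted into the SQL text (Fig. 1) ----------

def login_vulnerable(con, username: str, password: str) -> list:
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return sorted(r[0] for r in con.execute(sql))


def article_vulnerable(con, article_id: str) -> list:
    # Numeric context: there are no quotes to escape, so quote-escaping
    # functions (htmlspecialchars, addslashes) offer nothing here.
    sql = f"SELECT id, title, body FROM articles WHERE id = {article_id}"
    return con.execute(sql).fetchall()


# --- parameterized: SQL text is fixed, values travel as bound parameters ----

def login_safe(con, username: str, password: str) -> list:
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(r[0] for r in con.execute(sql, (username, password)))


def article_safe(con, article_id: str) -> list:
    # int() is an allow-list check on top of binding: anything that is not an
    # integer raises ValueError before any SQL is sent.
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return con.execute(sql, (int(article_id),)).fetchall()


def demo() -> dict:
    """Run each attack class against both versions and collect the outcomes."""
    con = make_db()
    out = {}

    # Boolean-based: the tautology makes WHERE true for every row and the
    # comment marker discards the password check.
    payload = "' OR 1=1 --"
    out["boolean_vuln"] = login_vulnerable(con, payload, "x")   # every user
    out["boolean_safe"] = login_safe(con, payload, "x")         # no user

    # Union-based (cf. id=-1 union all select ... in Section II): a
    # non-existent id plus UNION appends rows from another table.
    payload = "-1 UNION ALL SELECT id, username, password FROM users"
    out["union_vuln"] = article_vulnerable(con, payload)
    try:
        article_safe(con, payload)
        out["union_safe"] = "executed"
    except ValueError:
        out["union_safe"] = "rejected"

    # Error-based: a payload that breaks the query makes the engine describe
    # its own schema in the error text that a careless handler would display.
    try:
        article_vulnerable(con, "1 AND (SELECT no_such_column FROM users)")
        out["error_vuln"] = ""
    except sqlite3.OperationalError as e:
        out["error_vuln"] = str(e)

    # Time-based needs a sleep or heavy-query primitive (the paper's Oracle
    # all_objects example); SQLite has none, so it is not exercised here.
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

Run with python3: the string-built login returns every user for the tautology payload, the numeric id dumps the users table through UNION, and the error text names the missing column. The parameterized versions return no rows or refuse the input before any SQL is sent, which is the property the escaping functions of the next section do not give on their own.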

The first method converts special characters to HTML entities. The other two methods use regular expressions and exceptions.

1. Output escaping. Because the server side of a Web application constantly interacts with webpages, URLs and databases, there are many functions for handling this data. Most of the information is handled as strings, but different destinations (a webpage, a URL or the database) require different encodings and checks. For instance, a space in a web address is written as %20, while a single quote (') in HTML is written as the entity &#039;. PHP has a number of built-in conversion functions, which is why it is often used for output escaping. There are PHP functions for converting the special characters of a string into their entities, for removing HTML tags and for extracting meta tags. The PHP htmlspecialchars() function converts the predefined characters into those entities (omitting the space character); it converts the minimum number of characters needed to generate valid HTML. For example:

$string = htmlspecialchars("It is known that 30 > 10, but < 50");
echo $string; // prints: It is known that 30 &gt; 10, but &lt; 50

So, for protection against simple SQL injection that uses single or double quote characters, the server side could apply a filter involving htmlspecialchars(). Two caveats apply: before PHP 8.1 htmlspecialchars() leaves the single quote untouched unless the ENT_QUOTES flag is passed, and it does nothing against injection into a numeric context such as the id=-1 union example in Section II, where no quote is needed. Escaping for HTML output is therefore a complement to, not a replacement for, parameterized queries. Another security option for HTML forms is the strip_tags() function, which removes all HTML tags from the input data. For example:


$input = '<b>"Hello"</b>'; // the <b> tag is assumed; the tag of the original example was lost in extraction
$out = strip_tags($input); // $out is '"Hello"'

It is also necessary to make sure that the data which will be sent to the database is clean. There are various methods to filter data; one of them is escaping with slashes. For example, the addslashes() function adds these slashes and the stripslashes() function removes them:

$string =
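As an added example that is not the paper's code, the escaping functions discussed in this section (htmlspecialchars(), addslashes()) re-implemented in Python so that their effect on real payloads can be checked offline, beside an allow-list Validation checker of the kind Section III describes, built from regular expressions and exceptions. The field names, patterns and sample requests are assumptions made for the demo.

```python
# Added example (not the paper's code): the escaping functions of this
# section (htmlspecialchars, addslashes) re-implemented in Python so their
# effect on real payloads can be seen offline, next to a Validation checker of
# the kind Section III describes, built from allow-list regular expressions
# and exceptions. Field names, patterns and the sample requests are
# constructed for this demo and are assumptions, not the paper's.
import re


class ValidationError(ValueError):
    """Raised by validate() for the first field that fails its allow-list."""


# Allow-list per form field (assumed rules for the demo): describe what valid
# input looks like instead of hunting for "bad" characters.
FIELD_RULES = {
    "id": re.compile(r"[0-9]{1,9}"),                # article?id= is a small positive integer
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "password": re.compile(r"[\x20-\x7e]{8,128}"),  # printable ASCII, quotes included
}


def php_addslashes(s: str) -> str:
    """Python equivalent of PHP addslashes(): backslash before ' " \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def php_htmlspecialchars(s: str, ent_quotes: bool = False) -> str:
    """Python equivalent of PHP htmlspecialchars(). Before PHP 8.1 the default
    flags did not include ENT_QUOTES, so the single quote passed through."""
    s = (s.replace("&", "&amp;").replace("<", "&lt;")
          .replace(">", "&gt;").replace('"', "&quot;"))
    return s.replace("'", "&#039;") if ent_quotes else s


def validate(request: dict) -> dict:
    """Return the request if every field matches its rule, otherwise raise
    ValidationError naming the offending field. The caller's error handler
    decides what the user sees; no SQL is built from a rejected request."""
    for name, value in request.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            raise ValidationError(f"unexpected field {name!r}")
        if not rule.fullmatch(value):
            raise ValidationError(f"field {name!r} rejected: {value!r}")
    return request


def check(request: dict) -> str:
    """Outcome string for one request, for the demo and the tests."""
    try:
        validate(request)
        return "accepted"
    except ValidationError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    union_payload = "-1 UNION ALL SELECT id, username, password FROM users"
    quote_payload = "' OR 1=1 --"
    # Escaping changes nothing in the numeric payload: there is no quote.
    print(php_addslashes(union_payload))
    print(php_htmlspecialchars(quote_payload))              # quote untouched
    print(php_htmlspecialchars(quote_payload, ent_quotes=True))
    # The allow-list rejects both payloads and a field the form never had.
    print(check({"id": "42", "username": "alice"}))
    print(check({"id": union_payload}))
    print(check({"username": quote_payload}))
    print(check({"role": "admin"}))
```

The password rule has to admit quotes, so a regular expression cannot make a free-text field "safe"; the allow-list narrows structured fields (ids, usernames, the set of field names itself) and raises an exception for everything else, while free-text values still have to reach the database as bound parameters. addslashes() is also not aware of the connection character set, which is why the PHP manual points to the DBMS-specific escaping function or prepared statements for database input.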