Abstract
The Internet and web applications play a very important role in modern life. Many daily activities, such as browsing, online shopping and booking travel tickets, have become easier through web applications. As the number of web applications grows, their security becomes a major concern. Most web applications use a database as a back end to store critical information such as user credentials, financial and payment information and company statistics. These websites are continuously targeted by highly motivated malicious users seeking monetary gain. Multiple client-side and server-side vulnerabilities, such as SQL injection and cross site scripting, are discovered and exploited by malicious users. SQL injection attacks and cross site scripting vulnerabilities are top ranked in the Open Web Application Security Project (OWASP) top ten vulnerabilities list. A number of security approaches have been proposed and used to secure web applications, such as secure coding practices, encryption, and static and dynamic analysis of code, but statistics show that these vulnerabilities still appear at the top. In this paper, we present an integrated model to prevent SQL injection attacks and reflected cross site scripting attacks in PHP-based implementations. This model is more effective at preventing SQL injection attacks and reflected cross site scripting attacks in a production web environment. Our mechanism is divided into two modes: a safe mode and a production mode. In the safe mode we construct a security query model for each identified SQL query, to address SQL injection attacks, and a sanitizer model for each input entry point, to address reflected cross site scripting attacks.
In the production environment, input entries that create dynamic SQL queries are validated against the security query model generated in safe mode, and normal input text entered by the user is validated by the sanitizer model instrumented into the code in safe mode. The results and analysis show that the proposed approach is simple and effective at preventing common SQL injection vulnerabilities and reflected cross site scripting vulnerabilities.
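As an added illustration of the two-mode scheme outlined above (written here in Python rather than taken from the paper's PHP implementation; the tokenizer, the login query template and the input values are constructed assumptions): safe mode records each query's structure with literals replaced by placeholders, production mode accepts a dynamically built query only if its structure matches that model, and the sanitizer model escapes input that is echoed back into HTML.

```python
import html
import re

# Tokenizer for the SQL subset this example needs (assumption: ANSI-style
# single-quoted string literals with '' as the escape, and -- line comments).
_TOKEN = re.compile(r"""
      '(?:[^']|'')*'             # string literal
    | \d+(?:\.\d+)?              # numeric literal
    | [A-Za-z_][A-Za-z0-9_]*     # keyword or identifier
    | --[^\n]*                   # line comment
    | <>|<=|>=|!=|[=<>(),;*.]    # operators and punctuation
    | \S                         # anything else, e.g. a stray quote
""", re.VERBOSE)


def query_model(sql: str) -> tuple:
    """Safe mode: reduce a query to its structure. Literals become placeholders,
    so only the shape of the statement is kept, never the values."""
    model = []
    for tok in _TOKEN.findall(sql):
        if len(tok) >= 2 and tok.startswith("'") and tok.endswith("'"):
            model.append("STR")
        elif tok[0].isdigit():
            model.append("NUM")
        else:
            model.append(tok.upper())  # keywords are case-insensitive
    return tuple(model)


def conforms(sql: str, model: tuple) -> bool:
    """Production mode: the dynamically built query may run only if its
    structure equals the model recorded in safe mode."""
    return query_model(sql) == model


def sanitize_for_html(text: str) -> str:
    """Sanitizer for an input entry point that is reflected into HTML: escapes
    the characters that could open or close tags and attributes."""
    return html.escape(text, quote=True)


# Constructed example: a login query built by string formatting, as legacy
# code does, and the model recorded for it in safe mode with benign input.
LOGIN_TEMPLATE = "SELECT id FROM users WHERE name = '{}' AND pass = '{}'"
LOGIN_MODEL = query_model(LOGIN_TEMPLATE.format("alice", "benign"))


def login_query_allowed(user: str, password: str) -> bool:
    """Production-mode check for the login query built from two input entries."""
    return conforms(LOGIN_TEMPLATE.format(user, password), LOGIN_MODEL)
```

A quote-closing or comment-introducing value changes the token structure and is rejected, but so does a legitimate apostrophe in a name, since it also breaks the query's shape; the structural check therefore guards the legacy query, it does not replace parameterised queries.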
Abbreviations
- XSS: Cross site scripting
- SQL: Structured query language
- SQLIA: SQL injection attacks
- OWASP: Open Web Application Security Project
- MHAPSIA: Model based hybrid approach to prevent SQL injection attacks
- DFA: Deterministic finite automata
- NFA: Nondeterministic finite automata
- AMNESIA: Analysis and monitoring for neutralizing SQL injection attacks
- JDBC: Java database connectivity
- HTML: Hypertext markup language
Acknowledgments
The authors wish to express their sincere gratitude to the administration of the Department of Electronics & Information Technology, Government of India, and GGSIP University for providing the academic environment to pursue research activities. In particular, we would like to thank Dr. Gulshan Rai, DG, CERT-In, Mr. B.J. Srinath, Scientist 'G', and Mr. A. S. Chawla, Scientist 'F', CERT-In, for guidance and inputs.
Cite this article
Sharma, P., Johari, R. & Sarma, S.S. Integrated approach to prevent SQL injection attack and reflected cross site scripting attack. Int J Syst Assur Eng Manag 3, 343–351 (2012). https://doi.org/10.1007/s13198-012-0125-6