A Framework for Detecting Infractions in Multi-tier Web Applications

Narender Armulla (1), K. Durga Prasad (2), Betam Suresh (3)

(1) Pursuing M.Tech (CSE), Vikas Group of Institutions (formerly known as Mother Theresa Educational Society Group of Institutions), Nunna, Vijayawada, affiliated to JNTU Kakinada, A.P., India
(2) Assistant Professor, Department of CSE, Vikas College of Engineering and Technology, Nunna, Vijayawada, India
(3) HOD, Vikas Group of Institutions (formerly known as Mother Theresa Educational Society Group of Institutions), Nunna, Vijayawada, affiliated to JNTU Kakinada, A.P., India
Abstract

Nowadays internet applications have attracted a lot of attention and every business is going online. The risk in online business is whether a transaction done online is safe, since there is a chance of data being stolen by intruders. There could be a phishing attack, in which a user cannot tell whether the website where the details are being entered is the correct one. Another possible type of attack is an injection attack, where an intruder can access the details even without proper authentication. In this paper we design DoubleGuard, an intrusion detection system that models the network behaviour of user sessions across both the front-end web server and the back-end web database. The system monitors all requests coming in from users and blocks injection attacks coming from intruders. Intrusion is the term that covers both attacker and hacker in the network security domain. A hacker is a person who tries to solve the problem with the single request sent, whereas an attacker is a user who just sends requests and never waits long for the response. This paper considers the hacker and blocks intrusion attacks that try to destroy the system.
Keywords: Phishing attacks, Double Guard, Intruder Detection System, SQL Injection, Attacker, Hacker.

I. INTRODUCTION

Double Guard, as the term says, means providing security in two ways. As already said, the current market is entirely online, so it becomes very important for a developer to build an application with complete security to avoid attacks by intruders. Any web application involves two parts, i.e. a static part and a dynamic part. An intrusion detection system is a device or software that monitors network or system activities for malicious activity and produces reports for the manager. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment, or changing the content.

Fig 1: Intrusion Detection System

International Journal of Computer Trends and Technology (IJCTT), volume 4, issue 8, August 2013, ISSN: 2231-2803, http://www.ijcttjournal.org, page 2817
The intruder's main aim is to use the data without permission or to make the content unavailable to the end user. Intruders may be attackers or hackers: an attacker is a user who tries to disrupt the file with a large number of requests, whereas a hacker is a user who tries to defeat the barrier placed in front of the file access with the single request that is sent. An attacker may hijack the application using SQL injection queries, so it is very important to take care of the code written to access the content from the database. SQL injection is a code injection technique: when a user enters some values through the form, they are modified by the intruder and the statement is changed as the attacker wishes, i.e. an unauthorized login is made by the attacker.

Fig 2: Sample login form

In the above sample login form, when the user fills in the correct details and posts the form, the application connects to the database and executes this query:

Query: "select * from register where name='" + name + "' and password='" + password + "'"

With the above query the genuine user is authenticated and navigates to the user home page. If instead the attacker wants to hijack the application and its database, the query is modified as:

Query 1: "select * from register where name='" + name + "' or 1=1"

In the above query we can see that the attacker has modified the query: a further condition has been added with the OR operator. With this query, if even one of the conditions is satisfied the user can navigate to the home page. The process explained above is SQL injection, and we need to design an application that protects against injection attacks and also takes care of the web database at the back end, which in general could be MySQL or Oracle.

II. BACKGROUND

In this paper we are going to show how security is provided to the application in both ways, i.e. for the static part and also for the dynamic web database, against intruders and SQL injections.
To give more clarity to this work, consider an application that simulates a bank application. First of all we show how to protect the application from SQL injection, because it is the most critical part of any application: once a hacker has gained access to a user's account in the application, it becomes very difficult for the bank authorities to stop the transactions being done by that user. The question that arises here is how a user can perform database transactions without being a genuine user; it is because the user is a hacker who has already gained access to the application through SQL injection.
As already said above in this paper, SQL injection is a code injection technique in which the values actually posted get modified and the hacker gains access to the application. Normally, when a registered user logs in to the application the query is given as follows.
First of all the values, i.e. name and password, are retrieved; these values are compared with the actual values of the user, given at the time of registration, in this manner:
Step 1: Statement st = con.createStatement();
Step 2: ResultSet rs = st.executeQuery("select * from register where name='" + user + "' and password='" + secure + "'");
In the query written above, name and password are the column names in the register table, while user and secure are the values the user entered in the login form. This query is executed by the JDBC Statement.
Statement is the interface that lets the program perform a task against the database and then proceed further. Using Statement, there is a chance that the process gets corrupted and data gets hacked. To overcome this problem we use PreparedStatement, which is the correct solution for SQL injection.
If the above two steps are rewritten using PreparedStatement, the queries change as follows:
Step 1: PreparedStatement pst = con.prepareStatement("select * from register where name=? and password=?");
In the above process we have used the PreparedStatement interface, which takes ?, called a placeholder. Whenever we use PreparedStatement, placeholders come into the picture, and the values to be substituted are supplied in the later step, i.e. in step 2 the values are substituted using the setXXX() methods. Step 3 remains the same as with Statement: the query is executed.
By using PreparedStatement for the static user check, the possibility of a hacker coming into the picture is very rare, i.e. the values have to be substituted into the placeholders, and the query is a precompiled query, meaning it does not change even if the user input changes. The PreparedStatement is executed only once and, depending on the user, the placeholder values are substituted for the validation check.
The way SQL injection can happen in any application is by modifying the query that is actually written in the application. The query is modified like this:
Step 1: ResultSet rs = st.executeQuery("select * from register where name='" + user + "' or 1=1");
Step 2: if (rs.next()) { /* move to home page */ }
In the query written above we can see that there is a condition asking whether 1 is equal to 1. Two conditions are being checked: the first checks the username and the second asks whether 1 is equal to 1. Now, even if the username is wrong, the second condition is always true, because of which unauthorized users can access the database and hack the application for illegal transactions.
There are many attack scenarios, such as:
1. Privilege Escalation Attack
2. Hijack Future Session Attack
3. Injection Attack
4. Direct DB Attack
Privilege Escalation Attack: the user may try to change identity and log in as the admin to access the admin's data from the application; this type of unauthenticated action may be checked by the DB, the application or the web server.
Hijack Future Session Attack: here the hacker may try to access the details of the last user logged in to the application, as their session details are available on the server side. This could lead to a problem, so it should be taken care of; the way to prevent it is to design the application properly so that after logout all session data is deleted, meaning it is no longer available on the server side.
Injection Attack: in this type of attack the attacker modifies the structure of the input being fed to the application and can thus access the application without genuine authentication. So it is very important for the programmer to write the code using the correct methods to avoid this kind of injection in applications.
Fig 3: Privilege Escalation Attack
Fig 4: Hijack Future Session Attack
Fig 5: Injection Attack
Fig 6: Direct DB Attack
Direct DB Attack: here it is possible for an attacker to bypass the web server or firewalls, connect directly to the database and hijack its content. An attacker could also have taken over the web server and then send queries without sending web requests at all. However, this type of attack is not considered in our paper, because we provide an authentication check for the server login and also for the application login. As this security check is done, there is no chance that a user can hijack the database.
Fig 7: Analysis on different attacks

Our work was conducted on the bank application. To show that the dynamic web database is also secured, we consider four different tasks of the banking sector, of which two are functionalities linked with the DB; to perform any further action on these functionalities the user has to undergo a verification process, so as to avoid data corruption. The features added in the application are mini statement, funds transfer, online offers and online shopping. Of these options, we provide a security check for funds transfer and online shopping, where the action being done makes changes in the database. So even if a hacker tries to hijack the application through injection techniques, the second check stops the user from proceeding further unless it is the genuine user. Thereby the work shows security for the static web page, i.e. login authentication, and also for the web server database.
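Added example (not the paper's own implementation, whose model it does not spell out): a simplified session-level check in the spirit of DoubleGuard that pairs each front-end request with the back-end query it produced and flags any query whose shape is not in the mapping learned for that request. The request-to-query mapping, the literal-normalisation rule and the sample traffic are constructed assumptions.

```python
"""Correlate web-tier requests with database-tier queries per session and
flag queries whose shape does not match the model for that request."""
import re

# Quoted string literals ('it''s' style escapes included) and bare numbers.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def query_shape(sql):
    """Replace data literals with ? and normalise spacing and case so that
    queries differing only in bound values map to a single shape."""
    shape = _LITERAL.sub("?", sql)
    return " ".join(shape.split()).rstrip(";").lower()


# Constructed model learned in a clean training phase: request -> allowed shapes.
ALLOWED = {
    ("POST", "/login"): {
        query_shape("select * from register where name='a' and password='b'")},
    ("POST", "/transfer"): {
        query_shape("select balance from account where acct_no=1"),
        query_shape("update account set balance=1 where acct_no=2")},
}


def check_session(events):
    """events: (session_id, method, path, sql) tuples captured at the web
    tier and the database tier. Returns a list of (session_id, reason)."""
    alerts = []
    for sid, method, path, sql in events:
        shape = query_shape(sql)
        allowed = ALLOWED.get((method, path))
        if allowed is None:
            alerts.append((sid, f"no model for {method} {path}"))
        elif shape not in allowed:
            alerts.append((sid, f"unexpected query shape for {method} {path}: {shape}"))
    return alerts


# Constructed traffic: one genuine session, then two sessions that deviate.
SAMPLE_EVENTS = [
    ("s1", "POST", "/login", "select * from register where name='alice' and password='s3cret'"),
    ("s1", "POST", "/transfer", "select balance from account where acct_no=1001"),
    ("s1", "POST", "/transfer", "update account set balance=450 where acct_no=1001"),
    # tautology injected through the login form: shape no longer matches the model
    ("s2", "POST", "/login", "select * from register where name='x' or 1=1"),
    # a query hitting the database for a request the model has never seen
    ("s3", "GET", "/offers", "select * from register"),
]

if __name__ == "__main__":
    for sid, reason in check_session(SAMPLE_EVENTS):
        print(sid, reason)
```

The genuine session s1 produces no alert because its queries differ from the trained shapes only in the bound literals; the injected login in s2 changes the query structure itself and is flagged even though the literal values look ordinary.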
Narender Armulla is pursuing M.Tech (CSE) at Vikas Group of Institutions (formerly known as Mother Theresa Educational Society Group of Institutions), Nunna, Vijayawada, affiliated to JNTU Kakinada, A.P., India.
K. Durga Prasad is working as an Assistant Professor in the CSE department at Vikas College of Engineering and Technology, Nunna, Vijayawada, affiliated to JNTU Kakinada, A.P., India.
Betam Suresh is working as HOD, Department of Computer Science Engineering, at Vikas Group of Institutions (formerly Mother Teresa Educational Society Group of Institutions), Nunna, Vijayawada, affiliated to JNTU Kakinada, A.P., India.