
International Journal of Computer Trends and Technology (IJCTT), Volume 4, Issue 8, August 2013
ISSN: 2231-2803, http://www.ijcttjournal.org, Page 2816



A Framework for Detecting Infractions in Multi-tier Web Applications

Narender Armulla (1), K. Durga Prasad (2), Betam Suresh (3)

(1) Pursuing M.Tech (CSE), Vikas Group of Institutions (formerly Mother Theresa Educational Society Group of Institutions), Nunna, Vijayawada, affiliated to JNTU Kakinada, A.P., India
(2) Assistant Professor, Department of CSE, Vikas College of Engineering and Technology, Nunna, Vijayawada, India
(3) HOD, Vikas Group of Institutions (formerly Mother Theresa Educational Society Group of Institutions), Nunna, Vijayawada, affiliated to JNTU Kakinada, A.P., India

Abstract: Internet applications now carry almost every kind of business, and the risk of doing business online is that a transaction may be observed or altered by an intruder. One threat is phishing, where the user cannot tell whether the site into which details are being entered is the genuine one. Another is injection, where an intruder reaches the data without passing authentication.

In this paper we design DoubleGuard, an intrusion detection system that models the behaviour of user sessions across both the front-end web server and the back-end database. The system monitors every request coming in from users and blocks the injection attacks sent by intruders. In network security, intrusion is associated with both the attacker and the hacker. In the terminology used here, a hacker tries to defeat the access check with a single crafted request, whereas an attacker only sends requests and never waits long for the responses. This paper considers the hacker and blocks intrusion attempts aimed at the system.

Keywords: Phishing attacks, DoubleGuard, Intrusion Detection System, SQL Injection, Attacker, Hacker.
I. INTRODUCTION
DoubleGuard, as the name suggests, means providing security in two ways. Since the current market is almost entirely online, it is important for a developer to build an application secure enough to withstand intruders. Any web application has both a static part and a dynamic part.
An intrusion detection system is a device or software that monitors network or system activity for malicious activity and reports to the administrator. Some systems may attempt to stop an intrusion, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts. Organizations also use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.
IDPSes typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment or changing the attack's content.
Fig 1: Intrusion Detection System


An intruder's aim is to use data without permission or to make content unavailable to the end user. An intruder may be an attacker or a hacker: an attacker tries to bring down the resource with a large number of requests, whereas a hacker tries to defeat the barrier placed in front of the resource with a single crafted request. A hacker may hijack the application with SQL injection, so the code that reads content from the database must be written with care. SQL injection is a code injection technique: the values a user enters through a form are altered by the intruder so that the SQL statement the application builds from them changes to suit the attacker's purpose, for example to log in without valid credentials.
Fig 2: sample login form
In the above sample login form, when a user fills in correct details and submits the form, the application connects to the database and executes this query:
Query: select * from register where name='<name>' and password='<password>';
With this query a genuine user is authenticated and taken to the user home page. If an attacker wants to hijack the application and its database, the attacker enters a name value such as ' or 1=1 -- (the trailing comment marker discards the rest of the statement), so that the executed query becomes:
Query 1: select * from register where name='' or 1=1;
Here the attacker has changed the structure of the query by adding an OR operator. Since 1=1 is always true, the WHERE clause is satisfied for every row even though the name is wrong, and the attacker is taken to a home page. Note that AND binds more tightly than OR: name='' or 1=1 and password='x' only bypasses the check if the password clause is also satisfied or removed, which is why the injected value above comments the rest of the statement out. This process is SQL injection. We need to design an application that protects against injection attacks and also protects the web database at the back end, which is generally MySQL or Oracle.
II. BACKGROUND
In this paper we show how security is provided to the application in both ways, i.e. to the static part and to the dynamic web database, against intruders and SQL injection. To make the work concrete, consider an application that simulates a bank. First we show how to protect the application from SQL injection, because it is the most critical part of any application: once a hacker has gained access to a user's account, it becomes very difficult for the bank to stop the transactions done by that user. The question that arises is how a user can perform database transactions without being the genuine user; the answer is that the user is a hacker who already has access to the application through SQL injection.

As stated above, SQL injection is a code injection technique in which the values actually posted are modified so that the hacker gains access to the application. Normally, when a registered user logs in, the values entered, i.e. name and password, are retrieved and compared with the values the user gave at registration time, in this manner:

Step 1: Statement st = con.createStatement();
Step 2: ResultSet rs = st.executeQuery("select * from register where name='" + user + "' and password='" + secure + "'");

In the query above, name and password are the column names in the register table, while user and secure hold the values the user entered in the login form. This query is executed through the JDBC Statement interface.

Statement is the interface that lets the program run a task against the database and then proceed. With a Statement built by string concatenation, the query text can be altered through the input and data can be stolen. To overcome this problem we use PreparedStatement, which is the correct solution for SQL injection.

If the two steps above are rewritten with PreparedStatement, the code changes as follows:

Step 1: PreparedStatement pst = con.prepareStatement("select * from register where name=? and password=?");
Step 2: pst.setString(1, user);
        pst.setString(2, secure);
Step 3: ResultSet rs = pst.executeQuery();

In the above process we have used the PreparedStatement interface, in which ? is a placeholder. Whenever a PreparedStatement is used, placeholders appear in the query text and the values are substituted in a later step, i.e. in step 2, using the setXXX() methods. Step 3 executes the query just as with Statement, except that no query text is passed at execution time; note that it must be called on the PreparedStatement, pst, not on the earlier Statement.

By using PreparedStatement for the static login check, the chance of a hacker getting through is very small: the values can only be bound into the placeholders, and the query is precompiled, meaning its structure cannot change whatever the user enters. The PreparedStatement is compiled once and can be executed any number of times, with different placeholder values bound for each user's validation check.

SQL injection in any application works by modifying the query that is actually written in the application. With string concatenation, the query is modified to:

Step 1: ResultSet rs = st.executeQuery("select * from register where name='" + user + "' or 1=1");
        // the effective query once the injected name value has been concatenated
Step 2: if (rs.next()) {
            // move to home page
        }

In the query above there is a condition asking whether 1 is equal to 1. Two conditions are checked: the first is the username and the second is whether 1 equals 1. Even if the username is wrong, the second condition is always true, so unauthorized users can reach the database and misuse the application for illegal transactions.

There are many attack scenarios, such as:

1. Privilege Escalation Attack
2. Hijack Future Session Attack
3. Injection Attack
4. Direct DB Attack

Privilege Escalation Attack: a user may try to change identity and log in as the admin in order to access the admin's data in the application. This kind of unauthenticated action may be caught by the database, the application or the web server.

Hijack Future Session Attack: the hacker may try to access the details of the last user who logged in to the application, since that user's session data is still available on the server side. The application should therefore be designed so that all session data is deleted after logout, i.e. none of it remains on the server side.

Injection Attack: the attacker modifies the structure of the query while the input is being fed to the application and thereby accesses the application without genuine authentication. It is therefore very important for the programmer to write the code with the correct methods to avoid this kind of injection.


Fig 3: Privilege Escalation Attack
Fig 4: Hijack Future Session Attack
Fig 5: Injection Attack
Fig 6: Direct DB Attack

Direct DB Attack: here an attacker bypasses the web server or firewall, connects directly to the database and hijacks its content. An attacker could also have taken over the web server and issue queries without any web request being made. This type of attack is not considered in this paper, because we provide an authentication check for the server login as well as for the application login; with that check in place the paper assumes the database cannot be hijacked in this way.
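A session-level check in the spirit of the abstract's DoubleGuard, which correlates the web requests of a session with the SQL the back end issues for it, as an added example that is not the paper's own implementation (the paper does not give one). It assumes, for illustration, that each back-end query is tagged with the web session id that caused it (per-session isolation or an application-side tag would provide this), that the model of which SQL templates each request type may issue was learned from a clean training run, and that the web and database log lines, request names and table names are all constructed here. Run over the sample lines it flags three of the four scenarios above: a structurally changed login query (injection), an update of the register table that no request of that session may issue (privilege escalation), and queries from a session that never made a web request (direct DB attack).

```python
"""Correlate per-session web requests with the SQL templates the back end
issued for them and flag queries that no request in the session explains.
Added example; model, log format and log lines are all constructed."""
import re
from collections import defaultdict

# Constructed model (assumed learned from a clean training run): the SQL
# templates each request type is allowed to issue, literals replaced by ?.
EXPECTED = {
    "POST /login": {"select * from register where name=? and password=?"},
    "GET /ministatement": {"select * from txn where acct=? order by ts desc limit ?"},
    "POST /transfer": {
        "select balance from account where acct=?",
        "update account set balance=balance-? where acct=?",
        "update account set balance=balance+? where acct=?",
    },
}

# Constructed log lines; sid is the web session id assumed to be carried on
# both the web request and the database query it caused.
WEB_LOG = [
    "sid=S1 POST /login",
    "sid=S1 GET /ministatement",
    "sid=S2 POST /login",
    "sid=S3 POST /transfer",
]
DB_LOG = [
    "sid=S1 select * from register where name='alice' and password='s3cret'",
    "sid=S1 select * from txn where acct=1001 order by ts desc limit 5",
    "sid=S2 select * from register where name='anyone' and password='' or '1'='1'",
    "sid=S3 select balance from account where acct=1001",
    "sid=S3 update account set balance=balance-250 where acct=1001",
    "sid=S3 update account set balance=balance+250 where acct=2002",
    "sid=S3 update register set role='admin' where name='mallory'",
    "sid=S9 select * from register",
]

_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")
_LINE = re.compile(r"^sid=(\S+)\s+(.+)$")


def normalize(sql):
    """Reduce a query to its template: quoted strings and numbers become ?,
    whitespace is collapsed and the text is lower-cased. An injected predicate
    such as  or '1'='1  survives as  or ?=?  and so changes the template,
    whereas different genuine input values do not."""
    return " ".join(_LITERAL.sub("?", sql).split()).lower()


def by_session(lines):
    """Group log lines by session id; lines not in the format are skipped."""
    out = defaultdict(list)
    for line in lines:
        m = _LINE.match(line)
        if m:
            out[m.group(1)].append(m.group(2))
    return out


def audit(web_lines, db_lines):
    """Return (session, reason, template) for every database query that the
    session's web requests do not account for."""
    web = by_session(web_lines)
    db = by_session(db_lines)
    findings = []
    for sid, queries in db.items():
        allowed = set()
        for request in web.get(sid, []):
            allowed |= EXPECTED.get(request, set())
        for query in queries:
            template = normalize(query)
            if sid not in web:
                findings.append((sid, "query with no web request in session", template))
            elif template not in allowed:
                findings.append((sid, "query not produced by any request in session", template))
    return findings


if __name__ == "__main__":
    for sid, reason, template in audit(WEB_LOG, DB_LOG):
        print(f"{sid}: {reason}: {template}")
```

The check is only as good as the session tag on the database side and the completeness of the learned template set: a request type missing from the model makes every query of that session look unexplained, so the model has to be refreshed whenever the application's queries change.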



Fig 7: Analysis on different attacks
Our work was carried out on the bank application. To show that the dynamic web database is also protected, we consider four functions of the banking sector, two of which are linked to the database; to carry out any further action on these two, the user has to pass a verification step, so that data corruption is avoided. The features added to the application are mini statement, funds transfer, online offers and online shopping. Of these, a security check is applied to funds transfer and online shopping, since both make changes to the database. So even if a hacker hijacks the application through injection, the second check stops the user from proceeding unless it is the genuine user. The work thereby shows security for the static web page, i.e. login authentication, as well as for the web server database.



AUTHORS PROFILE

Narender Armulla is pursuing M.Tech (CSE) at Vikas Group of Institutions (formerly Mother Theresa Educational Society Group of Institutions), Nunna, Vijayawada, affiliated to JNTU-Kakinada, A.P., India.

K. Durga Prasad is working as an Assistant Professor in the Department of CSE at Vikas College of Engineering and Technology, Nunna, Vijayawada, affiliated to JNTU-Kakinada, A.P., India.

Betam Suresh is working as HOD, Department of Computer Science and Engineering, at Vikas Group of Institutions (formerly Mother Teresa Educational Society Group of Institutions), Nunna, Vijayawada, affiliated to JNTU-Kakinada, A.P., India.
