Circulation in Computer Science Vol.2, No.5, pp: (23-27), June 2017 https://doi.org/10.22632/ccs-2017-252-21

DE-PRE Tool for Detection and Prevention from Input Validation Attacks on Website

Prathamesh P. Churi
Assistant Professor, Department of Computer Engineering, SVKM's NMIMS Mukesh Patel School of Technology Management and Engineering, Mumbai, India

Kamal Mistry
Assistant Professor, Department of Computer Engineering, SVKM's NMIMS Mukesh Patel School of Technology Management and Engineering, Mumbai, India

ABSTRACT
In most cases, a web application or website is released on the internet as soon as it is fully developed, and if it has not been given proper security it is susceptible to input validation attacks, specifically SQLIA, XSS and Buffer Overflow. A website can be hacked within hours of its release on the internet. Only at this point does the development team realize that it must consider security issues, backtrack and repair. Applying security at this stage is a costly, time-consuming process that also adds some software overhead. To avoid this and to protect websites from input validation attacks, we plan to build security into the software development cycle itself, taking into account the website's vulnerabilities and the behaviour of the attacks, so that the website is protected before its release and is afterwards not under threat from these specific input validation attacks. To implement this, we are designing a utility tool that adds security during the software development cycle of any website that requires protection.

Keywords: Input Validation Attacks, SQLIA, XSS, BOF, Utility Tool, Prevention.

1. INTRODUCTION
Our aim is to develop a software utility tool that can be used during the software development cycle of a website, so that each page can be imported into the tool and tested for vulnerabilities, becoming less susceptible to, and protected from, the major input validation attacks: SQL Injection (SQLIA), Cross-site Scripting (XSS) and Buffer Overflow (BOF). In short, your website becomes hack-resilient. The software has two modules, Detection and Prevention, which make it possible to test every webpage of the website under development and to remove all the vulnerabilities, so that the website is protected against input validation attacks once it is hosted or live on the internet. In the proposed software we implement prevention using mutation testing, with a graphical user interface that lets you select the attack, and its variants, against which you want to protect your website. After selecting a specific attack, the next step lets you import your web page and test it for the vulnerabilities it might contain for that attack. The particular vulnerabilities can be selected through the interface, and the software creates a report for that specific attack and removes all the vulnerabilities [2, 3]. The software also features further detection of attacks and IP address tracking.

Copyright © 2017 Prathamesh P. Churi et al. This is an open-access article distributed under the terms of the Creative Commons Attribution License 4.0, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

2. EXISTING INPUT VALIDATION ATTACKS
Input validation attacks [4,10] are attacks in which an attacker intentionally sends unusual input in the hope of confusing an application.

2.1 SQL Injection (SQLIA):
SQLIA attacks occur when the attacker uses specifically crafted SQL queries or commands to execute malicious activities on the victim system. This weakness exists when there is no validation of input while a database query is made via the Internet. The worst thing is that this can be done with only a browser. Obviously, the first step for an SQL injection is to find a vulnerable target. Unfortunately, Web applications are also vulnerable to a variety of new security threats, and SQL Injection Attacks (SQLIAs) are one of the most significant of such threats. SQLIAs have become increasingly frequent and pose very serious security risks because they can give attackers unrestricted access to the databases that underlie Web applications [8].

2.2 Cross Site Scripting (XSS):
Cross site scripting (also known as XSS) [5] occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website or an instant message, or simply while reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so that the request looks less suspicious to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner that makes it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with HTML and JavaScript embedded in them. An attacker can make use of this JavaScript to steal cookies for session hijacking.


2.3 Buffer Overflow (BOF):
Buffer Overflow [6] attacks fall under the input invalidation category as well as the sloppy programming or poor memory management category. In this paper we concentrate on buffer overflow due to input invalidation. On the web, the attack that measurably takes place is the string overflow, so let's discuss it. Buffer overflow attacks generally take place against C and C++ programs; in Java it is somewhat difficult to cause a buffer overflow.

3. PREVIOUS RESEARCH
IBM reported that the cost to fix an error found after product release was 4 to 5 times as much as one uncovered during design, and up to 100 times more than one identified in the maintenance phase. Research by @Stake demonstrated that on average an organization caught only a quarter of its software security holes and had typically seven significant bugs within its enterprise software. Their findings verified that fixing the same defects during the testing phase cost around seven times less than after deployment. They concluded that building security into software engineering at the design stage would net a 21% ROSI (Return on IT Security Investment); waiting until the implementation stage would reduce that to 15%, and at the testing stage the ROSI would fall to 12%. Integrating security early into the application development lifecycle produces more secure, robust applications at a lower cost.

Random security is not enough. To make your application hack-resilient, you need a holistic and systematic approach to securing your network, host, and application. The responsibility spans phases and roles across the product life cycle [7,4]. In this project, the main intention is to focus on detection and prevention of input validation attacks such as SQL Injection, Cross Site Scripting and Buffer Overflow by incorporating security into the software development life cycle. We have introduced a novel approach to the preclusion and uncovering of input validation attacks. Moreover, existing tools do not combine prevention and detection in one. Security cannot be incorporated at the end of the program; it should be involved in the software development life cycle. Following this baseline, our tool works in two phases, testing and deployment. The prevention module works in the testing phase. The detection module is designed for the deployment phase, in which security functions get called while writing code [9]. To test the proposed tool we need a web application. We found that there is a need for a secure web-based conference management system, in which many things are involved, from paper submission to registration of the paper, where a money transaction is involved. So we decided to construct a secure web-based conference management system using the proposed tool.

3.1 Existing System and Literature Cited
AMNESIA, SQLGuard, SQLCheck, SQLrand and TAUTOLOGYChecker are some tools for SQL attack detection, but they do not provide prevention management along with it. XSS Me is a plug-in for Mozilla Firefox that aids cross-site scripting testing; as mentioned, it is a plug-in, not a standalone tool to test each webpage.

Table I: Literature Cited
(Sr. No; title of the paper and authors; description)

1. Web Application Intrusion Detection System for Input Validation Attack [1]
   - The paper presents the Web Application Intrusion Detection System (WAIDS).
   - The approach is based on web application parameters which have identical structures and values.
   - WAIDS derives a new intrusion detection method using a profile generated from web request data in normal situations. By doing this, it is possible to reduce analysis time and the false positive rate.
   - The result parameters and evaluation are significant.

2. HMM-Web: a framework for the detection of attacks against Web applications [11]
   - The authors propose a new formulation of query analysis through Hidden Markov Models (HMM) and show that HMMs are effective in detecting a wide range of either known or unknown attacks on web applications.
   - Experimental results on real-world data show the effectiveness of the proposed system in terms of very high detection rates and low false alarm rates.

3. SBSQLID: Securing Web Applications with Service Based SQL Injection Detection [12]
   - This paper proposes a methodology for the detection of exploitations of SQL injection vulnerabilities.
   - In this work, an independent Web Service is intended to generalize the syntactic structure of the SQL query and validate the user inputs. When the user submits the SQL query at runtime, the query has to be parsed by the independent service for the correctness of the syntactic structure and user data.
   - This approach is to prevent all forms of SQL injection, independent of the target system, platform and backend DB server.

4. A Black-box Testing Tool for Detecting SQL Injection Vulnerabilities [13]
   - The primary focus of our research was to develop a reliable black-box vulnerability scanner for detecting SQLI vulnerability - SQLIVDT (SQL Injection Vulnerability Detection Tool). The black-box approach is based on simulation of SQLI attacks against web applications. Thus, the scope of analysis is limited to HTTP responses and HTML pages received from the application server. In order to achieve efficient SQLI vulnerability detection, an efficient algorithm for HTML page similarity detection is used. The proposed tool showed promising results as compared to six well-known web application scanners.

5. Securing web applications with better "patches": an architectural approach for systematic input validation with security patterns [14]
   - This paper examines the current ways in which input validation is conducted in major open-source projects and attempts to confirm the main source of the problem as these ad hoc responses to input validation-related attacks such as SQL injection and cross-site scripting (XSS) attacks through a case study. In addition, the authors have proposed a more systematic security approach by promoting the adoption of proactive, architectural design-based solutions to move away from the current practice of chronic vulnerability-centric and reactive approaches.

6. Websites Input Validation and Input Misuse Based Attacks [15]
   - In this paper, we conducted an evaluation study of how much input validation is used by web designers.
   - We used some of the web attacks that target improper input validation as indicators to show the quality of the input validation process for the evaluated websites.
   - Results showed that those types of attacks continue to be effective and serious methods.
   - Results showed also that there is a need for systematic and frequent evaluation of those websites to ensure that basic input validation guidelines are observed.
   - This paper includes the following contributions: an SQL-injection-vulnerability assessment of a dataset of several selected websites, and the proposal of a mutation, fault-based model to test websites for possible SQL-injection vulnerabilities.

4. WORKING PROTOTYPE
Our software consists of two modules: the Detection module and the Prevention module.

4.1 Detection Module
The detection module works when the user supplies input data to the web application. This part of the tool basically does input testing, i.e. black box testing.

Layer 1 (Removal of illegal character): In the first stage the form information is scanned and illegal characters (mostly wild characters), if any, are detected. This stage basically deals with Cross Site Scripting (XSS) and SQL Injection Attack (SQLIA). For example, scripts are always written within < and > symbols, and piggybacked queries are separated with a semicolon (;). Such suspicious characters can be filtered out in this stage.

Layer 2 (Validation through regular expression check): In stage two the information in the form is compared with the set of valid regular expressions and evaluated. This stage deals with buffer overflow criteria, XSS and SQLIA. The regular expression "^ [\\w_\.]*[\\w-_\.]\@[\\w]\.+[\\w]+[\\w]$" checks the validity of an email address; likewise we can write a regular expression for every input, so any change made by the user during input can be detected easily.

Layer 3 (IP address tracking): In stage three the form contents are matched against a set of potentially harmful statements that are recognized and stored in a knowledge base, thus tackling the security threats SQLIA and XSS. For example, a user can type the tautology 'or '1' = '1' in the password field. A password can be a combination of special characters and symbols, so we can't put any restriction on the password field. As this is a well-known attack, it can be detected just by comparing the input with the list of suspicious inputs. The main advantage of this phase is that coding knowledge is not required; input values alone are sufficient for detecting the attack. In the detection module we want multiple layers so that it can detect any kind of attack.
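The three detection layers of Section 4.1, as an added sketch that is not the DE-PRE tool's own code. The field names, patterns, length bounds and knowledge-base entries are assumptions chosen for illustration, and the sample submissions are constructed.

```python
import re

# Layer 1: the characters the text singles out: < and > (script tags)
# and ; (piggybacked queries).
ILLEGAL_CHARS = set("<>;")
# The text says a password may contain any symbol, so Layer 1 skips it.
FREE_FORM_FIELDS = {"password"}

# Layer 2: one allow-list pattern per field, each with a length bound to
# cover the buffer-overflow criterion. Patterns are assumptions.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "email": re.compile(
        r"[A-Za-z0-9._-]{1,64}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63}){1,4}"),
    "password": re.compile(r"[\x20-\x7e]{8,128}"),
}

# Layer 3: knowledge base of known-bad statements, stored lower-cased and
# without whitespace so spacing and case variations still match.
KNOWLEDGE_BASE = ["'or'1'='1", "or1=1", "<script", "unionselect"]


def normalise(value):
    return re.sub(r"\s+", "", value).lower()


def inspect_field(name, value):
    """Return a list of (layer, reason) findings for one form field."""
    findings = []
    if name not in FREE_FORM_FIELDS:
        bad = sorted(ILLEGAL_CHARS & set(value))
        if bad:
            findings.append((1, "illegal characters: " + " ".join(bad)))
    rule = FIELD_RULES.get(name)
    if rule is None or not rule.fullmatch(value):
        findings.append((2, "value does not match the pattern for this field"))
    flat = normalise(value)
    for entry in KNOWLEDGE_BASE:
        if entry in flat:
            findings.append((3, "knowledge-base match: " + entry))
    return findings


def inspect_form(form):
    """Run all three layers over a form; keep only fields with findings."""
    report = {name: inspect_field(name, value) for name, value in form.items()}
    return {name: hits for name, hits in report.items() if hits}


def layers_hit(form):
    return {name: [layer for layer, _ in hits]
            for name, hits in inspect_form(form).items()}


# Constructed sample submissions.
SAMPLES = {
    "benign": {"username": "asha_k", "email": "asha.k@example.org",
               "password": "c0rrect;Horse<9"},
    "tautology": {"username": "admin", "email": "a@example.org",
                  "password": "x' or '1' = '1"},
    "script": {"username": "<script>alert(1)</script>",
               "email": "a@example.org", "password": "longenough1"},
    "oversize": {"username": "A" * 5000, "email": "a@example.org",
                 "password": "longenough1"},
}

if __name__ == "__main__":
    for label, form in SAMPLES.items():
        print(label, layers_hit(form))
```

Layer 3 only catches inputs already in the knowledge base, so in practice such checks sit alongside parameterised queries and output encoding rather than replacing them.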


Mutation testing is a powerful method for finding errors in software programs. Mutation testing introduces faults into software by creating many different versions of the program. Each version has one very small change (which introduces a fault) compared to the actual implementation. The idea is to see whether the test cases that were written can detect the new fault. There are different mutation operators, such as RMWH, which stands for "remove where", and NEGC, for "negate each of unit expression".
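An added example, not code from the paper or the DE-PRE tool: a minimal mutation run over one login query, using simplified versions of the RMWH and NEGC operators named above. The query, table, fixture rows and test inputs are constructed for illustration, and the operators handle only a flat, AND-joined WHERE clause.

```python
import re
import sqlite3

# Hypothetical login query under test (parameterised).
ORIGINAL = "SELECT name FROM users WHERE name = ? AND pwd_hash = ?"


def rmwh(sql):
    """RMWH ("remove where"): drop the WHERE clause."""
    return re.sub(r"\s+WHERE\s+.*$", "", sql, flags=re.I | re.S)


def negc(sql):
    """NEGC: one mutant per unit expression, with that expression negated."""
    head, where = re.split(r"\s+WHERE\s+", sql, maxsplit=1, flags=re.I)
    units = re.split(r"\s+AND\s+", where, flags=re.I)
    return [
        head + " WHERE " + " AND ".join(
            units[:i] + ["NOT (" + units[i] + ")"] + units[i + 1:])
        for i in range(len(units))
    ]


def make_db():
    # Constructed fixture: two users with placeholder hash values.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "h-alice"), ("bob", "h-bob")])
    return conn


def run(conn, sql, params):
    # A mutant can have fewer placeholders than the original (RMWH has none).
    return sorted(conn.execute(sql, params[:sql.count("?")]).fetchall())


def killed_mutants(tests):
    """Return (labels of killed mutants, total mutants) for a test set.

    A mutant is killed when at least one test input makes it return a
    different result from the original query.
    """
    conn = make_db()
    mutants = {"RMWH": rmwh(ORIGINAL)}
    for i, sql in enumerate(negc(ORIGINAL), 1):
        mutants["NEGC#%d" % i] = sql
    killed = sorted(
        label for label, sql in mutants.items()
        if any(run(conn, sql, t) != run(conn, ORIGINAL, t) for t in tests))
    return killed, len(mutants)


# Constructed test sets: the weak one only tries an unknown user.
WEAK_TESTS = [("mallory", "h-none")]
STRONG_TESTS = WEAK_TESTS + [("alice", "h-alice")]

if __name__ == "__main__":
    print("weak  :", killed_mutants(WEAK_TESTS))
    print("strong:", killed_mutants(STRONG_TESTS))
```

Both NEGC mutants survive the weak test set, which means that set would not notice an inverted name or password-hash comparison; adding one valid login kills all three mutants.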

Fig 1. De-Pre Detection Module
[Figure label: Analysis output of all three modules for Complete Vulnerability]

4.2 Prevention Module
In the prevention module we try to avoid attacks, so this module is placed in the testing phase. In web programming, prevention means trying to find the vulnerabilities in a program. Once you know about the vulnerabilities in the code, you can modify the code to remove them. If no vulnerability is present in your code, an attacker cannot succeed: no vulnerability, no attack. In the prevention module we do code testing to find vulnerabilities, specifically for SQL injection, buffer overflow and cross-site scripting. Moreover, existing testing approaches do not address the issue of generating adequate test data sets that can detect SQLIA, XSS and buffer overflow. We think mutation-based testing will give better results than other testing methodologies. After the development phase, the program is given as input to the prevention module, which checks for SQLI, XSS and BOF vulnerabilities by mutation testing.

Fig 2. De-Pre Prevention Module

5. CONCLUSION
In this project, we presented detailed information on input validation attacks, with the main focus on SQLIA, XSS and Buffer Overflow. We discussed different types of SQLIA, XSS and BOF. We then stated the need for security in the software development life cycle. We demonstrated how attackers perform attacks on web sites. We discussed the design and implementation of the new hybrid tool that was developed for this project. We demonstrated that the tool provides robust web-server security against input validation attacks. The tool contains two modules, prevention and detection. These modules work in different phases of software development; because security is incorporated early in the software development life cycle, it is definitely beneficial. Testing applications for SQL Injection, XSS and Buffer Overflow is being performed today using many different approaches, but the method we used for prevention was mutation-based testing, because mutation testing is the most powerful technique for the assessment and enhancement of tests. For detection we have used a multilayer defense mechanism. Due to its multiple layers it can catch any kind of attack on a web site. We have successfully developed an application aimed at detecting and preventing web vulnerabilities. The designed system will allow a web developer to determine various application security risks and vulnerabilities. The system also makes appropriate suggestions to ensure the security of web applications against various threats and risks, thereby giving solutions to overcome them.

6. ACKNOWLEDGMENT
The author wants to thank his brother, Mr. Rohan Chaudhari, for his encouragement for this research.

7. REFERENCES

[1] Park Y, Park J. Web application intrusion detection system for input validation attack. In Convergence and Hybrid Information Technology, 2008. ICCIT'08. Third International Conference on 2008 Nov 11 (Vol. 2, pp. 498-504). IEEE.
[2] Brinhosa RB, Westphall CB, Westphall CM. A security framework for input validation. In Emerging Security Information, Systems and Technologies, 2008. SECURWARE'08. Second International Conference on 2008 Aug 25 (pp. 88-92). IEEE.
[3] Hayati P, Jafari N, Rezaei SM, Sarenche S, Potdar V. Modeling input validation in UML. In Software Engineering, 2008. ASWEC 2008. 19th Australian Conference on 2008 Mar 26 (pp. 663-672). IEEE.
[4] Halfond W, Orso A, Manolios P. WASP: Protecting Web applications using positive tainting and syntax-aware evaluation. IEEE Transactions on Software Engineering. 2008 Jan;34(1):65-81.
[5] Shahriar H, Zulkernine M. MUSIC: Mutation-based SQL injection vulnerability checking. In Quality Software, 2008. QSIC'08. The Eighth International Conference on 2008 Aug 12 (pp. 77-86). IEEE.
[6] Lin JC, Chen JM. The automatic defense mechanism for malicious injection attack. In Computer and Information Technology, 2007. CIT 2007. 7th IEEE International Conference on 2007 Oct 16 (pp. 709-714). IEEE.
[7] Zhenyu Q, Jing X, Baoguo L, Fang T. MBDS: model-based detection system for cross site scripting. In Wireless, Mobile and Sensor Networks, 2007 (CCWMSN07). IET Conference on 2007 Dec 12 (pp. 849-852). IET.
[8] Shahriar H, Zulkernine M. Mutec: Mutation-based testing of cross site scripting. In Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems 2009 May 19 (pp. 47-53). IEEE Computer Society.
[9] Johns M, Engelmann B, Posegga J. Xssds: Server-side detection of cross-site scripting attacks. In Computer Security Applications Conference, 2008. ACSAC 2008. Annual 2008 Dec 8 (pp. 335-344). IEEE.
[10] Ingle, D.R. and Meshram, B.B., 2012. Attacks on Web Based Software and Modelling Defence Mechanisms. International Journal of UbiComp, 3(3), p.11.
[11] Corona, Igino, Davide Ariu, and Giorgio Giacinto. "HMM-Web: A framework for the detection of attacks against web applications." Communications, 2009. ICC'09. IEEE International Conference on. IEEE, 2009.
[12] Shanmughaneethi, Shri V., Smt C. Emilin Shyni, and S. Swamynathan. "SBSQLID: Securing web applications with service based SQL injection detection." Advances in Computing, Control, & Telecommunication Technologies, 2009. ACT'09. International Conference on. IEEE, 2009.
[13] Djuric, Zoran. "A black-box testing tool for detecting SQL injection vulnerabilities." Informatics and Applications (ICIA), 2013 Second International Conference on. IEEE, 2013.
[14] Sohn, Jung-Woo, and Jungwoo Ryoo. "Securing Web Applications with Better "Patches": An Architectural Approach for Systematic Input Validation with Security Patterns." Availability, Reliability and Security (ARES), 2015 10th International Conference on. IEEE, 2015.
[15] Alsmadi, Izzat, and Iyad Alazzam. "Websites' Input Validation and Input-Misuse-Based Attacks." Cybersecurity and Cyberforensics Conference (CCC), 2016. IEEE, 2016.

CCS | 2017 | ISSN 2456-3692 Published by: CSL Press, USA