Please use this identifier to cite or link to this item: http://localhost:8081/xmlui/handle/123456789/2216
Full metadata record
| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | Manikanta, Y. V. N. | - |
| dc.date.accessioned | 2014-09-27T05:05:37Z | - |
| dc.date.available | 2014-09-27T05:05:37Z | - |
| dc.date.issued | 2012 | - |
| dc.identifier | M.Tech | en_US |
| dc.identifier.uri | http://hdl.handle.net/123456789/2216 | - |
| dc.guide | Sardana, Anjali | - |
| dc.description.abstract | SQL Injection attacks are costly and critical attacks on web applications: SQL Injection is a code injection technique that allows attackers to obtain unrestricted access to databases and to the potentially sensitive information these databases contain, such as usernames, passwords, email IDs, and credit card details. Various techniques have been proposed to address the problem of SQL Injection attacks, such as defensive coding practices, detection and prevention techniques, and intrusion detection systems. However, most of these techniques have one or more disadvantages, such as requiring code modification, being applicable to only some types of web applications, or addressing only some attack types. In this dissertation, entitled "Database Level IDS for Detecting and Preventing SQL Injection Attacks", a secure mechanism for protecting web applications from SQL Injection attacks by using a framework and a database firewall is proposed and implemented. This mechanism uses a combined static and dynamic analysis technique. In static analysis, we list all the URLs, forms, injection points, and vulnerable parameters of the web application. Thus, we identify the valid queries that could be generated by the application. In dynamic analysis, we use the database firewall to monitor queries generated at runtime and check them against the whitelist of queries. The results show that the implemented mechanism is capable of detecting all types of SQL Injection attacks without requiring any code modification to the existing web application, but with the additional element of deploying a proxy. | en_US |
| dc.language.iso | en | en_US |
| dc.subject | SQL | en_US |
| dc.subject | DATABASE | en_US |
| dc.subject | WEB APPLICATION | en_US |
| dc.subject | ELECTRONICS AND COMPUTER ENGINEERING | en_US |
| dc.title | DATABASE LEVEL IDS FOR DETECTING AND PREVENTING SQL INJECTION ATTACKS | en_US |
| dc.type | M.Tech Dissertation | en_US |
| dc.accession.number | G21980 | en_US |
Appears in Collections: MASTERS' THESES (E & C)

Files in This Item:
| File | Description | Size | Format |
| --- | --- | --- | --- |
| ECDG21980.pdf | | 3.97 MB | Adobe PDF |