International Research Journal of Engineering and Technology (IRJET)
e-ISSN: 2395-0056 | p-ISSN: 2395-0072
Volume: 04 Issue: 04 | Apr-2017
www.irjet.net
Using AMNESIA to secure web applications and database against SQL injection attack
Disha Sharma1, Komal Kale2, Chandrakala Date3, Prof. Diksha Bhave4
1,2,3 B.E. Students, Department of Computer Engineering, Shivajirao S. Jondhale College of Engineering, Dombivli(E)
4 Assistant Professor, Department of Computer Engineering, Shivajirao S. Jondhale College of Engineering, Dombivli(E)
Mumbai University, Maharashtra, India
---------------------------------------------------------------------***---------------------------------------------------------------------
Abstract - In today's world the use of the internet and web applications has become more and more common in our routine activities, such as reading the news, paying bills, and shopping online. As the availability of these services grows, we are witnessing an increase in the number and sophistication of attacks that target them. Sensitive user data may be leaked from the database, resulting in serious losses, including loss of intellectual property. The approach presented here uses AMNESIA, which detects and prevents SQL injection attacks by combining static analysis and runtime monitoring.

Key Words: Internet, web applications, AMNESIA, static analysis, runtime monitoring.
1. INTRODUCTION
SQL injection attacks (SQLIAs) are a type of code-injection attack that targets databases in order to steal information from organizations. The attacker enters malicious SQL commands into a SQL statement through unconstrained user-input parameters in order to manipulate the logic of the SQL query. This threatens every web application that accesses its database through SQL commands built from external input data. Through SQL injection the attacker bypasses the authentication phase and obtains confidential information. Unauthorized access to confidential information by a malicious user compromises its authority, confidentiality and integrity, and the result can be that the system no longer delivers proper service to its customers. In this paper we present a method that acts against such malicious content and works actively on the hotspots where injection may occur [1].

SQL injection vulnerabilities are due to poor input validation: input from the user to a web application is used to build a database query, but with poor validation, and so SQL injection occurs. An attacker uses this vulnerability of the application as an opportunity by enclosing malicious SQL commands within the input, which are then executed by the database. SQLIAs could also be prevented by applying any of a number of defensive coding techniques. However, these techniques have been less than effective in addressing the problem, because they are prone to human error and expensive to apply to large legacy code bases.
2. EXISTING SYSTEMS
The defense techniques in use fall into two classes: defensive coding and runtime monitoring. Defensive coding has subclasses such as parameterized query insertion, manual defensive coding practices and SQL DOM. Defensive coding produces secure code but is labor intensive and time-consuming. Manual defensive coding practices are performed by hand and can be carried out with the help of OWASP guidance. SQL DOM offers greater flexibility when the developer needs to use dynamic queries rather than parameterized ones. Runtime checking is a technique that guards against illegitimate SQL statements of every variety of SQLIA by checking them at runtime; its disadvantage is that it needs a robust dynamic monitoring system.
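The difference between the vulnerable query construction described in the Introduction and the parameterized query insertion listed above is easiest to see side by side. The following is an added example written for this page, not code from the paper or from AMNESIA; it uses Python's built-in sqlite3 module, a constructed in-memory users table, and a constructed tautology input to show why string concatenation lets the input change the query's logic while a bound parameter cannot.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the demonstration (not data from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'wonderland')")
    return conn


def login_concat(conn, login, password):
    """Vulnerable form: the statement is built by string concatenation, so the
    unconstrained input becomes part of the query text and can alter its logic."""
    query = ("SELECT login FROM users WHERE login='" + login +
             "' AND passwd='" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_param(conn, login, password):
    """Hardened form (parameterized query insertion): the statement structure is
    fixed and the inputs are bound as data values, never as SQL text."""
    query = "SELECT login FROM users WHERE login=? AND passwd=?"
    return [row[0] for row in conn.execute(query, (login, password))]


def demo():
    """Runs both forms against a legitimate login and a tautology input."""
    conn = make_db()
    tautology = "' OR '1'='1"   # constructed input that turns the WHERE clause into a tautology
    return {
        "concat_legit": login_concat(conn, "alice", "wonderland"),
        "concat_attack": login_concat(conn, "nobody", tautology),   # returns a row: authentication bypassed
        "param_legit": login_param(conn, "alice", "wonderland"),
        "param_attack": login_param(conn, "nobody", tautology),     # returns nothing: input stayed data
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

In the parameterized version the tautology string is compared literally against the passwd column, so no row matches; the query's structure is decided before any user input arrives, which is exactly the property the static part of AMNESIA later tries to recover from code that does not use parameters.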
3. PROPOSED SYSTEM
Our proposed solution is AMNESIA, a technique that combines a static and a dynamic part to detect web-application vulnerabilities at runtime. The idea behind it is that the source code contains enough information to infer models of the authorized SQL queries the application generates. The static part uses program analysis to automatically build a model of the authorized queries that the application can generate. The dynamic part monitors the dynamically generated queries at runtime and checks them for conformance with the model built in the static part. Queries that violate the model represent potential SQLIAs and are therefore prevented from reaching the database and reported. The technique consists of 4 main steps, which we describe below in summary.
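To make the static/dynamic split concrete, here is an added, deliberately simplified model checker written for this page; it is not AMNESIA's implementation (AMNESIA derives an NFA of query strings from the program and parses queries with a full SQL lexer at runtime). The simplification assumes the query template at a hotspot is known and represents the model as a fixed token sequence in which each user-supplied literal is a VAR node that must match exactly one literal token; the tokenizer, the login query, the placeholder syntax and the sample inputs are all constructed for the illustration.

```python
import re

# Token grammar for a small SQL subset (constructed for this illustration).
TOKEN_RE = re.compile(r"""
    (?P<STR>'(?:[^']|'')*')            # string literal; '' is an escaped quote
  | (?P<NUM>\d+)                        # numeric literal
  | (?P<ID>[A-Za-z_][A-Za-z_0-9]*)      # keyword or identifier
  | (?P<OP>=|<>|<=|>=|<|>|\*|,|\(|\)|;)
  | (?P<WS>\s+)
""", re.VERBOSE)


def tokenize(sql):
    """Lexes a query into (kind, text) tuples; raises on anything unrecognised."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {sql[pos]!r}")
        kind = m.lastgroup
        if kind != "WS":
            text = m.group()
            if kind == "ID":
                text = text.upper()   # keywords/identifiers treated case-insensitively
            tokens.append((kind, text))
        pos = m.end()
    return tokens


VAR = ("VAR", None)   # model node standing for one whole user-supplied literal


def build_model(template, placeholder="?"):
    """Static part (simplified): from the hotspot's query template derive the model
    of authorized queries. Each placeholder becomes a VAR node; all other tokens
    are fixed."""
    pieces = template.split(placeholder)
    model = []
    for i, piece in enumerate(pieces):
        model.extend(tokenize(piece))
        if i < len(pieces) - 1:
            model.append(VAR)
    return model


def conforms(model, tokens):
    """A query conforms when it has the same token structure as the model and
    every VAR position holds exactly one literal token."""
    if len(model) != len(tokens):
        return False
    for (mkind, mtext), (tkind, ttext) in zip(model, tokens):
        if mkind == "VAR":
            if tkind not in ("STR", "NUM"):
                return False
        elif (mkind, mtext) != (tkind, ttext):
            return False
    return True


def check_query(model, sql):
    """Dynamic part: lex the query generated at the hotspot and check it against
    the model. A violation (or an unlexable query) is a potential SQLIA and the
    query would be blocked and reported instead of executed."""
    try:
        return conforms(model, tokenize(sql))
    except ValueError:
        return False


# Constructed hotspot: the same concatenation pattern the Introduction describes.
LOGIN_MODEL = build_model("SELECT login FROM users WHERE login=? AND passwd=?")


def build_login_query(login, password):
    return ("SELECT login FROM users WHERE login='" + login +
            "' AND passwd='" + password + "'")


def demo():
    """Legitimate inputs (including an escaped quote) conform; injected inputs that
    add tokens, or that the lexer cannot read, do not."""
    return {
        "legitimate": check_query(LOGIN_MODEL, build_login_query("alice", "wonderland")),
        "escaped_quote": check_query(LOGIN_MODEL, build_login_query("O''Brien", "pw")),
        "tautology": check_query(LOGIN_MODEL, build_login_query("nobody", "' OR '1'='1")),
        "piggyback": check_query(LOGIN_MODEL, build_login_query("x", "x'; DROP TABLE users; --")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'BLOCKED'}")
```

The escaped-quote case is the edge that matters for false positives: `'O''Brien'` lexes as a single string literal, so a correctly escaped name still conforms, whereas the tautology input turns one literal into five tokens and the piggybacked statement adds tokens the model never contained. Both are rejected on structure alone, without any list of bad keywords.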
© 2017, IRJET | Impact Factor value: 5.181 | ISO 9001:2008 Certified Journal | Page 908