30-05-2010, 11:30 PM
PREVENTION OF SQL INJECTION AND DATA THEFTS USING DIVIDE AND CONQUER APPROACH
Domain : Security
Presented By:
S.Sivarama Krishnan
S.Manikandan
R.Senthil vason
Abstract
SQL injection gives a malicious user full, unrestricted access, so attackers can easily enter the application.
The signature-based method has a drawback: the time taken to check signatures is very high.
SQL injection accesses the application only by using special characters.
Introduction
Sql Injection:
SQL injection is an injection attack that exploits a security vulnerability occurring in the database layer of an application.
Divide and Conquer:
A divide and conquer approach works by recursively breaking down a problem into two or more sub-problems of the same (or related) type, until these become simple enough to be solved directly. The solutions to the sub-problems are then combined to give a solution to the original problem.
Hirschberg algorithm
Some SQL injection examples
The standard SQL query format is:
Select * from table where UserName='ram' and Password='ravi';
A malicious user injects the following SQL injection into these fields:
UserName : ram
Password : anything' or '1'='1
Select * from table where UserName='ram' and Password='anything' or '1'='1';
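The query above, as an added example that is not part of the presentation: the slide's concatenated query is reproduced against a constructed in-memory SQLite table (the table name `users` and the two functions are assumptions for this example), beside the parameterized form the proposed system is meant to protect. With concatenation the injected quote closes the string and the tautology `'1'='1'` makes the WHERE clause always true; with parameters the same input is sent as data and the login fails.

```python
import sqlite3

# Constructed demo database holding the slide's sample user; not from the presentation.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO users VALUES ('ram', 'ravi')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """Builds the query by string concatenation, exactly like the slide's example.
    Quote characters in the input become SQL syntax, so the password
    anything' or '1'='1 turns the WHERE clause into one that is always true."""
    query = (f"SELECT * FROM users WHERE UserName='{username}' "
             f"AND Password='{password}'")
    return len(conn.execute(query).fetchall()) > 0

def login_param(conn, username, password):
    """Uses a parameterized query: the driver transmits the values separately
    from the SQL text, so special characters in the input are never parsed
    as part of the statement."""
    query = "SELECT * FROM users WHERE UserName=? AND Password=?"
    return len(conn.execute(query, (username, password)).fetchall()) > 0

if __name__ == "__main__":
    db = make_db()
    injected = "anything' or '1'='1"
    print("concat, injected password:", login_concat(db, "ram", injected))  # True: bypass
    print("param,  injected password:", login_param(db, "ram", injected))   # False: rejected
    print("param,  real password:    ", login_param(db, "ram", "ravi"))     # True
```

The parameterized version is the standard defensive-coding fix the Existing System slide refers to; the keyword-comparison approach described later in the presentation sits in front of the query as an additional filter rather than replacing this.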
Existing System
SQL injection attacks were previously prevented using the signature-based method.
Its drawback is time complexity.
Next, defensive coding practices were used, but they are not very efficient because of their cost and complexity.
Proposed System
This approach is used to prevent SQL injection attacks.
SQL injection accesses the application only by using special characters.
So in our approach the special characters are avoided entirely.
Modules
Monitoring Module
Analyzing Module
Preventing Module
Our approach
Monitoring module :
It gets the input from the web application and sends it to the analysis module. If the analysis module finds any suspicious activity, it sends an error message and blocks the further transaction.
SPECIFICATION :
The specification comprises the predefined keywords and sends them to the analysis module for comparison. This module holds all the predefined keywords, which are stored in the database.
ANALYSIS MODULE :
The analyzer module gets the input from the monitoring module and uses the Hirschberg algorithm matrix for string comparison.
Data Flow Diagram
Hirschberg algorithm
Time complexity : O(nm)
Space complexity : O(min(n, m))
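An added worked example, not code from the presentation, covering both the analysis module above and the Hirschberg algorithm: a linear-space longest-common-subsequence implementation (two rows of length m at a time, giving the O(min(n, m)) space bound, with the recursive split supplying the divide and conquer) and a small analyzer that scores each window of the input against a specification keyword list. The keyword list, the similarity threshold of 0.8 and the function names are assumptions made for this example; the presentation does not state them.

```python
def lcs_last_row(a, b):
    """Last row of the LCS length table for a against b, keeping only two rows
    (O(len(b)) space) instead of the full O(nm) matrix."""
    prev = [0] * (len(b) + 1)
    for ch in a:
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if ch == b[j - 1]:
                cur[j] = prev[j - 1] + 1
            else:
                cur[j] = max(prev[j], cur[j - 1])
        prev = cur
    return prev

def hirschberg(a, b):
    """Longest common subsequence of a and b by Hirschberg's divide and conquer:
    split a in half, find the split point of b that maximises the combined LCS
    length of the two halves, and recurse on the two sub-problems."""
    if len(a) == 0 or len(b) == 0:
        return ""
    if len(a) == 1:
        return a if a in b else ""
    mid = len(a) // 2
    left = lcs_last_row(a[:mid], b)                  # LCS(a[:mid], b[:k]) for every k
    right = lcs_last_row(a[mid:][::-1], b[::-1])     # LCS(a[mid:], b[k:]) via reversal
    best_k, best = 0, -1
    for k in range(len(b) + 1):
        score = left[k] + right[len(b) - k]
        if score > best:
            best, best_k = score, k
    return hirschberg(a[:mid], b[:best_k]) + hirschberg(a[mid:], b[best_k:])

# Constructed specification list standing in for the keywords stored in the database.
SUSPICIOUS_KEYWORDS = ["' or '1'='1", "union select", "drop table"]

def match_score(text, keyword):
    """Best LCS ratio between the keyword and any window of text of the same
    length, so a keyword buried inside a longer input is still found."""
    n = len(keyword)
    if len(text) <= n:
        return len(hirschberg(text, keyword)) / n
    best = 0.0
    for i in range(len(text) - n + 1):
        score = len(hirschberg(text[i:i + n], keyword)) / n
        best = max(best, score)
    return best

def analyze(user_input, keywords=SUSPICIOUS_KEYWORDS, threshold=0.8):
    """Analysis module: returns the first keyword the input closely resembles,
    or None if the input looks clean. The threshold (0.8) is an assumption."""
    text = user_input.lower()
    for kw in keywords:
        if match_score(text, kw) >= threshold:
            return kw
    return None

if __name__ == "__main__":
    print(hirschberg("AGGTAB", "GXTXAYB"))          # GTAB
    for field in ["ram", "ravi", "anything' or '1'='1"]:
        hit = analyze(field)
        print(repr(field), "->", "blocked:" + hit if hit else "allowed")
```

Using an LCS ratio rather than exact matching is what lets the comparison tolerate extra spacing or small variations in the keyword, which is the reason the presentation reaches for a string-comparison algorithm instead of a plain lookup; the trade-off is that each window costs O(nm) time, so the keyword list should stay short.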
SOFTWARE & HARDWARE REQUIREMENTS
SOFTWARE REQUIREMENTS
Java 1.5 or higher
Tomcat 5.5
MS-SqlServer
HARDWARE REQUIREMENTS
Hard disk : 40 GB
RAM : 128 MB
Processor : Pentium
Thank You