01-04-2010, 08:54 PM
Presented By:
R. Ezumalai, G. Aghila
Department of Computer Science, Pondicherry University
I. INTRODUCTION
In today's web era, organizations are expected to concentrate more on web application security. Protecting their precious data against malicious access or corruption is the major challenge faced by every organization. Generally, program developers show keener interest in developing applications for usability than in incorporating security policy rules. Input validation becomes a security issue if an attacker finds that an application makes unfounded assumptions about the type, length, format, or range of input data. The attacker can then supply malicious input that compromises the application. When network and host level entry points are fully secured, the public interfaces exposed by an application become the only source of attack. Cross site scripting attacks, SQL Injection attacks and Buffer Overflows are the major threats to web application security arising from these input validation issues. SQL Injection attacks in particular breach database mechanisms such as Integration, Authentication, Availability and Authorization. Since 2002, nearly 50% of total cyber vulnerabilities were input validation vulnerabilities.
Since 2002, 20% of the input validation issues are SQL Injection vulnerabilities (SQLIVs) and, therefore, 10% of total cyber vulnerabilities since 2002. An SQL injection attack involves placing SQL statements in the user input in order to corrupt or access the database. SQL Injection attacks can even bypass security mechanisms such as firewalls, cryptography and traditional intrusion detection systems. If the trend of providing web-based services continues, the prevalence of SQLIVs is likely to increase.
The most worrying aspect of SQL Injection attacks is that they are very easy to perform, even when the developers of the application are well aware of this type of attack. The basic idea behind the attack is that the malicious user counterfeits the data that a web application sends to the database, aiming at the modification of the SQL query that will be executed by the DBMS software. Input validation issues can allow attackers to gain complete access to such databases. Technologies vulnerable to SQL Injection attacks are dynamic scripting languages like ASP, ASP.NET, PHP, JSP, CGI, etc. In addition, all types of databases have been severely vulnerable to such SQL Injection attacks.
Researchers have proposed different techniques to provide a solution for SQLIAs (SQL Injection attacks), but many of these solutions have limitations that affect their effectiveness and practicality. Researchers have indicated that the solution to these types of attacks may be based on defensive coding practices. But this is not efficient, for three reasons. First, it is very hard to bring about a rigorous defensive coding discipline. Second, many solutions based on defensive coding address only a subset of the possible attacks. Third, legacy software poses a particularly difficult problem because of the cost and complexity of retrofitting existing code so that it is compliant with defensive coding practices. In this work, an attempt has been made to increase the efficiency of the above techniques by a combinatorial approach for protecting web applications against SQL Injection attacks.
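The counterfeited-input mechanism described above (input that changes the structure of the query the DBMS executes) and the defensive-coding remedy the paper refers to, as an added Python example that is not code from the paper; the in-memory SQLite table, the `users` schema and the sample rows are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample database (not from the paper): an in-memory
    # SQLite table standing in for a web application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, user, pw):
    # The defect under discussion: user input is spliced into the SQL
    # text, so the input can alter the structure of the query that the
    # DBMS runs, not just the values it compares against.
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{user}' AND password = '{pw}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, user, pw):
    # Defensive coding: the query structure is fixed at development time
    # and the input is bound as data, so it can never become SQL syntax.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, pw))]


# Constructed sample of the counterfeited input the paper describes:
# a tautology that, when spliced into the query text, makes the
# WHERE clause true for every row.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", login_vulnerable(db, "x", TAUTOLOGY))
    print("parameterized, tautology:", login_parameterized(db, "x", TAUTOLOGY))
```

With the same counterfeit input, the concatenated query returns every user while the parameterized query returns nothing, which is the property a defensive-coding discipline has to enforce across all of an application's queries.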
The remainder of the paper is organized as follows: Section 2 contains background and related work; Section 3 describes our proposed approach; Section 4 describes the conclusion and future work.
Read the full report:
http://ieeexplore.ieeexpl/freeabs_all.js...er=4809188
and please read the related documents:
http://ethesis.nitrkl.ac1504/1/thesis_to_upload.pdf
http://eurojournalsejsr_38_4_11.pdf