A combined approach of fine Role-Based Access Control and dynamic/static parse tree comparison to mediate SQL Injection Attacks within a selected West African case system and context

2020
Author(s): Evans Dogbe

Business legacy systems, when migrated to the Web, often face an increased risk of Structured Query Language (SQL) injection attacks; the risk is compounded when such a system lacks proper security mechanisms and security training for its staff. This study seeks to determine how the researcher's new theory of amalgamating two established defence techniques, namely fine-grained Role-Based Access Control (RBAC) and static/dynamic parse tree comparison, can be combined into a single centralized defence that effectively mitigates SQL injection attacks in a web-based environment, using a selected recently migrated legacy system as an exemplar. The proposed defence first redefines the existing RBAC security as a fine-grained RBAC, which acts as the first tier of defence. Those queries, legitimate or not, that pass through the first tier are analysed by a second tier that performs a static and dynamic parse tree analysis and comparison of the queries in order to distinguish legitimate queries from illegitimate ones. During the study it was found that the basic RBAC of the control system and the fine-grained RBAC could each mitigate only a fraction of the selected test cases, and thereby generated a number of false positives but no false negatives. Those false positives were, however, successfully identified and mitigated by the second tier of static/dynamic parse tree comparison. Performance was therefore measured using precision, recall and f-measure in three cases: the basic RBAC defence of the control, with 31% precision, 100% recall and an f-measure of 32%; fine-grained RBAC without dynamic parse tree comparison, with 54% precision, 100% recall and an f-measure of 54%; and the hybrid defence of fine-grained RBAC and dynamic parse tree comparison, with 100% precision, 100% recall and an f-measure of 100% on the test cases used in repeated experimentation.
However, extensive real-world testing might expose weaknesses not observed during experimentation, and such testing is the recommendation of the study. The entire approach is centralized in a security aspect so that it can easily be incorporated into vulnerable legacy systems newly migrated to the Web, requiring minimal training of security staff for deployment. The hybrid was then tested using a case sample system that represents the West African context of inadequate security mechanisms and poor staff training. Standard test cases were used to test each defence tier in the hybrid as well as the individual tiers. This testing detected and halted illegitimate SQL queries and demonstrated this aspect's effectiveness and suitability for the West African context.
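As an added illustration of the two-tier defence this abstract describes (example code written for this page, not the study's own implementation): tier 1 is a constructed fine-grained RBAC policy mapping roles to permitted verb/table pairs, and tier 2 reduces both the developer's static query template (with `?` marking where a literal is intended) and the runtime query to a literal-free token structure, rejecting any query whose structure differs. Role names, table names, the policy and the queries are all assumptions.

```python
import re

# Added example, not code from any paper listed on this page. Tier 1: role -> permitted
# verb/table pairs. Tier 2: compare the token structure of the runtime query with the
# developer's static template, where '?' marks a literal. Policy and queries are constructed.
TOKEN_RE = re.compile(r"""\s+|(?P<comment>--[^\n]*|/\*.*?\*/)
    |(?P<string>'(?:[^']|'')*')|(?P<number>\d+(?:\.\d+)?)|(?P<param>\?)
    |(?P<word>[A-Za-z_][A-Za-z0-9_]*)|(?P<op><=|>=|<>|!=|[=<>*,();.+\-])|(?P<other>\S)""",
    re.VERBOSE | re.DOTALL)
LITERAL = {"string", "number", "param"}
VERBS = {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP"}
TABLE_INTRODUCERS = {"FROM", "JOIN", "UPDATE", "INTO", "TABLE"}
POLICY = {  # constructed policy: which statement verbs a role may run on which tables
    "teller": {("SELECT", "ACCOUNTS"), ("UPDATE", "ACCOUNTS")},
    "auditor": {("SELECT", "ACCOUNTS"), ("SELECT", "AUDIT_LOG")},
}

def structure(sql):
    """Reduce SQL to its literal-free shape: literals collapse to LIT, comments stay visible."""
    shape = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind is None:                      # whitespace
            continue
        shape.append("LIT" if kind in LITERAL else
                     "COMMENT" if kind == "comment" else m.group().upper())
    return tuple(shape)

def rbac_allows(role, shape):
    """Tier 1: every verb must be granted on every table named (conservative by design)."""
    verbs = {t for t in shape if t in VERBS}
    tables = {shape[i + 1] for i, t in enumerate(shape[:-1]) if t in TABLE_INTRODUCERS}
    allowed = POLICY.get(role, set())
    return all((v, tb) in allowed for v in verbs for tb in tables)

def mediate(role, template, runtime_sql):
    """Run tier 1 then tier 2; return (allowed, reason)."""
    shape = structure(runtime_sql)
    if not rbac_allows(role, shape):
        return False, "tier1: role may not run this verb on this table"
    if shape != structure(template):
        return False, "tier2: query structure differs from the static template"
    return True, "ok"

TEMPLATE = "SELECT name, balance FROM accounts WHERE owner = ? AND id = ?"

def legacy_query(owner, account_id):
    """Constructed legacy-style query built by string concatenation (the weakness guarded)."""
    return f"SELECT name, balance FROM accounts WHERE owner = '{owner}' AND id = {account_id}"
```

A tautology or comment in the `owner` field changes the token shape and is stopped at tier 2, while a stacked `DROP` fails the role check at tier 1 before any structural comparison is needed.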

2010
Vol 1 (1), pp. 20-40
Author(s): San-Tsai Sun, Konstantin Beznosov

This article presents an approach for retrofitting existing Web applications with run-time protection against known, as well as unseen, SQL injection attacks (SQLIAs) without the involvement of application developers. The precision of the approach is also enhanced with a method for reducing the rate of false positives in the SQLIA detection logic, via runtime discovery of the developers’ intention for individual SQL statements made by Web applications. The proposed approach is implemented in the form of protection mechanisms for J2EE, ASP.NET, and ASP applications. Named SQLPrevent, these mechanisms intercept HTTP requests and SQL statements, mark and track parameter values originating from HTTP requests, and perform SQLIA detection and prevention on the intercepted SQL statements. The AMNESIA testbed is extended to contain false-positive testing traces, and is used to evaluate SQLPrevent. In our experiments, SQLPrevent produced no false positives or false negatives, and imposed a maximum 3.6% performance overhead with 30 milliseconds response time for the tested applications.


Author(s): Kasra Amirtahmasebi, Seyed Reza Jalalinia

Due to the huge growth in the need for Web applications worldwide, programmers have made huge efforts to develop and implement new Web applications for use by companies. Since a number of these applications lack proper security considerations, malicious users are able to gain unauthorized access to the confidential information of organizations. The SQL Injection Attack (SQLIA) is a prevalent method used by attackers to extract confidential information from organizations' databases. Such attacks work by injecting malicious SQL code through the web application, causing unexpected behaviour from the database. There are a number of SQL injection detection/prevention techniques that must be used in order to prevent unauthorized access to databases.

