Database Intrusion Detection in Web Applications

Slides:



Advertisements
Similar presentations
Understand Database Security Concepts
Advertisements

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Security Issues and Challenges in Cloud Computing
Barracuda Web Application Firewall
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
SQL Injection and Buffer overflow
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Department Of Computer Engineering
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
SQL INJECTION COUNTERMEASURES &
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
A Framework for Automated Web Application Security Evaluation
BUSINESS B1 Information Security.
Preventing SQL Injection Attacks in Stored Procedures Alex Hertz Chris Daiello CAP6135Dr. Cliff Zou University of Central Florida March 19, 2009.
AMNESIA: Analysis and Monitoring for NEutralizing SQL- Injection Attacks Published by Wiliam Halfond and Alessandro Orso Presented by El Shibani Omar CS691.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Attacking Applications: SQL Injection & Buffer Overflows.
SEC835 Practical aspects of security implementation Part 1.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
Security Vulnerabilities and Their Impact upon Poirot Jun Lin Supervised by Dr. Jane Huang.
Copyright © 2013 Curt Hill Database Security An Overview with some SQL.
 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.
Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Sumanth M Ganesh B CPSC 620.  SQL Injection attacks allow a malicious individual to execute arbitrary SQL code on your server  The attack could involve.
ITGS Databases.
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
COMP9321 Web Application Engineering Semester 2, 2015 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 1COMP9321, 15s2, Week.
Database Security Lesson Introduction ●Understand the importance of securing data stored in databases ●Learn how the structured nature of data in databases.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN Section A – TR 9:30-10:45 CRN – Section B – TR 5:30-6:45.
Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.
Secure Authentication. SQL Injection Many web developers are unaware of how SQL queries can be tampered with SQL queries are able to circumvent access.
INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.
SQL INJECTION Lecturer: A.Prof.Dr. DANG TRAN KHANH Student :Le Nguyen Truong Giang.
SQL Injection Attacks S Vinay Kumar, 07012D0506. Outline SQL Injection ? Classification of Attacks Attack Techniques Prevention Techniques Conclusion.
DOWeR Detecting Outliers in Web Service Requests Master’s Presentation of Christian Blass.
Introduction SQL Injection is a very old security attack. It first came into existence in the early 1990's ex: ”Hackers” movie hero does SQL Injection.
SQL INJECTION Diwakar Kumar Dinkar M.Tech, CS&E Roll Diwakar Kumar Dinkar M.Tech, CS&E Roll
Cosc 5/4765 Database security. Database Databases have moved from internal use only to externally accessible. –Organizations store vast quantities of.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Database and Cloud Security
SQL Injection.
Database System Implementation CSE 507
Module: Software Engineering of Web Applications
Web Application Protection Against Hackers and Vulnerabilities
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Chapter 7: Identifying Advanced Attacks
World Wide Web policy.
Secure Software Confidentiality Integrity Data Security Authentication
Theodore Lawson CSCE548 Student Presentation, Topic #2
SQL INJECTION ATTACKS.
SQL Injection Attacks Many web servers have backing databases
A Security Review Process for Existing Software Applications
PHP: Security issues FdSc Module 109 Server side scripting and
Lecture 2 - SQL Injection
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Exploring DOM-Based Cross Site Attacks
Anomalous Database Transaction Detection
Presentation transcript:

Database Intrusion Detection in Web Applications Matt Heightland CSCE 824 Section J60

Web-Based Application Security Risks Top 10 List produced by OWASP (Open Web Application Security Project) Threats include Injection Broken Authentication XML External Entities (XXE) Cross-Site Scripting

Web-Based Application Vulnerabilities According to the OWASP Top Ten Most Critical Web Application Security Risks, injection attacks are the number one security risk facing web applications. Injection vulnerabilities can be found in: SQL LDAP XML Parsers SMTP Headers Etc. Since this is a very broad topic, I will be looking into SQL Injection Attacks

Relevance? Two individuals were just sentenced in the UK related to the TalkTalk telcom data breach [3] This breach used SQL injection attacks to obtain personal information for over 157,000 customers Company reports that it cost them £77m (~$100.7 million) One of largest ever credit card disclosure breaches, Heartland Payment Systems, was possible, in part, by SQL injection vulnerabilities [4] Attack affected around 130 million customers and was reported to have cost the affected companies over $300 million

Types of SQL Injection Attacks Eight different types of attacks (depending on the author) Tautologies Used to bypass authentication, identify injectable parameters, and/or to extract data Attacks use a WHERE clause condition which always evaluates to true Example: Web Application uses the following SQL statement for authentication: SELECT Profile FROM Accounts WHERE username = ‘id_input’ AND password = ‘passwd_input’; A malicious party could enter ‘ or 1=1;-- as either the username or password field This will result in the following query: SELECT Profile FROM Accounts WHERE username = ‘Matt’ AND password = ‘’ OR 1=1; --

Types of SQL Injection Attacks Logically Incorrect Queries Used to identify injectable parameters, perform database fingerprinting, and extract data from a database Attacks include causing invalid conversions, incorrect logic, or by using an AND operator to perform incorrect queries Piggy-Backed Queries Used to extract data, modify data, perform Denial of Service (DoS) attacks, and/or execute remote commands on a database Takes advantage of the fact that a database has been misconfigured to allow multiple statements to be executed in one query

Types of SQL Injection Attacks Union Queries Used to bypass authentication or extract data by merging two separate SQL SELECT statements in to a single UNION SELECT Allows the malicious party to obtain more data from the database than what was originally intended by the application developer Stored Procedures Used to escalate privilege, conduct DoS attacks, and to run remote commands

Types of SQL Injection Attacks Inference Blind Attacks Used to force a database to throw an error by asking true-false questions Gives an attacker inside knowledge of how the database is configured based on its response Inference Timing Attacks Conducted by inserting a time delay into a query, in order to determine the difference between a true or false answer from a database Alternate Encoding Attempts to hide their injected commands by encoding their input with ASCII, hexadecimal, or Unicode character encodings

Little Bobby Tables Source: https://xkcd.com/327/

Intrusion Detection Systems (IDS) and Machine Learning Use machine learning techniques to discern between legitimate SQL queries and malicious SQL injection attacks Can determine the type of attack and the appropriate action to take based on the type of SQL injection attacks described above

Machine Learning IDS Naghmeh Moradpoor Sheykhkanloo. 2015. SQL-IDS: evaluation of SQLi attack detection and classification based on machine learning techniques. In Proceedings of the 8th International Conference on Security of Information and Networks (SIN '15). ACM, New York, NY, USA, 258-266. DOI: https://doi.org/10.1145/2799979.2800011 Defines signatures for each type of attack Used during the machine learning ‘teaching’ phase

Machine Learning IDS Yong Fang, Jiayi Peng, Liang Liu, and Cheng Huang. 2018. WOVSQLI: Detection of SQL Injection Behaviors Using Word Vector and LSTM. In Proceedings of the 2nd International Conference on Cryptography, Security and Privacy (ICCSP 2018). ACM, New York, NY, USA, 170-174. DOI: https://doi.org/10.1145/3199478.3199503 Uses tokenization and Long Short-Term Memory neural networks in order to detect malicious SQL queries

Machine Learning IDS William G. J. Halfond and Alessandro Orso. 2006. Preventing SQL injection attacks using AMNESIA. In Proceedings of the 28th international conference on Software engineering (ICSE '06). ACM, New York, NY, USA, 795-798. DOI: https://doi.org/10.1145/1134285.1134416 Code-based approach by determining statistically likely queries that can be generated by an application and comparing it with real-time queries

Anomalous Queries on Relation Databases Mohammad Saiful Islam, Mehmet Kuzu, and Murat Kantarcioglu. 2015. A Dynamic Approach to Detect Anomalous Queries on Relational Databases. In Proceedings of the 5th ACM Conference on Data and Application Security and Privacy (CODASPY '15). ACM, New York, NY, USA, 245-252. DOI: https://doi.org/10.1145/2699026.2699120 Uses access control mechanisms already present in some Database Management Systems (DBMS) Each attribute in a database is given a ‘sensitivity score’ based on the level of protection of the data

Anomalous Queries on Relation Databases Each query result will be given an overall sensitivity score based on a combination of each individual attribute’s score Hidden Markov Models (HMM) are trained with clean query sensitivity scores that represent normal user behavior During the detection phase, each query is assigned an anomaly score from the HMM depending on the sensitivity score Queries with a higher sensitivity score are more likely to be SQL injection attacks than queries that are after less sensitive data

Anomalous Queries on Relation Databases Authors also assume that the underlying Relational Database Management System (RDBMS) has Role Based Access Control (RBAC) in place Roles are used to build usage profiles that are used within the intrusion detection system HMM is trained with respect to each role for a given valid query set For each query set and role, the sensitivity score is calculated and a ‘role threshold’ is created Role threshold is used to help determine whether a query is appropriate for the role of the user running the query If it is not appropriate, it is flagged as an anomaly

Solutions Integrate security into the early stages of the Software Development Lifecycle Sanitize Inputs Escape special characters Use of a safe API that avoids the interpreter or a provides parametrized interface Use LIMIT commands within SQL to limit mass disclosure What about legacy applications?

Extension of Investigated Work Investigate machine learning-based intrusion detection systems combined with access control mechanisms Queries can be flagged by a suitable intrusion detection system (similar to those mentioned above), and an appropriate de-elevation of access rights can be conducted for the account conducting the SQL query

Extension of Investigated Work Example: A user attempts to drop a table, in an area of code that is not intended to have that feature, their security level will be changed such that they will no longer be able to modify any database entries Example: An SQL injection attack is attempted at login. The machine learning-based IDS detects the attack, and prevents the user’s session from ever authenticating by not allowing the session to run queries on the database.

References (not mentioned above) [1] OWASP. Open Web Application Security Project. OWASP Top 10 – 2017 The Ten Most Critical Web Application Security Risks. Retrieved February 21, 2019. https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf [2] Navdeep Kaur and Parminder Kaur. 2014. Mitigation of SQL Injection Attacks using Threat Modeling. SIGSOFT Softw. Eng. Notes 39, 6 (December 2014), 1-6. DOI: http://dx.doi.org/10.1145/2674632.2674638 [3] TalkTalk hack attack: Friends jailed for cyber-crimes. November 19, 2018. Retrieved March 31, 2019 from https://www.bbc.com/news/uk-england-stoke- staffordshire-46264327 [4] Hackers sentenced for SQL injection that cost $300 million. February 19, 2018. Retrieved March 31, 2019 from https://nakedsecurity.sophos.com/2018/02/19/hackers-sentenced-for-sql- injections-that-cost-300-million/