Presentation is loading. Please wait.

Presentation is loading. Please wait.

Database Intrusion Detection in Web Applications

Published byなつき とどろき Modified over 5 years ago

Similar presentations

Presentation on theme: "Database Intrusion Detection in Web Applications"— Presentation transcript:

1 Database Intrusion Detection in Web Applications
Matt Heightland CSCE 824 Section J60

2 Web-Based Application Security Risks
Top 10 List produced by OWASP (Open Web Application Security Project) Threats include Injection Broken Authentication XML External Entities (XXE) Cross-Site Scripting

3 Web-Based Application Vulnerabilities
According to the OWASP Top Ten Most Critical Web Application Security Risks, injection attacks are the number one security risk facing web applications. Injection vulnerabilities can be found in: SQL LDAP XML Parsers SMTP Headers Etc. Since this is a very broad topic, I will be looking into SQL Injection Attacks

4 Relevance? Two individuals were just sentenced in the UK related to the TalkTalk telcom data breach [3] This breach used SQL injection attacks to obtain personal information for over 157,000 customers Company reports that it cost them £77m (~$100.7 million) One of largest ever credit card disclosure breaches, Heartland Payment Systems, was possible, in part, by SQL injection vulnerabilities [4] Attack affected around 130 million customers and was reported to have cost the affected companies over $300 million

5 Types of SQL Injection Attacks
Eight different types of attacks (depending on the author) Tautologies Used to bypass authentication, identify injectable parameters, and/or to extract data Attacks use a WHERE clause condition which always evaluates to true Example: Web Application uses the following SQL statement for authentication: SELECT Profile FROM Accounts WHERE username = ‘id_input’ AND password = ‘passwd_input’; A malicious party could enter ‘ or 1=1;-- as either the username or password field This will result in the following query: SELECT Profile FROM Accounts WHERE username = ‘Matt’ AND password = ‘’ OR 1=1; --

6 Types of SQL Injection Attacks
Logically Incorrect Queries Used to identify injectable parameters, perform database fingerprinting, and extract data from a database Attacks include causing invalid conversions, incorrect logic, or by using an AND operator to perform incorrect queries Piggy-Backed Queries Used to extract data, modify data, perform Denial of Service (DoS) attacks, and/or execute remote commands on a database Takes advantage of the fact that a database has been misconfigured to allow multiple statements to be executed in one query

7 Types of SQL Injection Attacks
Union Queries Used to bypass authentication or extract data by merging two separate SQL SELECT statements in to a single UNION SELECT Allows the malicious party to obtain more data from the database than what was originally intended by the application developer Stored Procedures Used to escalate privilege, conduct DoS attacks, and to run remote commands

8 Types of SQL Injection Attacks
Inference Blind Attacks Used to force a database to throw an error by asking true-false questions Gives an attacker inside knowledge of how the database is configured based on its response Inference Timing Attacks Conducted by inserting a time delay into a query, in order to determine the difference between a true or false answer from a database Alternate Encoding Attempts to hide their injected commands by encoding their input with ASCII, hexadecimal, or Unicode character encodings

9 Little Bobby Tables Source:

10 Intrusion Detection Systems (IDS) and Machine Learning
Use machine learning techniques to discern between legitimate SQL queries and malicious SQL injection attacks Can determine the type of attack and the appropriate action to take based on the type of SQL injection attacks described above

11 Machine Learning IDS Naghmeh Moradpoor Sheykhkanloo SQL-IDS: evaluation of SQLi attack detection and classification based on machine learning techniques. In Proceedings of the 8th International Conference on Security of Information and Networks (SIN '15). ACM, New York, NY, USA, DOI: Defines signatures for each type of attack Used during the machine learning ‘teaching’ phase

12 Machine Learning IDS Yong Fang, Jiayi Peng, Liang Liu, and Cheng Huang WOVSQLI: Detection of SQL Injection Behaviors Using Word Vector and LSTM. In Proceedings of the 2nd International Conference on Cryptography, Security and Privacy (ICCSP 2018). ACM, New York, NY, USA, DOI: Uses tokenization and Long Short-Term Memory neural networks in order to detect malicious SQL queries

13 Machine Learning IDS William G. J. Halfond and Alessandro Orso Preventing SQL injection attacks using AMNESIA. In Proceedings of the 28th international conference on Software engineering (ICSE '06). ACM, New York, NY, USA, DOI: Code-based approach by determining statistically likely queries that can be generated by an application and comparing it with real-time queries

14 Anomalous Queries on Relation Databases
Mohammad Saiful Islam, Mehmet Kuzu, and Murat Kantarcioglu A Dynamic Approach to Detect Anomalous Queries on Relational Databases. In Proceedings of the 5th ACM Conference on Data and Application Security and Privacy (CODASPY '15). ACM, New York, NY, USA, DOI: Uses access control mechanisms already present in some Database Management Systems (DBMS) Each attribute in a database is given a ‘sensitivity score’ based on the level of protection of the data

15 Anomalous Queries on Relation Databases
Each query result will be given an overall sensitivity score based on a combination of each individual attribute’s score Hidden Markov Models (HMM) are trained with clean query sensitivity scores that represent normal user behavior During the detection phase, each query is assigned an anomaly score from the HMM depending on the sensitivity score Queries with a higher sensitivity score are more likely to be SQL injection attacks than queries that are after less sensitive data

16 Anomalous Queries on Relation Databases
Authors also assume that the underlying Relational Database Management System (RDBMS) has Role Based Access Control (RBAC) in place Roles are used to build usage profiles that are used within the intrusion detection system HMM is trained with respect to each role for a given valid query set For each query set and role, the sensitivity score is calculated and a ‘role threshold’ is created Role threshold is used to help determine whether a query is appropriate for the role of the user running the query If it is not appropriate, it is flagged as an anomaly

17 Solutions Integrate security into the early stages of the Software Development Lifecycle Sanitize Inputs Escape special characters Use of a safe API that avoids the interpreter or a provides parametrized interface Use LIMIT commands within SQL to limit mass disclosure What about legacy applications?

18 Extension of Investigated Work
Investigate machine learning-based intrusion detection systems combined with access control mechanisms Queries can be flagged by a suitable intrusion detection system (similar to those mentioned above), and an appropriate de-elevation of access rights can be conducted for the account conducting the SQL query

19 Extension of Investigated Work
Example: A user attempts to drop a table, in an area of code that is not intended to have that feature, their security level will be changed such that they will no longer be able to modify any database entries Example: An SQL injection attack is attempted at login. The machine learning-based IDS detects the attack, and prevents the user’s session from ever authenticating by not allowing the session to run queries on the database.

20 References (not mentioned above)
[1] OWASP. Open Web Application Security Project. OWASP Top 10 – 2017 The Ten Most Critical Web Application Security Risks. Retrieved February 21, [2] Navdeep Kaur and Parminder Kaur Mitigation of SQL Injection Attacks using Threat Modeling. SIGSOFT Softw. Eng. Notes 39, 6 (December 2014), DOI: [3] TalkTalk hack attack: Friends jailed for cyber-crimes. November 19, Retrieved March 31, 2019 from staffordshire [4] Hackers sentenced for SQL injection that cost $300 million. February 19, Retrieved March 31, 2019 from injections-that-cost-300-million/

Download ppt "Database Intrusion Detection in Web Applications"

Similar presentations

Understand Database Security Concepts

Understand Database Security Concepts
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Barracuda Web Application Firewall

Barracuda Web Application Firewall
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.

Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Department Of Computer Engineering

Department Of Computer Engineering
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
SQL INJECTION COUNTERMEASURES &

SQL INJECTION COUNTERMEASURES &
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation
BUSINESS B1 Information Security.

BUSINESS B1 Information Security.

Similar presentations

Ads by Google