Implementation of a Prototype to Secure Web Applications from SQL Injection and Cross Site Scripting Attacks Using an Intelligent Pattern Matching Approach
GRADUATE PROJECT REPORT
Submitted to the Faculty of
the Department of Computing Sciences
Texas A&M University-Corpus Christi
Corpus Christi, Texas
In Partial Fulfillment of the Requirements for the Degree of
Master of Science in Computer Science
By
Ismail Aamir Mohammed
Fall 2016
Committee Members
Dr. Mario A. Garcia ____________________________
Committee Chairperson
Dr. David Thomas ____________________________
Committee Member
Abstract
Nowadays, due to the development of the Internet, there is a substantial increase in the use of the web, and web applications have become a significant part of everyone's life. Because of the increase in cyber-attacks, web application security has become one of the most important ongoing issues. The risk of web attacks is rising because web developers are not aware of cyber-attacks and because of loopholes in the prevailing technologies. Web applications have become the target of many attacks such as SQL injection, session management attacks, cross site scripting and broken authentication. A lot of research is going on to safeguard web applications from such malicious attacks. A few tools have also been developed to protect web applications from malicious attacks, but each of them has some specific flaws. This paper discusses an approach that addresses the flaws in the previous tools. The approach used here analyzes the validity of requests to the web applications and then generates cases for different attacks. These cases then help in differentiating the malicious and non-malicious traffic in the web applications.
TABLE OF CONTENTS
Abstract ................................................................................................................... ii
Table of Contents ................................................................................................... iii
List of Figures ..........................................................................................................v
List of Tables ........................................................................................................ vii
1. Background and Rationale ...................................................................................1
1.1 Introduction ....................................................................................................1
1.2 Literature Review ...........................................................................................2
1.3 Problems in Existing System .........................................................................3
2. Narrative ..............................................................................................................5
2.1 Problem Statement .........................................................................................5
2.2 Motivation ......................................................................................................5
2.3 Objective .......................................................................................................6
2.4 Scope ..............................................................................................................6
3. Proposed System Design......................................................................................7
3.1 Target Web Application .................................................................................8
3.2 Intelligent Pattern Matching Module .............................................................8
3.3 Unified Modelling Language .......................................................................15
4. Implementation of the Modules .........................................................................21
5. Testing and Evaluation ......................................................................................25
5.1 User Interface ...............................................................................................25
5.2 Test Case 1: Entering Malicious Script .......................................................27
5.3 Test Case 2: Malicious script to retrieve Confidential Information ............30
5.4 Test Case 3: SQLI attack to Retrieve Information .......................................33
5.5 Test Case 4: SQLI attack to Delete Table ....................................................36
5.6 Test Case 5: XSS Attack to Steal the Cookies .............................................38
5.7 Test Case 6: URL Redirection using XSS Attack .......................................41
5.8 Summary of Test Cases ...............................................................................44
5.9 Unit Test Case List.......................................................................................45
6. Conclusion and Future Enhancements ................................................................46
6.1 Conclusion ...................................................................................................46
6.2 Future work ..................................................................................................47
Bibliography ..........................................................................................................48
LIST OF FIGURES
Fig 1. System Architecture ......................................................................................7
Fig 2. Architecture Workflow ..................................................................................8
Fig 3. Intelligent Pattern Matching Module .............................................................9
Fig 4. Invalid Request Showing SQL Injection Attack .........................................11
Fig 5. Invalid Request Showing XSS attack ..........................................................12
Fig 6. Examples of Regular Expressions ...............................................................13
Fig 7. Rules Stored in the Database .......................................................................14
Fig 8. Use Case Diagram for the Pattern Matching Module ..................................16
Fig 9. Use Case Diagram for Filtering on Target Application ..............................17
Fig 10: Class Diagram for the Pattern Matching Module ......................................19
Fig 11: Class Diagram for Filtering on Target Application ...................................20
Fig 12: Code Snippet for My Filter Class ..............................................................21
Fig 13: Code Snippet for Typesafe Request ..........................................................22
Fig 14: Log Table with its Different Columns .......................................................22
Fig 15: Table for List Analyzer .............................................................................23
Fig 16: Code Snippet for Process log info .............................................................24
Fig 17: Regular Expressions for SQLI Attacks .....................................................24
Fig 18: Scenario for Invalid Username or Password .............................................26
Fig 19: Scenario after Logging in to Application ..................................................26
Fig 20: Scenario where User Enters Malicious Script ...........................................27
Fig 21: Scenario where Script Starts Executing ....................................................28
Fig 22: Scenario where Log ID is Set to Vulnerable .............................................29
Fig 23: Scenario where IP address is set to Block in Database .............................29
Fig 24: Error Page ..................................................................................................30
Fig 25: Scenario of XSS Attack to Retrieve Information ......................................31
Fig 26: Scenario where Attacker Retrieves the Information .................................31
Fig 27: Scenario where the Log ID is Set to Vulnerable .......................................32
Fig 28: Scenario where the IP Address is Set to Blocked ......................................33
Fig 29: Scenario of SQLI attack ............................................................................34
Fig 30: Scenario where the Log ID is Set to Vulnerable .......................................35
Fig 31: Scenario where the IP address is Set to Blocked .......................................35
Fig 32: Another scenario of SQLI Attack ..............................................................36
Fig 33: Scenario where the Log Id is Set to Vulnerable ........................................37
Fig 34: Scenario where the IP Address is Set to Blocked ......................................37
Fig 35: XSS Attack to Steal the Cookies ...............................................................38
Fig 36: XSS Attack Showing Current Session Value ............................................39
Fig 37: Scenario where the Log ID is set to Vulnerable ........................................40
Fig 38: Scenario IP Address of Attacker is Blocked .............................................40
Fig 39: URL Redirection using XSS Attack ..........................................................41
Fig 40: Scenario after URL Redirection Attack ....................................................42
Fig 41: Scenario where the Log ID is set to Vulnerable ........................................43
Fig 42: Scenario IP Address of Attacker is Blocked .............................................43
LIST OF TABLES
Table 1: Access log header information ................................................................10
Table 2: Summary of the Test Cases .....................................................................44
Table 3: Scenario to Test Pattern Matching Module .............................................45
1. Background and Rationale
1.1 Introduction
The increase in usage of web based applications has made it mandatory to secure them from a plethora of attacks. The web application layer is one of the main layers targeted by these attacks. The most important reason for these kinds of attacks is flaws in the existing technologies and a lack of understanding about security among web application developers. Recent studies show that more than 70% of attacks happen in the payment card industry and, also, that more than 50% of authentic data is exposed to attackers from organizations that use shared credentials [5]. Based on these figures, web security should be the most important consideration while developing a web application.
The two main techniques that are widely used are the default deny model and the default allow model. The default allow model maintains a list of exploits, so whenever traffic passes through the application gateway it is compared with the list, and if any of the input matches the content in the list, it is considered malicious and blocked [1][6].
The default deny model, on the other hand, maintains a white list which contains all the legitimate values that are considered non-malicious for the web application. These legitimate values are obtained from the user input of several web applications. So, whenever there is an input to the web application, it is compared to the values in the list. If the input matches the values in the white list, it is considered legitimate and allowed to enter. If it does not match the values in the white list, it is considered malicious [1] [6]. Many issues were faced with manual maintenance of the list of cases used in the default allow model and the default deny model. In the proposed technique, an intelligent pattern matching approach is introduced which addresses the issues faced in maintaining a list.
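The two models above, as an added Python example that is not code from the report or its prototype: a default allow check that lets a request parameter through unless it matches a constructed exploit-signature list, beside a default deny check that only accepts values matching a per-field legitimate shape. The field names, signatures, shapes and sample inputs are all constructed for this illustration.

```python
import re

# Default allow model (blacklist): a value passes unless it matches a known exploit
# signature. This signature list is constructed for the example and deliberately
# small, which is exactly the list-maintenance problem the text describes.
EXPLOIT_SIGNATURES = [
    re.compile(r"<\s*script\b", re.IGNORECASE),           # inline script tag (XSS)
    re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),  # quoted tautology (SQLi)
    re.compile(r";\s*drop\s+table\b", re.IGNORECASE),     # stacked DROP TABLE (SQLi)
]


def default_allow(value: str) -> bool:
    """Blacklist check: True means the input is let through."""
    return not any(sig.search(value) for sig in EXPLOIT_SIGNATURES)


# Default deny model (whitelist): a value passes only if it fully matches the legit
# shape recorded for its field. Field names and shapes are assumptions for the example.
LEGIT_SHAPES = {
    "username": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
    "zip": re.compile(r"[0-9]{5}"),
}


def default_deny(field: str, value: str) -> bool:
    """Whitelist check: True only when the field has a shape and the whole value matches it."""
    shape = LEGIT_SHAPES.get(field)
    return shape is not None and shape.fullmatch(value) is not None


def compare(field: str, value: str) -> dict:
    """Run both models on one request parameter so their verdicts can be compared."""
    return {"default_allow": default_allow(value), "default_deny": default_deny(field, value)}


# Constructed request parameters: one tautology variant that is absent from the
# signature list (slips past default allow) and one legitimate but unusual username
# (rejected by default deny, a false positive the whitelist would need extending for).
SAMPLES = [
    ("username", "alice_01"),
    ("username", "' OR 1=1 --"),
    ("username", "<script>alert(1)</script>"),
    ("username", "Zoë"),
    ("zip", "78412"),
    ("zip", "1; DROP TABLE users"),
]

if __name__ == "__main__":
    for field, value in SAMPLES:
        print(f"{field:9} {value!r:32} {compare(field, value)}")
```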
1.2 Literature Review
Various techniques have been proposed to address attacks on web applications, but each existing technique has its own flaws. A model has been proposed by C.M. Frenz et al. to detect cross site scripting attacks in web applications [9]. In this paper, the authors make use of regular expressions to detect malicious attacks in web applications. This approach was not found to be robust, as it only works for simple web applications [9].
Lwin Khin Shar et al. have proposed a technique which uses two phases to detect XSS attacks in web applications [10]. In the first phase, a taint-based analysis approach is used which produces an HTML document showing the flow of user data. In the next phase, data dependency and pattern matching are analyzed to prevent injection into the code through cross site scripting. Again, this technique only focuses on prevention of one type of attack.
A.M. Chandrasekhar et al. [11] have combined K-means, fuzzy neural networks and support vector machine classifier techniques to implement a web attack detection mechanism. In this mechanism, the K-means algorithm is used to cluster the input dataset into K clusters which are then trained using fuzzy logic. Each data item is passed through a fuzzy classifier which then generates vectors. Then classification is done using a support vector machine, which helps in the detection of web attacks.
In [14], Zhang et al. have proposed a technique which uses a taint analysis approach to detect SQL injection and cross site scripting attacks in web applications. This approach makes use of a flow graph to detect sink and source points in the data flow. It then taints the data in the source code if the data is coming from an insecure source and targeting a sensitive sink. The main drawback of this approach is that it has a high false positive rate [14].
Sharma et al. [15] have presented an integrated approach which makes use of two modes, called production mode and safe mode, to detect cross site scripting and SQL injection attacks in web applications. The main drawback of this technique is that it is not able to detect vulnerabilities in more dynamic and complex applications [15].
1.3 Problems in Existing System
The most important issue was to update and maintain the list of attacks. Since the list of attacks is specific to each web application, the list has to be modified for different types of applications. It also requires continuous development due to the increasing number of attacks every day [7].
Maintenance of the list of attacks is also a time consuming task. Big applications like business applications have lots of user inputs, so it will be more time