以SQL語句剖析結合剖面技術設計實作資料隱碼攻擊之防禦工具 / An Anti-SQLIA tool based on SQL parsing and aspect technology

王瑛瑛, Wang, Ying Ying

Unknown Date

資料隱碼攻擊（SQLIA）是一種Web應用程式弱點，這個弱點為Web客戶端輸入值隱藏攻擊字串而改變了動態產生的SQL語句結構。根據OWASP(Open Web Application Security Project）2010年的網站風險評鑑報告，資料隱碼攻擊被列為最嚴重的Web應用程式風險。資料隱碼攻擊的弱點可能讓攻擊者能夠直接存取資料庫，導致敏感性資料遭到修改或竊取，有經驗的攻擊者，甚至可以利用一個資料隱碼攻擊的漏洞，而接管整個應用系統。 在本篇論文中，我們基於資料隱碼攻擊的原理實作一個自動化的防禦工具。我們的工具以SQL語句剖析結合剖面技術實作，利用窮舉法，動態分析及動態監控應用程式所執行的SQL語句，毋須開發者學習新的程式寫法或修改應用程式，即能將防禦機制套用於應用程式(原始碼及中間碼)，並透過使用者介面設定可動態調整防禦監控的範圍，提供一個有效保護WEB應用程式的資料隱碼攻擊防禦機制。 / SQL injection attack (SQLIA) is a type of attack on web applications that exploits the fact that input provided by web clients may be directly included in the dynamically generated SQL statements. According to the WASP Foundation, injection attacks, particularly SQL injection, were the most serious web application vulnerability type in 2010. By using SQLIA, an attacker may directly access the database underlying a web application and modify or expose sensitive information. A proficient attacker can even use an SQLIA to completely compromise the host system. In this thesis, we study SQL injection attacks and develop a fully automated, configurable tool for protecting web applications against SQLIA. Our tool uses a heuristic method that combines runtime learning and runtime monitoring of valid/legal SQL statements, by parsing them to calculate and verify MD5 represented patterns (called SQL fingerprints) respectively, and is implemented in Java and AspectJ in order to achieve the goal that requires no training of developers and no modification of the legacy applications. Our evaluation results have shown this tool to be highly effective at protecting web applications from all types of SQL injection attacks.

剖面導向程式設計

剖面

資料隱碼攻擊

AOP

Aspect

SQLIA

A pattern-driven corpus to predictive analytics in mitigating SQL injection attack

Uwagbole, Solomon

January 2018

The back-end database provides accessible and structured storage for each web application's big data internet web traffic exchanges stemming from cloud-hosted web applications to the Internet of Things (IoT) smart devices in emerging computing. Structured Query Language Injection Attack (SQLIA) remains an intruder's exploit of choice to steal confidential information from the database of vulnerable front-end web applications with potentially damaging security ramifications. Existing solutions to SQLIA still follows the on-premise web applications server hosting concept which were primarily developed before the recent challenges of the big data mining and as such lack the functionality and ability to cope with new attack signatures concealed in a large volume of web requests. Also, most organisations' databases and services infrastructure no longer reside on-premise as internet cloud-hosted applications and services are increasingly used which limit existing Structured Query Language Injection (SQLI) detection and prevention approaches that rely on source code scanning. A bio-inspired approach such as Machine Learning (ML) predictive analytics provides functional and scalable mining for big data in the detection and prevention of SQLI in intercepting large volumes of web requests. Unfortunately, lack of availability of robust ready-made data set with patterns and historical data items to train a classifier are issues well known in SQLIA research applying ML in the field of Artificial Intelligence (AI). The purpose-built competition-driven test case data sets are antiquated and not pattern-driven to train a classifier for real-world application. Also, the web application types are so diverse to have an all-purpose generic data set for ML SQLIA mitigation. This thesis addresses the lack of pattern-driven data set by deriving one to predict SQLIA of any size and proposing a technique to obtain a data set on the fly and break the circle of relying on few outdated competitions-driven data sets which exist are not meant to benchmark real-world SQLIA mitigation. The thesis in its contributions derived pattern-driven data set of related member strings that are used in training a supervised learning model with validation through Receiver Operating Characteristic (ROC) curve and Confusion Matrix (CM) with results of low false positives and negatives. We further the evaluations with cross-validation to have obtained a low variance in accuracy that indicates of a successful trained model using the derived pattern-driven data set capable of generalisation of unknown data in the real-world with reduced biases. Also, we demonstrated a proof of concept with a test application by implementing an ML Predictive Analytics to SQLIA detection and prevention using this pattern-driven data set in a test web application. We observed in the experiments carried out in the course of this thesis, a data set of related member strings can be generated from a web expected input data and SQL tokens, including known SQLI signatures. The data set extraction ontology proposed in this thesis for applied ML in SQLIA mitigation in the context of emerging computing of big data internet, and cloud-hosted services set our proposal apart from existing approaches that were mostly on-premise source code scanning and queries structure comparisons of some sort.