My second presentation


Analysis of SQL injection
prevention using
a proxy server
By: David Rowe
Supervisor: Barry Irwin
Presentation Outline
• Introduction to the problem (SQL injection)
• Motivation for the project (example)
• Block diagram of work focus
• Current status
• Timeline
• Concluding remarks
• Questions
SQL injection
• SQL injection is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database.
• An attacker is able to insert a series of SQL statements into a 'query' by manipulating data input.
SQL injection
Example
Vulnerable web page
Example
• In ASP, a critical vulnerability is the way in which the query string is created: user input is concatenated directly into the SQL text.
• example (the vulnerable pattern, as written on the slide):
  var SQL = "select * from users where username = '" + username + "' and password = '" + password + "'";
Example
• Username: ';drop table users--
• The 'users' table will be deleted, denying access to the application for all users
Example
Query executed:
select * from users where username = '';drop table users--' and password = ''
The closing quote in the input ends the username literal, the ';' ends the select, and '--' comments out the rest of the line, so the database runs two statements:
select * from users where username = ''
drop table users
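The example below is added here and is not code from the presentation. It puts the slide's string-concatenation pattern beside a parameterized query, using Python's sqlite3 module in place of ASP: the in-memory database, the user 'alice' with password 's3cret', and the function names are all constructed for the demo. Running it shows that the slide's input becomes two statements when concatenated, while the parameterized query treats the same input as a plain string and leaves the users table in place.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with a single user so the demo runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('alice', 's3cret')")
    conn.commit()
    return conn


def build_query_by_concatenation(username, password):
    # The slide's ASP pattern, written in Python: the input is spliced into the
    # SQL text, so a quote and a ';' in the input change which statements run.
    return ("select * from users where username = '" + username +
            "' and password = '" + password + "'")


def login_parameterized(conn, username, password):
    # Hardened form: the values travel separately from the SQL text, so the
    # input can only ever be compared as a string, never parsed as SQL.
    rows = conn.execute(
        "select * from users where username = ? and password = ?",
        (username, password),
    ).fetchall()
    return len(rows) == 1


def table_exists(conn, name):
    # Used to confirm that the users table survives the malicious login attempt.
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    payload = "';drop table users--"  # the username shown on the slide
    print(build_query_by_concatenation(payload, ""))
    conn = make_db()
    print(login_parameterized(conn, "alice", "s3cret"))  # True: real credentials
    print(login_parameterized(conn, payload, ""))        # False: no such user
    print(table_exists(conn, "users"))                   # True: table untouched
```

The concatenated string is only built and printed, never executed; the point is to see the statement structure change. The parameterized call is the fix the later "best practices for Web design" item on the slides points at.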
Example
Implementation Step
Current Status
• Analyse the structure of SQL query commands
• Build a filter that will check allowable patterns of SQL statements
• Create a proxy server that will filter SQL commands
• Prevent a SQL injection attack against a database using this proxy server
• Prove that SQL injection can be prevented using the filter developed to work on the proxy server
• Produce a list of best practices for
  – Web design
  – Database administration
Current Status
• Working proxy server
– Extracts the SQL from a TDS packet
– Prevents SQL injection attacks
• White list
• Black list
• Gray list
– Logs
• Extracted SQL queries
• Halted SQL
• Work in progress:
– Benchmarking
– Error reporting to database administrator
– Project write up
Results - Filter
Sample filter log:
• diagrams; : ;
• Sql injection attempt with: “diagrams; in design - in this section we design the class diagrams; this is because the class”
• Found with search signature: ;
• found match using black list
• by : by
• Sql injection attempt with: “by in diagrams define the data structure required by an application. We also look at”
• Found with search signature: by
• found match using white list, so this query is safe
Benchmark run:
Query Count: 950
bad query count: 150
took 45.4673 seconds
average time to process a query: 0.0478603 seconds
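The following is an added example, not the project's own proxy code, that models the filter stage described under "Current Status" and in the results log above: each extracted query is searched for signatures, a hit is then judged against a black list and a white list, and anything a hit leaves undecided goes to a gray list for the database administrator. The signatures, list patterns, sample queries and class names are all constructed for this example. One deliberate difference from the slide's run: the black list here requires ';' to be followed by a statement keyword (or to follow a closing quote), so the "diagrams;" text that the slide's filter halted lands in the gray list instead of being blocked, which is one way to cut the false positives listed under "Performance issues".

```python
import re
import time
from dataclasses import dataclass, field

# Signatures the proxy searches for in every extracted query. A hit alone does
# not halt a query; the white and black lists decide what the hit means.
# All patterns here are constructed for the example, not the project's own.
SEARCH_SIGNATURES = {
    ";": re.compile(r";"),
    "--": re.compile(r"--"),
    "by": re.compile(r"\bby\b", re.I),
    "drop": re.compile(r"\bdrop\b", re.I),
}
# Black list: contexts showing the statement structure was changed
# (a second statement stacked on, or the tail commented out after a quote).
BLACK_LIST = [
    re.compile(r";\s*(drop|delete|update|insert|alter|exec)\b", re.I),
    re.compile(r"'\s*(;|--)"),
]
# White list: contexts in which a signature is ordinary SQL, so the query is safe.
WHITE_LIST = [
    re.compile(r"\b(order|group)\s+by\b", re.I),
]


@dataclass
class FilterLog:
    extracted: list = field(default_factory=list)  # every query the proxy saw
    halted: list = field(default_factory=list)     # queries the proxy stopped
    review: list = field(default_factory=list)     # gray-listed, for the DBA


def classify(query):
    """Return (verdict, signatures_hit); verdict is pass, white, black or gray."""
    hits = [name for name, pat in SEARCH_SIGNATURES.items() if pat.search(query)]
    if not hits:
        return "pass", hits          # nothing to judge; forward unchanged
    if any(pat.search(query) for pat in BLACK_LIST):
        return "black", hits         # halt: stacked statement or truncation
    if any(pat.search(query) for pat in WHITE_LIST):
        return "white", hits         # the hit is legitimate SQL
    return "gray", hits              # undecided: forward, but log for review


class ProxyFilter:
    """Counts, times and logs queries the way the benchmark output reports them."""

    def __init__(self):
        self.log = FilterLog()
        self.query_count = 0
        self.bad_query_count = 0
        self.elapsed = 0.0

    def process(self, query):
        start = time.perf_counter()
        verdict, hits = classify(query)
        self.query_count += 1
        self.log.extracted.append(query)
        if verdict == "black":
            self.bad_query_count += 1
            self.log.halted.append((query, hits))
        elif verdict == "gray":
            self.log.review.append((query, hits))
        self.elapsed += time.perf_counter() - start
        return verdict

    def summary(self):
        avg = self.elapsed / self.query_count if self.query_count else 0.0
        return {"query_count": self.query_count,
                "bad_query_count": self.bad_query_count,
                "seconds": self.elapsed,
                "average_seconds": avg}


# Constructed sample traffic: a normal login, the slide's payload, an ORDER BY,
# and a row whose data merely contains ';' (the false-positive case).
SAMPLE_QUERIES = [
    "select * from users where username = 'alice' and password = 's3cret'",
    "select * from users where username = '';drop table users--' and password = ''",
    "select username from users order by username",
    "insert into notes (body) values ('in design we draw the class diagrams; see section 2')",
]


def run_demo(queries=SAMPLE_QUERIES):
    proxy = ProxyFilter()
    for q in queries:
        print(f"{proxy.process(q):5s} {q}")
    return proxy


if __name__ == "__main__":
    print(run_demo().summary())
```

The ordering matters: the black list is consulted before the white list, so a query that contains both an ORDER BY and a stacked DROP is still halted. Gray-listed queries are forwarded but logged, which is the "error reporting to database administrator" item still in progress on the slides.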
Performance issues
• Advantages
– Independent of flaws in application coding
and database privileges
– Separate server with real time analysis
• Disadvantages
– False positives are filtered out too: legitimate queries that happen to contain a signature are blocked along with the attacks
– Won’t work if data is encrypted
– May turn out to be resource intensive
Timeline
• First semester:
  – Project proposal
  – Presentation 1
  – Literature survey
  – Project website and Honours Blog
  – Design and implementation
• Second Semester
– Benchmarking
– Final write up
• thesis
• short paper
– Project poster
Questions