57
i Implementation of a Prototype to Secure Web Applications from SQL Injection and Cross Site Scripting Attacks Using an Intelligent Pattern Matching Approach GRADUATE PROJECT REPORT Submitted to the Faculty of the Department of Computing Sciences Texas A&M University-Corpus Christi Corpus Christi, Texas In Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Science By Ismail Aamir Mohammed Fall 2016 Committee Members Dr. Mario A. Garcia ____________________________ Committee Chairperson Dr. David Thomas ____________________________ Committee Member

Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

  • Upload
    others

  • View
    6

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

i

Implementation of a Prototype to Secure Web

Applications from SQL Injection and Cross Site

Scripting Attacks Using an Intelligent Pattern Matching

Approach

GRADUATE PROJECT REPORT

Submitted to the Faculty of

the Department of Computing Sciences

Texas A&M University-Corpus Christi

Corpus Christi, Texas

In Partial Fulfillment of the Requirements for the Degree of

Master of Science in Computer Science

By

Ismail Aamir Mohammed

Fall 2016

Committee Members

Dr. Mario A. Garcia ____________________________

Committee Chairperson

Dr. David Thomas ____________________________

Committee Member

Page 2: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

ii

Abstract

Nowadays, due to development of the Internet, there is a substantial increase in

the use of web and, the web applications have become the significant part of everyone’s

life. Because of the increase in cyber-attacks, web application security has become one

of the most important ongoing issue. There is an increase in risk of web attacks because

of web developers not being aware of the cyber-attacks, and because of the loopholes in

the prevailing technologies. The web applications have become target to many attacks

like SQL injection, session management, cross site scripting and broken authentication.

A lot of research is going on to safeguard these web applications from such malicious

attacks. Also, there have been few tools developed to protect the web applications from

malicious attacks but each of them has some specific flaws. This paper discusses an

approach the flaws in the previous tools. The approach used here analyzes the validity of

requests to the web applications and then generates cases for different attacks. These

cases then help in differentiating the malicious and non-malicious traffic in the web

applications.

Page 3: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

iii

TABLE OF CONTENTS

Abstract ................................................................................................................... ii

Table of Contents ................................................................................................... iii

List of Figures ..........................................................................................................v

List of Tables ........................................................................................................ vii

1. Background and Rationale ...................................................................................1

1.1 Introduction ....................................................................................................1

1.2 Literature Review ...........................................................................................2

1.3 Problems in Existing System .........................................................................3

2. Narrative ..............................................................................................................5

2.1 Problem Statement .........................................................................................5

2.2 Motivation ......................................................................................................5

2.3 Objective .......................................................................................................6

2.4 Scope ..............................................................................................................6

3. Proposed System Design......................................................................................7

3.1 Target Web Application .................................................................................8

3.2 Intelligent Pattern Matching Module .............................................................8

3.3 Unified Modelling Language .......................................................................15

4. Implementation of the Modules .........................................................................21

5. Testing and Evaluation ......................................................................................25

5.1 User Interface ...............................................................................................25

5.2 Test Case 1: Entering Malicious Script .......................................................27

Page 4: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

iv

5.3 Test Case 2: Malicious script to retrieve Confidential Information ............30

5.4 Test Case 3: SQLI attack to Retrieve Information .......................................33

5.5 Test Case 4: SQLI attack to Delete Table ....................................................36

5.6 Test Case 5: XSS Attack to Steal the Cookies .............................................38

5.7 Test Case 6: URL Redirection using XSS Attack .......................................41

5.8 Summary of Test Cases ...............................................................................44

5.9 Unit Test Case List.......................................................................................45

6.Conclusion and Future Enhancements ................................................................46

6.1 Conclusion ...................................................................................................46

6.2 Future work ..................................................................................................47

Bibliography ..........................................................................................................48

Page 5: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

v

LIST OF FIGURES

Fig 1. System Architecture ......................................................................................7

Fig 2. Architecture Workflow ..................................................................................8

Fig 3. Intelligent Pattern Matching Module .............................................................9

Fig 4. Invalid Request Showing SQL Injection Attack .........................................11

Fig 5. Invalid Request Showing XSS attack ..........................................................12

Fig 6. Examples of Regular Expressions ...............................................................13

Fig 7. Rules Stored in the Database .......................................................................14

Fig 8. Use Case Diagram for the Pattern Matching Module ..................................16

Fig 9. Use Case Diagram for Filtering on Target Application ..............................17

Fig 10: Class Diagram for the Pattern Matching Module ......................................19

Fig 11: Class Diagram for Filtering on Target Application ...................................20

Fig 12: Code Snippet for My Filter Class ..............................................................21

Fig 13: Code Snippet for Typesafe Request ..........................................................22

Fig 14: Log Table with its Different Columns .......................................................22

Fig 15: Table for List Analyzer .............................................................................23

Fig 16: Code Snippet for Process log info .............................................................24

Fig 17: Regular Expressions for SQLI Attacks .....................................................24

Fig 18: Scenario for Invalid Username or Password .............................................26

Fig 19: Scenario after Logging in to Application ..................................................26

Fig 20: Scenario where User Enters Malicious Script ...........................................27

Fig 21: Scenario where Script Starts Executing ....................................................28

Page 6: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

vi

Fig 22: Scenario where Log ID is Set to Vulnerable .............................................29

Fig 23: Scenario where IP address is set to Block in Database .............................29

Fig 24: Error Page ..................................................................................................30

Fig 25: Scenario of XSS Attack to Retrieve Information ......................................31

Fig 26: Scenario where Attacker Retrieves the Information .................................31

Fig 27: Scenario where the Log ID is Set to Vulnerable .......................................32

Fig 28: Scenario where the IP Address is Set to Blocked ......................................33

Fig 29: Scenario of SQLI attack ............................................................................34

Fig 30: Scenario where the Log ID is Set to Vulnerable .......................................35

Fig 31: Scenario where the IP address is Set to Blocked .......................................35

Fig 32: Another scenario of SQLI Attack ..............................................................36

Fig 33: Scenario where the Log Id is Set to Vulnerable ........................................37

Fig 34: Scenario where the IP Address is Set to Blocked ......................................37

Fig 35: XSS Attack to Steal the Cookies ...............................................................38

Fig 36: XSS Attack Showing Current Session Value ............................................39

Fig 37: Scenario where the Log ID is set to Vulnerable ........................................40

Fig 38: Scenario IP Address of Attacker is Blocked .............................................40

Fig 39: URL Redirection using XSS Attack ..........................................................41

Fig 40: Scenario after URL Redirection Attack ....................................................42

Fig 41: Scenario where the Log ID is set to Vulnerable ........................................43

Fig 42: Scenario IP Address of Attacker is Blocked .............................................43

Page 7: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

vii

LIST OF TABLES

Table 1: Access log header information ................................................................10

Table 2: Summary of the Test Cases .....................................................................44

Table 3: Scenario to Test Pattern Matching Module .............................................45

Page 8: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

1

1. Background and Rationale

1.1 Introduction:

Increase in usage of web based applications has made it mandatory to secure them

from a plethora of attacks. Web application layer is one of the main layer targeted by

these attacks. The most important reason for these kind of attacks is because of flaws in

the existing technologies and lack of understanding about security among web

application developers. From the recent studies, it can be seen that more than 70% percent

of attacks happen in payment card industry and also, more than 50% of authentic data is

exposed to attackers from the organizations who use shared credentials [5]. Based on this

figures, web security should be the most important thing to be considered while

developing a web application.

The two main techniques that are being used widely are default deny model and

default allow model. The default allow model maintains a list of exploits, so whenever

traffic passes through the application gateway, it is compared with the list and if any of

the input matches the content in the list, it will be considered malicious and will be

blocked [1][6].

Whereas the default deny model maintains a white list which contains all the legit

values which are considered non malicious for the web applications. These legit values

will be obtained from the user input of several web applications. So, whenever there will

be an input to the web application, it will be compared to the values in list. If the input

matches with the values in the white list, it will be considered legit and will be allowed

Page 9: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

2

to enter. In case if it does not match the values in the white list, it will be considered

malicious [1] [6]. Many issues were faced with manual maintenance of the list of cases

that were used in default allow model and default deny model. In the proposed technique,

an intelligent pattern matching approach will be introduced which will address the issues

being faced in maintaining a list.

1.2 Literature Review

Various techniques have been proposed to address the attacks in web applications.

But each existing technique has its own flaws. A model has been proposed by C.M. Frenz

et al., to detect cross site scripting attacks in web applications [9]. In this paper, the

authors have made use of regular expressions to detect malicious attacks in web

applications. This approach was not found to be robust as it only works for simple web

applications [9].

Lwin Khin Shar et al., have proposed a technique which makes use of two phases

to detect XSS attacks in web applications [10]. In the first phase, a taint based analysis

approach is used which provides an output in HTML document showing flow of user

data. In the next phase data dependency and pattern matching is analyzed which prevents

the injection into the code due to cross site scripting. Again, this technique only focuses

on prevention of one type of attack.

A.M Chandrasekhar et al., [11] have combined K-means, fuzzy neural networks

and support vector machine classifier techniques to implement a web attack detection

mechanism [11]. In this mechanism, K-means algorithm is used to cluster the input

Page 10: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

3

dataset into K clusters which are then trained using fuzzy logic. Each of the data is passed

through fuzzy classifier which then generates vectors. Then a classification is done using

support vector machine which helps in the detection of web attacks.

In [14] Zhang et al., have proposed a technique which uses taint analysis approach

to detect SQL injection and Cross site scripting attacks in web applications. This

approach makes use of a flow graph to detect sink and source points in the data flow. It

then taints the data in source code if the data is coming from an insecure source and

targeting a sensitive sink. The main drawback of this approach is that it has a high positive

false rate [14].

Sharma et al., [15] have presented an integrated approach which makes use of

two modes called production mode and safe mode to detect cross site scripting and SQL

injection attacks in web applications. The main drawback of this technique is that it is

not able to detect vulnerabilities from more dynamic and complex applications [15].

1.3 Problems in Existing System

The most important issue was to update and maintain the list of attacks. The list

of attacks being specific to each web application, it will be required to modify the list for

different types of applications. It will also require continuous development due to

increasing number of attacks every day [7].

Maintenance of the list of attacks is also a time consuming task. The big

applications like business applications have lots of user inputs, so it will be more time

Page 11: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

4

consuming to differentiate between the legitimate and illegitimate user inputs and then

saving of these user inputs into the list [1] [7].

Another issue is incorporating the list of attacks for existing web applications. As

the source code for already existing web applications is copyrighted, it will get difficult

to add the list of attacks to the already existing web applications [4].

Another significant issue is that there exist multiple input sources for a web

application. Different input sources like input from the third party applications, input

from the front end of the application, input through the databases and input through

another network exist for a web application. It will be an enormous task to maintain list

of attacks manually from multiple sources of input.

Hence in order to overcome some of the problems discussed above, an intelligent pattern

matching approach will be developed which will automate the blocking of vulnerable

attacks.

Page 12: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

5

2. Narrative

2.1 Problem statement:

Mitigating advanced malicious activities against network has become a big and a

continuous challenge. Existing techniques failed in securing web applications against

cornucopia of unwanted, potentially malicious attacks. Another technique, called default

deny approach, was introduced. The default deny model encountered trouble in

incorporating new attacks into the list of existing attacks. Hence, there was a need for a

new technique which can automatically incorporate the new attacks to the existing list of

attacks.

2.2 Motivation:

The two mechanisms that were used to protect web applications from malicious

attacks include the default allow model and default deny model. The disadvantage

associated with default allow model, which allows all traffic but just prevents traffic

noticed by web application firewall, is that it failed in keeping web applications safe from

various attacks like SQLI, Input validation, XSS etc. The issues encountered with default

deny model were updating and maintenance issues, time intensive tasks, multiple sources

of input etc. Hence, it can be discerned that with little changes in the system, networks can

be secured from the illegitimate websites. Therefore, an Intelligent pattern matching

approach is introduced which secures the web application against SQLI and XSS attacks

efficiently.

Page 13: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

6

2.3 Objective:

The main objective of this research is to implement a prototype to secure web

applications from malicious attacks using an Intelligent pattern matching technique. In this

approach, a technique is implemented which detects different attacks and stores them in a

database to validate future authentication.

2.4 Scope:

This research is an adaptation of a novel technique [16] which will automate the

process of detecting vulnerable attacks and appending them to the existing list of attacks.

The mechanism is effective in securing web applications against SQLI attacks, and Cross

Site Scripting attacks efficiently.

Page 14: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

7

3. Proposed System Design

An architecture has been designed to resolve the problems that were discussed in the

existing techniques. The primal features of the aimed system are:

Initial examination of the log would be done and consequently a profile of the web

application would be generated that corresponds to the semi-structured XML

format.

The creation of list of attacks is an offline process which would eventually save run

time processing.

System architecture is described in Figure 1 and the architecture workflow is described in

Figure 2.

Figure 1: System Architecture

Page 15: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

8

Figure 2: Architecture Workflow

The proposed architecture has two main components. The target web application and the

Intelligent pattern matching module. Each of the components is explained below.

3.1 Target Web Application

The target web application is the web application that will be secured from

vulnerable attacks; For testing, a hotel management web application will be used as a target

web application. All the HTTP requests and responses to the target web application will be

sent to the access log of the intelligent pattern matching module. The Intelligent pattern

matching module after comparing the HTTP requests and responses with different cases

validates user details on the target web application.

3.2 Intelligent Pattern Matching Module:

The pattern matching module automatically generates cases for the attacks in the

form of semi structured XML format and saves them in the database. The generated cases

Page 16: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

9

will help in securing the web application from the attackers in future. Detailed architecture

of the pattern matching module is depicted in the figure 3.

Figure 3: Intelligent Pattern Matching Module

Each component illustrated in figure 3 is explained as follows:

A. Access log: Access log constitutes the salient segment of the module structure. It is a

log table which stores all the information about HTTP request and response. And based on

this data, a vivid distinction is made between the legitimate and the illegitimate requests.

This log also permits users to view the HTTP request in addition to the response generated

by the web application for that request. Moreover, log scanning can be used to collect all

the data from the access log. Table 1 illustrates the access log header information and their

description. Date time stamp represents the time at which the web application was

accessed. Hostname with port number represents the hostname of the user accessing the

target web application. Client address with port number represents the IP address of the

client. Accept language represents the type of language that is requested by the client

Access Log

List of Attacks

Pattern Matching Case

Generator

Regular Expression

Repository

Page 17: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

10

browser. Full resource URL represents all the input parameters that are requested. Method

name is the type of method requested by the client.

Table 1: Access log header information

B. Pattern Matching: The response of the requests is reexamined and legitimate requests

are separated from the invalid requests. Furthermore, this module carries out following

possible operations.

Based on the response, it analyses illegitimate requests and then blocks them.

For example, an IP which made attacks in the past is identified and all the requests

from that IP are terminated.

HTTP Header Fields Description

Date time stamp The time at which the web application was

accessed.

Hostname with port number Hostname of the user accessing target web

application.

Client address with port number Represents the IP address of the client.

Accept Language Language requested by the client browser

Full resource URL with parameter Represents parameters requested by the

client along with the URL.

Method Name Type of Http method (GET or POST)

Page 18: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

11

Then the intelligent pattern matching is used to examine resemblance and disparity

of various parts of requests using the regular expressions stored in the regular

expression repository while determining the matching patterns.

Channels the information to the next module which is case generator module.

Figure 4 shows an example of invalid request in which SQL injection attack was

carried out by the attacker. The user entered username as “anything’ OR ’x’=’x”

and password as “anything’ OR ’x’=’x” to carry out a SQL injection attack.

Figure 4: Invalid Request showing SQL injection attack [13]

Page 19: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

12

Figure 5 shows another example of invalid request in which an attacker carries out

a XSS attack by inserting a script into POST method of the HTTP request.

Figure 5: Invalid Request showing XSS attack [13]

C. Regular Expressions Repository: The regular expressions repository contains various

kinds of regular expressions and this helps in setting up of configuration file. These regular

expressions are used for detection of SQLI attacks. The input received to the web

application will be compared to these regular expressions to analyze if any similarity is

Page 20: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

13

existing or not. If there exists any similarity between the input and the regular expression

that particular IP address will be set to block by the Case generator module. Updated

repository can be used to share usual updates to the intended system. Some examples of

regular expressions [18] are depicted in the Figure 6.

Figure 6: Examples of Regular Expressions [18]

D. Case Generator Module: Here, all the extracted information from the Intelligent

pattern matching module is used to create a semi structured XML format. Its essential

component is to generate cases for new attacks. Few of the advantages are listed below:

It is a good safeguard against cross site scripting and SQL injection attacks.

All the log information about a new URL is directed to pattern matching module

where it is compared with different regular expressions. Now, based on the results

Page 21: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

14

given by pattern matching module, semi structure XML cases are generated for the

new attacks as illustrated in figure 7 and stored in the database.

Figure 7: Rules Stored in the Database

Page 22: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

15

Salient features of the Intelligent Pattern Matching Module:

Scanning of log is done for the case which uses pattern matching. It carries out log

scanning to separate the legitimate and illegitimate requests based on the response

generated by the web server.

Learns about cardinality and size of the parameters. cardinality function is used to

find out free and fixed parameters.

Checks the correspondence of regular expression with input.

Finally, generates semi structured XML cases and stores them in the database.

3.3 Unified Modelling Language (UML)

Unified modelling language is used to represent the design of the system software.

The main aim of UML diagrams is to help users understand about interaction between

different components of the application.

A. Use Case diagram:

Use case diagram consists of the actors and the use cases. Actor represents

the role played by the user or any external system whereas the use cases describe

the functionality of the application.

Figure 8 shows the use case diagram for the pattern matching module. It

consists of one actor which is the pattern matching module and six use cases. The

six use cases are Analyze log messages, Intercept input request and response, start

learning cycle, generate cases, generate rules and send rules to target application.

Page 23: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

16

Figure 8: Use Case Diagram for the Pattern Matching Module

a. Analyze Log Messages: This use case represents the action performed by the

pattern matching module to analyze the log messages from target application.

b. Intercept Input Request and Response: This use case represents the action

performed by the pattern matching module to separate the legitimate and

illegitimate requests.

c. Start Pattern Matching: This use case represents the action performed by the

pattern matching module to start the pattern matching process based on the request

type.

Page 24: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

17

d. Generate Cases: This use case represents the different cases created by the pattern

matching module.

e. Send Rules to Target Application: It represents the action performed by the

pattern matching module to send the generated cases to the target web application.

Figure 9 shows the use case diagram for filtering on target application. It consists of two

actors and six use cases. Among two actors, one is legitimate user and the other one is

target application. The six use cases are Login, web authentication, check filter category,

authenticate based on rules, log the rules and send the rules to pattern matching module.

Figure 9: Use Case Diagram for Filtering on Target Application

Page 25: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

18

a. Login: Existing users can login to food ordering system by entering their username

and password.

b. Web Authentication: Web authentication is done on the input values given by the

user.

c. Check Filter Category: It represents the action performed by the target application

to check the filter category of user input.

d. Authenticate Based on Rules: It represents the authentication that is done based

on the rules in the database.

e. Log it: It represents the action performed to the log based on the input values given

by the user.

f. Send to Pattern Matching Module: It represents the action performed to send

the rules to the pattern matching module.

B. Class Diagram: The relationship between different classes and objects can be

showed using a class diagram. The class diagram consists of three sections, the first

section shows the name of the class, second section shows the attributes, and third

section represents the functions which are required for implementation of the logic.

The arrows are used to illustrate the relationship between different classes.

Figure 10 shows the class diagram for Intelligent pattern matching module

which is used to secure the target application. The classes used in the intelligent

pattern matching module are istCategory, ProcessLoginfo, learnvalidateengine and

shareDB. The listCategory consists of functions like get error message, get log id

Page 26: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

19

and set status message. It is associated with Learn Validate Engine class which

consists of functions like request method, request parameters and response body.

The Learn validate engine class is associated with shareDB which consists of

functions like insert query, update query and select query. The ProcessLoginfo class

consists of functions like ProcessLogin, validip, and it is associated with ShareDB

class.

Figure 10: Class Diagram for the Pattern Matching Module

Page 27: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

20

Figure 11 shows the class diagram for the filter used on the target application in order to

authenticate the user input. It consists of classes like MyFilter, Buffered Request

Wrapper, ProcessLogInfo, BufferedServletInputStream, and ShareDB. MyFilter class is

responsible for functions like dofilter, destroy and getClientIpAddr. It is associate with

BufferedRequestWrapper and ProcessLoginfo.

Figure 11: Class Diagram for filtering on Target Application

Page 28: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

21

4. Implementation of the Module

The web application is developed using Eclipse IDE and MySql for databases. The

main modules that have been implemented are as follows:

1) My Filter.

2) Log Table.

3) List Analyzer.

4) Process Log info.

5) Learn Validate Engine.

1) My Filter Class: My Filter class is responsible for taking in the Http requests and

comparing them with the existing rules. If the user input contains any malicious code, the

IP address of that particular user will be blocked and will be logged as vulnerable in Log

Table. Figure 12 shows the code snippet for My Filter class. It has a method called

getclientipaddress which takes the http request from the user and validates it against

different combinations to extract the original IP address without any proxy settings.

Figure 12: Code snippet for My Filter class

Page 29: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

22

My Filter class also has method called getTypesafeRequestMap which is responsible for

traversing the request parameters and converting them in the form of map and key values.

Figure 13 shows the code snippet for getTypesafeRequestMap.

Figure 13: Code snippet for Typesafe Request

2) Log Table: Log table is responsible for storing all the log records of Http requests. It

stores id of the request, request body, requested parameters, IP address of the client, and

the requested method. Figure 14 represents the Log Table with its different columns.

Figure 14: Log Table with its Different Columns

Page 30: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

23

3) List Analyzer: List Analyzer is responsible for analyzing, and separating legitimate and

illegitimate requests. It consists of id, number of errors, description about the error, id of

the request from the log table, and status about the request if it is vulnerable or not. Figure

15 shows the table for List Analyzer.

Figure 15: Table for List Analyzer

4) Process Log info: Process log info is responsible for initializing all log information by

capturing log messages. Each new request parameter which is not already stored is

captured and stored in the database. Validate client IP method validates each client IP

address by comparing them with the rules in the list generated by the learning module.

The code snippet for Process log info is shown in figure 16.

Page 31: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

24

Figure 16: Code snippet for process log info

5) Learn Validate Engine: Learn validate engine is responsible for separating the

input request parameters. It also contains the regular expressions for detection of

SQLI attacks. Figure 17 shows the regular expressions that have been used for

detection of SQLI attacks [18].

Figure 17: Regular Expressions for SQLI attack [18]

Page 32: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

25

5. Testing and Evaluation

Testing is done to find if there are any errors in the final web application. Testing

the final web application makes sure that the application functions without any errors.

During testing, behavior of the application is analyzed by giving different inputs to it.

A Hotel management based food ordering application was implemented to be

utilized as a target web application for the evaluation of automated list rules generating

technique. For testing; the target application will be executed from a virtual operating

system. Different regular expressions which describe common fields such as passwords,

credit cards and broadly used data types likes hex, digits etc., will be utilized for testing

purposes.

5.1 User Interface:

To make an order, the user should login to the system using the username and

password provided to him. The user should login using proper username and password. If

the user forgets to enter either the user name or the password, error message will be

displayed. Figure 18 depicts the scenario where the user forgot to enter his password. An

error message saying Invalid username or password is displayed.

Page 33: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

26

Figure 18: Scenario for Invalid username or password

After logging in successfully, the user will be navigated to main page where he can

perform different functions such as ordering the food, viewing the bill etc. Figure 19

shows the scenario after logging in to the application.

Figure 19: Scenario after logging in to application

Page 34: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

27

5.2 Test Case 1: Entering Malicious Script

Now, if the user tries to enter any malicious code in any text box on home page, it

will get logged into the database table and the user will be blocked from accessing the

website in future. Figure 20 shows a scenario where user is trying to enter malicious script

‘<script>alert();</script>’ in to the text box.

Figure 20: Scenario where User Enters Malicious Script

Using a malicious script, the user will try to make the web application irresponsive. Figure

21 shows a scenario where user entered script starts displaying unwanted dialog boxes.

Page 35: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

28

Figure 21: Scenario where Script Starts Executing

Then the pattern matching module runs its batch process internally which will compare the

input parameters with the XML file containing the information about attacks. If the input

parameters match the list of attacks, it blocks the IP address of the user and stores all the

inputs given by that user in the database for future analysis. Figure 22 and 23 depict the

scenario after running the batch process internally by the pattern matching module. Figure

22 shows the scenario where log id related to IP address of that user is set to vulnerable in

the list of attacks and figure 23 shows the scenario where the status for IP address of the

user who entered the malicious script is changed to blocked. Now the IP address of the

attacker will be blocked from accessing the web application in future.

Page 36: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

29

Figure 22: Scenario where Log ID is Set to Vulnerable

Figure 23: Scenario where IP address is set to Block in database

Page 37: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

30

An error page as shown in figure 24 will be displayed if the blocked user tries to access

the web application in future.

Figure 24: Error Page

5.3 Test Case 2: Malicious Script to Retrieve Confidential Information

Figure 25 shows another scenario of XSS attack where user is trying to retrieve

information about the web application by entering a malicious script in the text box for

category name. Here the user entered malicious script as

<script>alert(document.title);</script> which returns the information about the title of the

document. The attacker may enter different scripts to retrieve confidential information.

Page 38: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

31

Figure 25 Scenario of XSS Attack to Retrieve Information

Figure 26 shows how the previously entered script starts executing and shows the

confidential information about the web application. In this case, the script tag is trying to

retrieve the title of the web page.

Figure 26: Scenario where Attacker Retrieves the Information

Page 39: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

32

Now, after executing the batch process internally by the pattern matching module, the IP

address of the user who entered the malicious script will be set to blocked in the database

and log id of that user will be set to vulnerable in the list of attacks. Figure 27 shows the

scenario where log id related to IP address of that user is set to vulnerable in the list of

attacks and figure 28 shows the scenario where the status for IP address of the user who

entered the malicious script is changed to blocked. Now the IP address of the attacker will

be blocked from accessing the web application in future.

Figure 27: Scenario where the Log ID is Set to Vulnerable

Page 40: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

33

Figure 28: Scenario where the IP Address is Set to Blocked

5.4 Test Case 3: SQLI attack to Retrieve Information

Figure 29 shows the scenario of SQLI attack where an attacker is trying to retrieve

the details about other users which are stored in the database. Here, the user entered the

SQL query as “is null or 1=1” to retrieve the details about other users. This way user can

get access to confidential information.

Page 41: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

34

Figure 29: Scenario of SQLI attack

Now, after running the batch process in the background, the IP address of the user trying

to enter the query will be set to blocked in the database and log id related to that IP address

will be set to vulnerable in the of list rules. Figure 30 shows the scenario where log id

related to IP address of that user is set to vulnerable in the list of attacks and figure 31

shows the scenario where the status for IP address of the user who entered the malicious

script is changed to blocked. Now the IP address of the attacker will be blocked from

accessing the web application in future.

Page 42: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

35

Figure 30: Scenario where the Log ID is Set to Vulnerable

Figure 31: Scenario where the IP Address is Set to Blocked

Page 43: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

36

5.5 Test Case 4: SQLI attack to Delete Table

Figure 32 shows the scenario of SQLI attack where user trying to enter a vulnerable

query to perform some piggy back attack. Here, the user entered the SQL query as “drop

table test” to perform a malicious operation. This helps user in erasing some confidential

information stored in the database.

Figure 32: Another scenario of SQLI Attack

Now, after running the batch process in the background, the IP address of the user

trying to enter the query to drop the table will be set to blocked and logged in to the set of

list of attacks. Figure 33 shows the scenario where the IP address of the attacking user is

set to blocked and figure 34 shows the scenario where the log id related to that IP address

will be set to vulnerable.

Page 44: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

37

Figure 33: Scenario where the Log Id is Set to Vulnerable

Figure 34: Scenario where the IP address Set to Blocked

Page 45: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

38

5.6 Test Case 5: XSS Attack to Steal the Cookies

Here the user is trying to do a session hijack by stealing the cookies from the victim’s

browser. The attacker enters a malicious script as <script>alert(document.cookie);</script> to get

the current session information from the victim’s browser. Figure 35 shows the scenario where an

attacker enters the script to be executed.

Figure 35: XSS Attack to Steal the Cookies

Figure 36 shows a scenario where the script entered by the attacker starts executing.

It returns the current session value of the victim’s computer. Using this session value, the

attacker can perform session hijacking.

Page 46: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

39

Figure 36: XSS Attack Showing Current Session Value

Now, as the batch process gets executed internally, the IP address of the attacker trying

to perform a session hijacking attack will be blocked from accessing the web application

in future. This will be done by taking the request parameters given by the user and

comparing them with the regular expressions stored in the pattern repository. Based on

similarity between the regular expressions and input parameters, the case generator module

generates the cases. Figure 37 shows the scenario where the log id related to IP address of

the attacker is set to vulnerable and figure 38 shows the scenario where the IP address of

the attacking user is set to blocked.

Page 47: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

40

Figure 37: Scenario where the Log ID is set to Vulnerable

Figure 38: Scenario IP Address of Attacker is Blocked

Page 48: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

41

5.7 Test Case 6: URL Redirection using XSS Attack

In this scenario, the attacker injects a script at client side of the web application.

This script contains URL of some specific web page. So whenever a user clicks on the link

he will redirected to the page injected by the attacker in the script instead of the actual page.

Figure 39 depicts a scenario where attacker entered the script containing URL of

the web page.

Figure 39: URL Redirection using XSS Attack

Now, when a user clicks on add item link he will be redirect to view bill details

instead of add item page. Figure 40 depicts a scenario when a user clicks on an add item

link.

Page 49: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

42

Figure 40: Scenario after URL Redirection Attack

Now, as the batch process gets executed internally, the IP address of the attacker trying

to perform a session hijacking attack will be blocked from accessing the web application

in future. This will be done by taking the request parameters given by the user and

comparing them with the regular expressions stored in the pattern repository. Based on

similarity between the regular expressions and input parameters, the case generator module

generates the cases. Figure 41 shows the scenario where the log id related to IP address of

the attacker is set to vulnerable and figure 42 shows the scenario where the IP address of

the attacking user is set to blocked.

Page 50: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

43

Figure 41: Scenario where the Log ID is set to Vulnerable

Figure 42: Scenario IP Address of Attacker is Blocked

Page 51: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

44

5.8 Summary of Test Cases:

This section summarizes all the test cases discussed above in a table. Table 2 depicts the

summary of all the test cases.

Table 2: Summary of the Test Cases

S.

No.

Type of

Attack

Input Expected

Result

Actual

Result

Status

1 XSS

Attack

<script>alert();</script> Attack

detected

Same as

expected

Pass

2 XSS

Attack

<script>alert(document.title);</script> Attack

Detected

Same as

expected

Pass

3 SQLI

Attack

is null or 1=1; Attack

Detected

Same as

expected

Pass

4 SQLI

Attack

drop table test Attack

Detected

Same as

expected

Pass

5 XSS

Attack

<script>alert(document.cookie);</script> Attack

Detected

Same as

expected

Pass

6 XSS

Attack

<script>window.location="http://

ViewBillToCook.jsp"</script>

Attack

Detected

Same as

expected

Pass

Page 52: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

45

5.9 Unit Test Case List:

Table 3 depicts a scenario to test pattern matching module’s filter capturing

request and response with the target application from virtual OS.

Table 3: Scenario to Test Pattern Matching Module

ID Test Case Description Expected

Result

Actual

Result

Status

1 Capture request and

response of each

interaction with Target

Application

Verify Log

Table with

each updated

Request

Same as

expected

Pass

2 Capture Request

Method

Verify POST

or GET

method

Same as

expected

Pass

3 Capture IP addresses Capture client

IP addresses

Same as

expected

Pass

Page 53: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

46

6. Conclusion and Future Enhancements

6.1 Conclusion

The main idea of this research is to implement a prototype to secure web

applications from malicious attacks using an Intelligent pattern matching technique. This

intelligent pattern matching technique is proved to address the conventional problems of

securing the web applications from malicious attacks.

This approach mainly comprises of four modules: access log, pattern matching

module, pattern repository, and case generator module. Each module is responsible for

performing some task in securing a web application from XSS and SQLI Injection attacks.

The access log is responsible for storing all the log header information like request

parameters, IP address of the client, page requested by the client, HTTP method etc.

The pattern matching module is responsible for analyzing all the request parameters

received by the target application, and then comparing those request parameters with the

regular expressions stored in the pattern repository. Pattern repository consists of different

regular expressions that represent vulnerable attacks. After comparison, the pattern

matching module forwards the requests to case generator module which is responsible for

creating the cases based on the results generated by the pattern matching module.

Different test cases have been used for testing the intelligent pattern matching

technique. It was tested by passing different inputs containing vulnerable queries and

scripts. Testing results prove this technique detects cross site scripting and SQL injection

attacks efficiently.

Page 54: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

47

Due to its matching capability, intelligent pattern matching module is developed to

read the changes in the application which helps in crafting the list of attacks based on the

changes.

6.2 Future work

Machine learning algorithm can be used for automatically forming the new attack

rules by analyzing the existing list of attacks. In the current technique generation of regular

expressions is done manually. System can be made more feasible by making generation of

regular expressions automatic. This can be done by using Machine Learning algorithm and

then forming regular expressions for new attacks by analyzing the new attack patterns from

the existing list of attacks.

Page 55: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

48

Bibliography

[1] Bruce Schneier Blog, “black listing vs. white listing”, retrieved from

http://www.schneier.com/blog/archives/2011/01/whitelistingvs.html.

[2] OWASP, “Web application attacks statistic”, Retrieved from http://www.owasp.org.

[3] Yao-WenHuang,Shih-KunHuang,Chung-HungTsai, “Web Application Security

Assessment by Fault Injection and Behavior Monitoring”, ACM ,May 20-24, 2003.

[4] Federico Maggi, William Robertson, Christopher Kruegel, and Giovanni Vigna,

“Protecting a Moving Target: Addressing Web Application Concept Drift”, Raid 2009.

[5] Jeff Orloff, “Applicure Webhacking Facts and Figure”, Retrieved from

http://www.applicure.com/blog/web-application-hacking-facts-figures

[6] ModSecurity, “Mod security”, Retrieved from http://www.modsecurity.org

[7] Bockermann, C.; Mierswa, I.; Morik, K., “On the Automated Creation of

Understandable Positive Security Models for Web Applications,” in Pervasive

Computing and Communications, 2008. PerCom 2008. Sixth Annual IEEE International

Conference, vol., no., pp.554-559, 17-21 March 2008

[8] William Robertson, Giovanni Vigna, Christopher Kruegel, and Richard A.

Kemmerer, “Using Generalization and Characterization Techniques in the Anomaly-

based Detection of Web Attacks”, Proceeding of the Network and Distributed System

Security NDSS Symposium San Diego, CA February 2006.

Page 56: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

49

[9] C. M. Frenz,J. P. Yoon, “XSSmon: A Perl Based IDS for the Detection of Potential

XSS Attacks”,Systems, Applications and Technology Conference (LISAT), IEEE Long

Island, 2012.

[10] Lwin Khin Shar, Hee Beng Kuan Tan, "Automated removal of cross site scripting

vulnerabilities in web applications", Information and Software Technology 54, 467–478,

2012.

[11] A. M. Chandrasekhar, K. Raghuveer “Intrusion Detection Technique by using K-

means, Fuzzy Neural Network and SVM classifiers”, 2013 International Conference on

Computer and Informatics(ICCCI), Coimbatore, INDIA, Jan04-06,2013

[12] J. Abirami; R. Devakunchari; C. Valliyammai “A top web security vulnerability

SQL injection attack — Survey”, Seventh International Conference on Advanced

Computing (ICoAC), 2015

[13] Niklas Särökaari, “How to identify malicious HTTP Requests” retrieved from

https://www.sans.org/reading-room/whitepapers/detection/identify-malicious-http-

requests-34067,2012

[14] Z.Xin-Hua; Z .Wang, "A Static Analysis Tool for Detecting Web Application

Injection Vulnerabilities for ASP Program," 2nd International Conference on e-Business

and Information System Security (EBISS), 22-23 May 2010.

[15] P. Sharma, R. Johari, S.S. Sarma, “Integrated approach to prevent SQL injection

attack and reflected cross site scripting attack”, Int. J. Syst. Assur. Eng. Manag.3 (4) 343–

351, 2012

Page 57: Implementation of a Prototype to Secure Web Applications ...sci.tamucc.edu/~cams/projects/507.pdfto detect SQL injection and Cross site scripting attacks in web applications. This

50

[16] Syed Mishal Murtaza, Asif Sohail Abid “Automated White-List Learning Technique

for Detection of Malicious Attack on Web Application”, Centres of Excellence in

Sciences & Applied Technology, (CESAT)

[17] https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

[18] https://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-

scripting-attacks