CFP last date
20 May 2024
Call for Paper
June Edition
IJCA solicits high quality original research papers for the upcoming June edition of the journal. The last date of research paper submission is 20 May 2024

Submit your paper
Know more
The week's pick
Responsive image
Enhancing Privacy Preservation: Multi-Attribute Protection with P-Sensitive K-Anonymity

Twinkle Patel Kiran Amin
Random Articles
Reseach Article

An Authentication Mechanism to prevent SQL Injection Attacks

by Indrani Balasundaram, E. Ramaraj
journal cover thumbnail

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 19 - Number 1
Year of Publication: 2011
Authors: Indrani Balasundaram, E. Ramaraj
10.5120/2324-3013

Indrani Balasundaram, E. Ramaraj . An Authentication Mechanism to prevent SQL Injection Attacks. International Journal of Computer Applications. 19, 1 ( April 2011), 30-33. DOI=10.5120/2324-3013

@article{ 10.5120/2324-3013,
author = { Indrani Balasundaram, E. Ramaraj },
title = { An Authentication Mechanism to prevent SQL Injection Attacks },
journal = { International Journal of Computer Applications },
issue_date = { April 2011 },
volume = { 19 },
number = { 1 },
month = { April },
year = { 2011 },
issn = { 0975-8887 },
pages = { 30-33 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume19/number1/2324-3013/ },
doi = { 10.5120/2324-3013 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T20:05:53.092621+05:30
%A Indrani Balasundaram
%A E. Ramaraj
%T An Authentication Mechanism to prevent SQL Injection Attacks
%J International Journal of Computer Applications
%@ 0975-8887
%V 19
%N 1
%P 30-33
%D 2011
%I Foundation of Computer Science (FCS), NY, USA
Abstract

SQL Injection attacks target databases that are accessible through a web front-end, and take advantage of flaws in the input validation logic of Web components such as CGI scripts.In the last few months application-level vulnerabilities have been exploited with serious consequences by the hackers have tricked e-commerce sites into shipping goods for no charge, usernames and passwords have been harvested and confidential information such as addresses and credit-card numbers has been leaked. The reason for this occurrence is that web applications and detection systems do not know the attacks thoroughly and use limited sets of attack patterns during evaluation. SQL Injection attacks can be easily prevented by applying more secure authentication schemes in login phase itself. To address this problem, this paper presents an authentication scheme for preventing SQL Injection attack using Advance Encryption Standard (AES). Encrypted user name and password are used to improve the authentication process with minimum overhead. The server has to maintain three parameters of every user: user name, password, and user’s secret key. This paper proposed a protocol model for preventing SQL Injection attack using AES (PSQLIA-AES).

References
  1. C. Anley, 2002, “Advanced SQL Injection In SQL Server Applications,” White paper, Next Generation Security Software Ltd.
  2. D. Aucsmith, 2004 “Creating and Maintaining Software that Resists Malicious Attack,” http://www.gtisc.gatech.edu/bioaucsmith.html, September 2004. Distinguished Lecture Series.
  3. F. Bouma, 2003. Stored Procedures are Bad, O’kay Technical report, Asp.Net Weblogs, November http://weblogs.asp.net/fbouma/archive/2003/11/18/38178.aspx.
  4. S. W. Boyd and A. D. Keromytis, 2004. “SQLrand: Preventing SQL Injection Attacks,” In Proceedings of the 2nd Applied Cryptography and Network Security (ACNS) Conference, pages 292–302.
  5. Kemalis, K. and T. Tzouramanis 2008. “SQL-IDS: a specification-based approach for SQLinjection detection,” SAC’08. Fortaleza, Ceará, Brazil, ACM: pp. 2153-2158.
  6. W. R. Cook and S. Rai, 2005, “Safe Query Objects: Statically Typed Objects as Remotely Executable Queries,” In Proceedings of the 27th International Conference on Software Engineering (ICSE 2005).
  7. E. G. Barrantes, D. H. Ackley, S. Forrest, T. S. Palmer, D. Stefanovic, and D. D. Zovi, 2003. “Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks,” In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pp 281–289.
  8. Shaukat Ali, Azhar Rauf, and Huma Javed, 2009. “SQLIPA: An Authentication Mechanism Against SQL Injection,” European Journal of Scientific Research, ISSN 1450-216X Vol.38 No.4, pp 604-611.
  9. E. Larson and T. Austin, 2003. “High Coverage Detection of Input-Related Security Faults,” In Proceedings of the 12th USENIX Security Symposium, pages 121–136
  10. C. Cowan, S. Beattie, J. Johansen, and P. Wagle, 2003. “PointGuard: Protecting Pointers From Buffer Overflow Vulnerabilities,” In Proceedings of the 12th USENIX Security Symposium, pages 91–104.
  11. G. S. Kc, A. D. Keromytis, and V. Prevelakis, 2003. “Countering Code-Injection Attacks With Instruction-Set Randomization,” In Proceedings of the ACM Computer and Communications Security (CCS) Conference, pages 272–280.
  12. D. Larochelle and D. Evans, 2001. “Statically Detecting Likely Buffer Overflow Vulnerabilities,” In Proceedings of the 10th USENIX Security Symposium, pages 177–190.
  13. T. Garfinkel, 2003. “Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools,” In Proceedings of the Symposium on Network and Distributed Systems Security (SNDSS), pages 163–176.
  14. N. Dor, M. Rodeh, and M. Sagiv, 2003. “CSSV: Towards a realistic tool for statically detecting all buffer overflows in C,” In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI).
  15. J. Foster, M. Fa¨hndrich, and A. Aiken, 1999. “A theory of type qualifiers,” In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)
  16. Pietraszek, T. and C. V. Berghe 2005. “Defending against Injection Attacks through Context- Sensitive String Evaluation,” Recent Advances in Intrusion Detection (RAID2005).
  17. Halfond, W. G. J. and A. Orso 2008. "WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation." IEEE 34(01): pp. 65-81.
  18. Su, Z. and G. Wassermann 2006. “The Essence of Command Injection Attacks in Web Applications,” POPL. Charleston, South Carolina, USA, ACM: pp. 372 – 382
Index Terms

Computer Science
Information Sciences

Keywords

SQL Injection attack Web security authentication AES Secret Key password security

Powered by PhDFocusTM