CFP last date
20 May 2024
Call for Paper
June Edition
IJCA solicits high quality original research papers for the upcoming June edition of the journal. The last date of research paper submission is 20 May 2024

Submit your paper
Know more
The week's pick
Responsive image
Enhancing Privacy Preservation: Multi-Attribute Protection with P-Sensitive K-Anonymity

Twinkle Patel Kiran Amin
Random Articles
Reseach Article

CIDT: Detection of Malicious Code Injection Attacks on Web Application

by Atul S. Choudhary, M. L. Dhore
journal cover thumbnail

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 52 - Number 2
Year of Publication: 2012
Authors: Atul S. Choudhary, M. L. Dhore
10.5120/8174-1493

Atul S. Choudhary, M. L. Dhore . CIDT: Detection of Malicious Code Injection Attacks on Web Application. International Journal of Computer Applications. 52, 2 ( August 2012), 19-26. DOI=10.5120/8174-1493

@article{ 10.5120/8174-1493,
author = { Atul S. Choudhary, M. L. Dhore },
title = { CIDT: Detection of Malicious Code Injection Attacks on Web Application },
journal = { International Journal of Computer Applications },
issue_date = { August 2012 },
volume = { 52 },
number = { 2 },
month = { August },
year = { 2012 },
issn = { 0975-8887 },
pages = { 19-26 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume52/number2/8174-1493/ },
doi = { 10.5120/8174-1493 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T20:51:21.425809+05:30
%A Atul S. Choudhary
%A M. L. Dhore
%T CIDT: Detection of Malicious Code Injection Attacks on Web Application
%J International Journal of Computer Applications
%@ 0975-8887
%V 52
%N 2
%P 19-26
%D 2012
%I Foundation of Computer Science (FCS), NY, USA
Abstract

Security is one of the major concerns in communication networks and other online Internet based services, which are becoming pervasive in all kinds of domains like business, government, and society. Network security involves activities that all organizations, enterprises, and institutions undertake to protect the value and usability of their assets and to maintain the integrity and continuity of operations that are performed at their end. Network security exists on all the different layers of an OSI model, Application-level web security comes at the application layer and it refers to vulnerabilities inherent in the code of a web-application itself irrespective of the technologies in which it is implemented. Security in web applications is becoming very important because of the real time transactions that are required over the internet these days. Various attacks are carried out on the web applications and behind every attack; there is vulnerability of some types or the other. Now-a-days application-level vulnerabilities have been exploited with serious consequences: E-commerce sites are tricked by attackers and they lead into shipping goods for no charge, usernames and passwords have been cracked, and confidential and important credentials of users have been leaked. SQL Injection attacks and Cross-Site Scripting attacks are the two most common attacks on web application. Proposed method is a new policy based Proxy Agent, which classifies the request as a scripted request, or query based request, and then, detects the respective type of attack, if any in the request. This method detects both SQL injection attack as well as the Cross-Site Scripting attacks.

References
  1. Bibliography: Bernard Menezes, Indian Institute of Tech, Mumbai, "Network Security and Cryptography", Cenage Learning Publiactions.
  2. An Article on Web Application Security 101 by Appliclure technologies "dotDefender Web Application Security" published in year 2011.
  3. Research Report by Ponemon Institute "Second Annual Cost of Cyber Crime Study Benchmark Study of U. S. Company" Sponsored by ArcSight, an HP Company Independently conducted by Ponemon Institute LLC, Publication Date: August 2011.
  4. Inyong Lee, Soonki Jeong, Sangsoo Yeoc, Jongsub Moon, "A novel method for SQL injection attack detection based on removing SQL query attribute values", Volume 55, Issues 1–2, January 2012, pp 58–68.
  5. Diallo Abdoulaye Kindy and Al-Sakib Khan Pathan "A Survey on SQL Injection: Vulnerabilities, attacks, and Prevention Techniques" 2011 IEEE 15th International Symposium on Consumer Electronics, pp 468-471.
  6. Stephen Kost "An Introduction to SQL Injection Attacks for Oracle Developers", White Paper, Version 1. 3 - March 2007.
  7. K. Amirtahmasebi, S. R. Jalalinia, S. Khadem, "A survey of SQL injection defense mechanisms," Proc. Of ICITST 2009, pp. 1-8, 9-12 Nov. 2009.
  8. Qian XUE, Peng HE Shannxi College of Communication Technology Xi'an, P. R. China "On Defence and Detection of SQL SERVER Injection Attack" Wireless Communication Networking and Mobile Computing (WiCOM), pp 1- 4, 2011 IEEE.
  9. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL Injection Attacks. In Proceedings of the 2nd Applied Cryptography and Network Security Conference, pp 292–302, June 2004.
  10. R. A. McClure, and I. H. Kruger, "SQL DOM: compile time checking of dynamic SQL statements," Software Engineering, 2005. ICSE 2005. Proceedings. 27th International Conference on, pp. 88- 96, 15-21 May 2005.
  11. William G. J. Halfond, Alessandro Orso, "AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks", ACM-05 USA, November 7-11, 2005, pp 174-183 Long Beach, California.
  12. S. Ali, SK. Shahzad and H. Javed, "SQLIPA: An Authentication Mechanism against SQL Injection," European Journal of Scientific Research ISSN 1450-216X Vol. 38 No. 4 (2009), pp 604-611.
  13. MeiJunjin, "An Approach for SQL injection vulnerability detection" International conference on Information Technology: New Generations, 2009 6th pp 1411-1414.
  14. Mr. Dan Kuykendall, "Detecting Persistent Cross-Site Scripting", White paper, Volume 11211, eEye Digital Security, 2010.
  15. Rattipong Putthacharoen, Pratheep Bunyatnoparat, "Protecting Cookies from Cross Site Script Attacks Using Dynamic Cookies Rewriting Technique", ICACT 2011 pp 1090-1094.
  16. E. Galan, A. Alcaide, A. Orfila, J. Blasco, "A Multi-agent Scanner to Detect Stored-XSS Vulnerabilities", Internet Technology and Secured Transactions (ICITST), Nov 2010, pp 1-6.
  17. David Scott, Richard Sharp, "Abstracting Application Level Web Security", WWW '02 11th International Conference on World Wide Web, ACM, Network 2002, pp 396-407. .
  18. Peter Wurzinger, Christian Platzer, Christian Ludl, Engin Kirda, and Christopher Kruegelk, "SWAP: Mitigating XSS Attacks using a Reverse Proxy" SESS'09, May 19, 2009 pp 33-39, Vancouver, Canada, 2009 IEEE.
  19. Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic, "Noxes: A Client-Side Solution for Mitigating XSS Attacks", SAC'06 April 23-27, 2006 pp 33-39, Dijon, France.
  20. "Open Web Application Security Project (OWASP)", www. OSWAP. Org".
  21. "Collection of various Attack Vectors", http://ha. ckers. org/.
  22. Chris Palmer "Secure Session Management with Cookies for Web Applications", iSEC Partners, Inc San Francisco, Version 1. 1, Sept 10 2008.
  23. "Ethical Hacking Tutorials", http://www. breakthesecurity. com/2012/01/how-to-do-cookie-stealing-with-cross. html.
  24. Chris Anley, "Advanced SQL Injection in SQL Server Applications", An NGS Software Insight Security Research (NISR) Publication in 2002 Next Generation Security Software Ltd.
  25. Paul Johnston, "Authentication and Session Management on the web" GIAC Security Essentials Certification Practical Assignment Version 1. 4b, 24 Nov, 2004.
  26. Pattern Matching using Regular Expression, www. dotnetpearl. com.
Index Terms

Computer Science
Information Sciences

Keywords

Code Injection SQL Injection Cross Site Scripting HTTP Protocol

Powered by PhDFocusTM