Ppt

Date post: 29-Nov-2014
Upload: saikrishna1233
Page 1: Ppt

SPECIAL THANKS TO….

OUR GUIDE SK.RIAZ

Page 2: Ppt

William G.J. Halfond

Alessandro Orso

Panagiotis Manolios

Special thanks to our authors

Page 3: Ppt

PRESENTERS

PASALA SIVAKRISHNA

MANNAVA SAIKRISHNA

VADINNENI ATCHYUTH

MD.UBEDULLA MOHIB

Page 4: Ppt

WASP: PROTECTING WEB APPLICATIONS BY USING POSITIVE TAINTING AND SYNTAX-AWARE EVALUATION

Page 5: Ppt

ABSTRACT

• Many software systems have evolved into Web-based systems, which makes them available to the public via the Internet and can expose them to a variety of Web-based attacks.
• One of these attacks exploits SQL injection vulnerabilities (SQLIVs), which can give attackers unrestricted access to the databases that underlie Web applications; such attacks have become increasingly frequent and serious.
• The intent is that Web applications will limit the kinds of queries that can be generated to a safe subset of all possible queries, regardless of what input the user provides.

Page 6: Ppt

ABSTRACT

• SQL injection attacks are possible because of design drawbacks in Web sites that interact with back-end databases.
• Successful attacks may cause further damage.
• We introduce a system built on a new automated technique for preventing SQL injection attacks, based on the novel concept of using regular expressions to detect SQL injection attacks.
• The proposed system can detect attacks that come from the Internet as well as insider attacks, by analyzing the packets of the network servers.

Page 7: Ppt

INTRODUCTION

• Web applications build SQL queries to access these databases based, in part, on user-provided input.
• One way in which this happens is that attackers can provide input strings that contain specially encoded database commands.
• Researchers have proposed many alternatives for addressing SQL injection attacks.
• In this paper, we propose a new, highly automated approach for dynamic detection and prevention of SQL injection attacks.

Page 8: Ppt

Introduction

[Figure: Deployment context of a typical Web application, showing End Users, Internet, Web Server, DB and Other Systems.]

Page 10: Ppt

SQL injection attacks…..!?

• SQL injection attacks are a class of code injection attacks.
• A SQL injection attack is a form of attack that comes from user input that has not been checked to see that it is valid.
• SQL injection attackers change the developer's intended
• SQL injection attacks leverage a wide range of mechanisms and input channels to inject malicious commands.

Page 11: Ppt

Login algorithm

    String login = getParameter("login");
    String pin = getParameter("pin");
    Statement stmt = connection.createStatement();
    // Vulnerable: user input is concatenated directly into the query string
    String query = "SELECT acct FROM users WHERE login='";
    query += login + "' AND pin=" + pin;
    ResultSet result = stmt.executeQuery(query);
    if (result != null)
        displayAccount(result); // Show account
    else
        sendAuthFailed(); // Authentication failed

Page 12: Ppt

Main techniques for performing SQL injection attacks

• Here we present the main techniques for performing SQL injection attacks. They are:

1. Tautologies
2. Union queries
3. Piggybacked queries
4. Malformed queries
5. Inference

Page 13: Ppt

Tautologies

Page 14: Ppt

Union queries

• A sophisticated type of SQL injection attack.
• Here attackers insert a statement of the form "UNION <injected query>".
• The outcome will be the union of the results of the original query
• SELECT acct FROM users WHERE login='' UNION SELECT cardNo from CreditCards where accto=7032 AND pin=

Page 15: Ppt

Piggybacked queries

• If the attack is successful, the database executes multiple distinct queries.
• These attacks are harmful.
• They can be used to inject any type of SQL command.
• The example is SELECT acct FROM users WHERE login='doe' and pin=0; drop table users
• This query is treated as two queries.
• The second query, drop table users, has the catastrophic consequence of deleting the users' information.

Page 16: Ppt

Malformed queries

• Union queries and piggybacked queries require prior knowledge of the database.
• Error messages are generated when a query is rejected.
• The example of a malformed query is SELECT acct FROM users WHERE login='' AND pin=convert(int,(select top 1 name from sysobjects where xtype='u'))

Page 17: Ppt

Inference

• This discovers information about the database schema.
• Often, being rejected produces side effects in the result.
• Inference is a timing attack.
• The query is based on an if-then condition.
• This injection produces the following query: SELECT acct FROM users WHERE login='legalUser' and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1))>X WAITFOR 10 --' AND pin=

Page 18: Ppt

Our approach

• Our approach is based on dynamic tainting.
• Dynamic tainting marks certain untrusted data as tainted.
• Our approach takes advantage of the characteristics of SQL injection attacks and Web applications.
• It is based on the identification of trusted data and untrusted data.
• It makes several conceptual and practical improvements over dynamic tainting.

Page 19: Ppt

Bases

• Our approach:
• Is based on the novel concept of positive tainting, the identification of trusted data and untrusted data.
• Performs accurate and efficient taint propagation and marking of trusted data.
• Performs syntax-aware evaluation of query strings, without trust markings.
• Has minimal deployment requirements, which makes it practical and portable.

Page 20: Ppt

Trusted data and untrusted data

• We extend our proposal by using the methods on which it is based. They are:

1. Positive tainting.
2. Syntax-aware evaluation.

Our paper title is "WASP: Protecting Web Applications by Using Positive Tainting and Syntax-Aware Evaluation".
It is entirely based on trusted and untrusted data, which will be explained in the upcoming slides.

Page 21: Ppt

Positive tainting

• This is based on the marking and tracking of trusted data, rather than untrusted data.
• It helps address problems caused by incompleteness in the identification.
• This incompleteness is one of the major challenges.
• It has different consequences in negative and positive tainting.
• In negative tainting, incompleteness leads to trusting data that should not be trusted.

Page 22: Ppt

Incompleteness

• Incompleteness thus leaves the application vulnerable.
• With positive tainting, incompleteness leads to false positives.
• False positives, if generated, are likely to be detected and eliminated.
• Positive tainting uses a white-list rather than a black-list.
• It follows the general principle of fail-safe defaults.
• In this case, positive tainting fails on the side of system security.

Page 23: Ppt

Conceptual advantages

• They stem from the way in which Web applications are created.
• The identification of most trusted data is straightforward.
• There are often many potential external untrusted sources of input.
• Positive tainting makes identifying trusted data straightforward and less error prone.

Page 24: Ppt

Accurate and efficient taint propagation

• Taint propagation consists of tracking taint markings associated with the data.

• In our approach, we provide a mechanism to accurately mark and propagate taint information by:
• Tracking taint markings at the right level of granularity
• Precisely accounting for the effect of functions that operate on the tainted data

Page 25: Ppt

Syntax-Aware Evaluation

• Use the taint markings to distinguish legitimate from malicious queries.

• Simply forbidding the use of untrusted data is not a perfect solution, as it would treat input as injection attacks.
• The concept of declassification permits the use of tainted input once it has been processed by a sanitizing function.

Page 26: Ppt

Declassification

• This is based on the assumption that sanitizing functions are able to eliminate.
• There is no guarantee that these solutions are adequate.
• Because of this, tainting approaches can produce false negatives.
• False positives are also generated.
• Syntax-aware evaluation does not rely on any assumptions about the effectiveness of sanitizing (sanitizing functions are filters that perform regular expression matching or subsequent replacement).

Page 27: Ppt

Feature

• The key is the context in which trusted and untrusted data is used to make up all parts of a query.
• As long as untrusted data is confined to literals, we are guaranteed that no SQL injection attack can be performed.
• We can assume that the operator has been injected by an attacker and identify the query as an attack.

Page 28: Ppt

Technique

• Performs syntax-aware evaluation of a query string immediately before the string is sent to the database to be executed.
• To evaluate the query string, it uses a SQL parser to break the string into tokens.
• Tokens other than literals must contain only trusted data.
• If an attack is detected, a developer-specified action can be invoked.
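The following is an added sketch of the check described on this slide, not code from the slides or from the WASP implementation: strings carry one trust flag per character, concatenation propagates the flags, and a query is blocked when any token other than a literal contains an untrusted character. The names TStr, trusted, untrusted, untrusted_syntax and execute_guarded and the simplified regular-expression tokenizer are assumptions made for this example.

```python
import re

class TStr:
    """A string plus one trust flag per character (character-level granularity)."""
    def __init__(self, text, marks):
        self.text, self.marks = text, list(marks)

    def __add__(self, other):
        # Taint propagation: concatenation keeps every character's own marking.
        return TStr(self.text + other.text, self.marks + other.marks)

def trusted(s):
    """Positive tainting: only developer-written constants get trust markings."""
    return TStr(s, [True] * len(s))

def untrusted(s):
    """Everything else (request parameters, etc.) is untrusted by default."""
    return TStr(s, [False] * len(s))

# Simplified tokenizer, an assumption of this sketch (not a full SQL grammar).
TOKEN = re.compile(r"""
    (?P<literal>'(?:[^']|'')*'|\d+(?:\.\d+)?)   # string or numeric literal
  | (?P<space>\s+)
  | (?P<other>--.*|[A-Za-z_]\w*|.)              # comment, keyword, identifier, operator
""", re.VERBOSE | re.DOTALL)

def untrusted_syntax(query):
    """Syntax-aware evaluation: list non-literal tokens with untrusted characters."""
    return [m.group() for m in TOKEN.finditer(query.text)
            if m.lastgroup == "other" and not all(query.marks[m.start():m.end()])]

def build_login_query(login, pin):
    # Same concatenation as the login slide; only the constants are trusted.
    return (trusted("SELECT acct FROM users WHERE login='") + untrusted(login)
            + trusted("' AND pin=") + untrusted(pin))

def execute_guarded(login, pin):
    """Block the query before it reaches the database if the check fails."""
    query = build_login_query(login, pin)
    bad = untrusted_syntax(query)
    return ("BLOCKED", bad) if bad else ("SENT", query.text)

if __name__ == "__main__":
    print(execute_guarded("doe", "1234"))                 # legitimate login
    print(execute_guarded("drop", "0"))                   # keyword confined to a literal
    print(execute_guarded("doe", "0; drop table users"))  # piggybacked query from the slides
```

The second call shows why the evaluation is syntax-aware: the untrusted word "drop" is accepted because it stays inside a string literal, while the same word used as a keyword in the third call is reported.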

Page 29: Ppt

CONCLUSION

1. Identifying trusted data sources and marking data coming from these sources as trusted

2. Using dynamic tainting to track trusted data at runtime

3. Allowing only trusted data to form semantically relevant parts of queries such as SQL keywords and operators

Page 30: Ppt

Bubye…!

• This is the basic introduction to our proposal.

Thank you!

