SPECIAL THANKS TO….
OUR GUIDE SK.RIAZ
William G.J. Halfond
Alessandro Orso
Panagiotis Manolios
Special thanks to our authors
PRESENTERS
PASALA SIVAKRISHNA
MANNAVA SAIKRISHNA
VADINNENI ATCHYUTH
MD.UBEDULLA MOHIB
WASP: PROTECTING WEB APPLICATIONS BY USING POSITIVE TAINTING AND SYNTAX-AWARE EVALUATION
ABSTRACT
• Many software systems have evolved into Web-based systems, which makes them available to the public via the Internet and can expose them to a variety of Web-based attacks.
• One of these attacks is SQL injection vulnerability (SQLIV), which can give attackers unrestricted access to the databases that underlie Web applications and has become increasingly frequent and serious.
• The intent is that Web applications will limit the kinds of queries that can be generated to a safe subset of all possible queries, regardless of what input the user provides.
ABSTRACT
• SQL injection attacks are possible because of design drawbacks in the web sites that interact with back-end databases.
• Successful attacks can cause further damage.
• We introduce a system that uses a new automated technique for preventing SQL injection attacks, based on the novel concept of using regular expressions to detect SQL injection attacks.
• The proposed system can detect attacks coming from the Internet as well as insider attacks, by analyzing the packets of the network servers.
INTRODUCTION
• Web applications build SQL queries to access these databases based, in part, on user-provided input.
• One way in which this happens is that attackers can provide input strings that contain specially encoded database commands.
• Researchers have proposed many alternatives for addressing SQL injection attacks.
• In this paper, we propose a new, highly automated approach for dynamic detection and prevention of SQL injection attacks.
Introduction
[Figure: Deployment context of a typical Web application. Components shown: End Users, Internet, Web Server, DB, Other Systems.]
SQL injection attacks…..!?
• SQL injection attacks are a class of code injection attacks.
• A SQL injection attack is a form of attack that comes from user input that has been checked to see that it is valid.
• SQL injection attackers change what the developer intended.
• SQL injection attacks leverage a wide range of mechanisms and input channels to inject malicious commands.
Login algorithm (servlet fragment; the query is built by string concatenation, which is what makes it injectable)
    String login = getParameter("login");            // user-supplied, untrusted
    String pin = getParameter("pin");                // user-supplied, untrusted
    Statement stmt = connection.createStatement();
    String query = "SELECT acct FROM users WHERE login='";
    query += login + "' AND pin=" + pin;             // untrusted input spliced into the query text
    ResultSet result = stmt.executeQuery(query);
    if (result != null)
        displayAccount(result);                      // Show account
    else
        sendAuthFailed();                            // Authentication failed
Main techniques for performing SQL injection attacks
• Here we describe the main techniques for performing SQL injection attacks. They are:
1. Tautologies
2. Union queries
3. Piggybacked queries
4. Malformed queries
5. Inference
Tautologies
Union queries
• A sophisticated type of SQL injection attack.
• The attacker inserts the statement "UNION <injected query>".
• The outcome will be the union of the results of the original query and the injected query.
• Example: SELECT acct FROM users WHERE login=' ' UNION SELECT cardNo from CreditCards where accto=7032 AND pin=
Piggybacked queries
• If the attack is successful, the database executes multiple distinct queries.
• These attacks are very harmful.
• They can be used to inject any type of SQL command.
• Example: SELECT acct FROM users WHERE login='doe' and pin=0; drop table users
• This query is treated as two queries.
• The second query, drop table users, has the catastrophic consequence of deleting the users' information.
Malformed queries
• Union queries and piggybacked queries require prior knowledge of the database.
• Error messages are generated when the query is rejected.
• Example of a malformed query: SELECT acct FROM users WHERE login=' ' AND pin=convert(int,(select top 1 name from sysobjects where xtype='u'))
Inference
• This discovers information about the database schema.
• The query is often rejected, and the attacker observes side effects on the result.
• Inference can be a timing attack.
• The query is based on an if-then condition.
• This injection produces the following query: SELECT acct FROM users WHERE login='legalUser' and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1))>X WAITFOR 10 --' AND pin=
Our approach
• Our approach is based on dynamic tainting.
• Dynamic tainting is based on marking certain untrusted data as tainted.
• Our approach takes advantage of the characteristics of SQL injection attacks and web applications.
• It is based on the identification of trusted data and untrusted data.
• It makes several conceptual and practical improvements over dynamic tainting.
Bases
• Our approach is based on:
• A novel concept of positive tainting: the identification of trusted data and untrusted data.
• Accurate and efficient taint propagation and marking of trusted data.
• Syntax-aware evaluation of query strings, without trust markings.
• Minimal deployment requirements, which make it practical and portable.
Trusted data and untrusted data
• We extend our proposal by using the following methods on our bases:
1. Positive tainting.
2. Syntax-aware evaluation.
• Our paper title is WASP: protecting web applications by using positive tainting and syntax-aware evaluation.
• The whole approach is based on trusted and untrusted data, which will be explained in the upcoming slides.
Positive tainting
• This is based on marking and tracking trusted data, rather than untrusted data.
• It helps address problems caused by incompleteness in the identification of the data to be tainted.
• This incompleteness was the major challenge.
• Incompleteness has different consequences in negative and positive tainting.
• In negative tainting, incompleteness leads to trusting data that should not be trusted.
Incompleteness
• Incompleteness thus leaves the application vulnerable.
• With positive tainting, incompleteness leads to false positives.
• If false positives are generated, they are likely to be detected and eliminated.
• Positive tainting uses a white-list rather than a black-list.
• It follows the general principle of fail-safe defaults.
• In the case of incompleteness, positive tainting fails safely, on the side of the security of the system.
Conceptual advantages
• These follow from the way in which web applications are typically created.
• The identification of most trusted data is straightforward.
• There are often many potential external untrusted sources of input.
• Positive tainting therefore identifies trusted data in a way that is straightforward and less error-prone.
Accurate and efficient taint propagation
• Taint propagation consists of tracking taint markings associated with the data.
• In our approach, we provide a mechanism to accurately mark and propagate taint information by:
• Tracking taint markings at the right level of granularity
• Precisely accounting for the effect of functions that operate on the tainted data
Syntax-Aware Evaluation
• Use the taint markings to distinguish legitimate from malicious queries.
• Simply forbidding the use of untrusted data is not a perfect solution, as it would treat all input as injection attacks.
• The concept of declassification: use tainted input only after it has been processed by a sanitizing function.
Declassification
• This is based on the assumption that sanitizing functions are able to eliminate attacks.
• There is no guarantee that these solutions are adequate.
• Because of this, tainting approaches produce false negatives.
• False positives are also generated.
• Syntax-aware evaluation does not rely on any assumptions about the effectiveness of sanitizing (sanitizing functions are filters that perform regular-expression matching or subsequent replacement).
Feature
• The key is the context in which trusted and untrusted data is used to make up all parts of the query.
• As untrusted data is confined to literals, we guarantee that no SQL injection attack can be performed.
• Otherwise, we can assume that the operator has been injected by an attacker and identify the query as an attack.
Technique
• Performs syntax-aware evaluation of a query string immediately before the string is sent to the database to be executed.
• To evaluate the string, it uses a SQL parser to break the string into tokens.
• Tokens other than literals must contain only trusted data.
• If an attack is detected, a developer-specified action can be invoked.
CONCLUSION
1. Identifying trusted data sources and marking data coming from these sources as trusted
2. Using dynamic tainting to track trusted data at runtime
3. Allowing only trusted data to form semantically relevant parts of queries such as SQL keywords and operators
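As an added example (not code from the WASP paper or this presentation), the three steps above modelled in Python for the login query shown earlier: trust marks are attached to the hard-coded fragments of the query, propagated through concatenation, and a syntax-aware check then requires every token that is not a string or numeric literal to be made entirely of trusted characters. The TStr type and the small tokenizer are simplifications assumed for the example; the sample inputs are constructed.

```python
import re

# Added example, not code from the WASP paper or the presentation: a small model
# of positive tainting plus syntax-aware evaluation for the login query above.
class TStr:
    """String whose every character carries a trust mark (positive tainting)."""
    def __init__(self, text="", trusted=False, chars=None):
        self.chars = chars if chars is not None else [(c, trusted) for c in text]
    def __add__(self, other):  # taint propagation through concatenation
        return TStr(chars=self.chars + other.chars)
    def text(self):
        return "".join(c for c, _ in self.chars)

def trusted(s):    # hard-coded string in the application source
    return TStr(s, True)

def untrusted(s):  # anything from an HTTP parameter is never marked
    return TStr(s, False)

# Minimal SQL tokenizer (assumed, not WASP's parser): whitespace, string literal,
# number, identifier/keyword, line comment, single punctuation char, stray quote.
TOKEN = re.compile(r"\s+|'(?:[^']|'')*'|\d+(?:\.\d+)?|[^\W\d]\w*|--[^\n]*|[^\s\w']|'")

def syntax_aware_check(q):
    """Return (True, None) if every token other than a string/numeric literal is
    made entirely of trusted characters, else (False, offending_token)."""
    s, pos = q.text(), 0
    while pos < len(s):
        m = TOKEN.match(s, pos)
        tok, end = m.group(0), m.end()
        is_literal = (len(tok) >= 2 and tok[0] == "'") or tok[0].isdigit()
        if not tok.isspace() and not is_literal:
            if not all(t for _, t in q.chars[pos:end]):
                return False, tok   # untrusted data formed a keyword/operator
        pos = end
    return True, None

def build_login_query(login, pin):
    # Mirrors the presentation's login servlet: only the literal fragments are trusted.
    return (trusted("SELECT acct FROM users WHERE login='") + untrusted(login)
            + trusted("' AND pin=") + untrusted(pin))

def check_login(login, pin):
    return syntax_aware_check(build_login_query(login, pin))[0]

if __name__ == "__main__":
    for login, pin in [("doe", "1234"), ("' OR 1=1 --", ""),
                       ("doe", "0; drop table users")]:   # constructed inputs
        ok, tok = syntax_aware_check(build_login_query(login, pin))
        print("ALLOW" if ok else f"BLOCK on {tok!r}", login, pin)
```

The legitimate login passes because its untrusted characters only ever fall inside literals, while the tautology and piggybacked inputs are rejected at the first keyword or operator built from untrusted characters.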
Bubye…!
• This is the basic introduction to our proposal.
thank you!!!!!!!!!!!!!!!!