
Intrusion Protection against SQL Injection and Cross Site Scripting Attacks Using a Reverse Proxy

  • Conference paper
Recent Trends in Computer Networks and Distributed Systems Security (SNDS 2012)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 335)

Abstract

Internet and web applications have grown exponentially and have become an essential part of day-to-day living, but the level of security the Internet provides has not grown as fast as the applications themselves. The drawbacks attached to Internet applications, such as intrusions, hold back their growth. Two dominant vulnerabilities are SQL Injection attacks (SQLIA) and Cross Site Scripting attacks (XSS), which together account for 30% of all Internet attacks. Much research is being carried out in this area. In this paper we propose a system that uses the MD5 algorithm and grammar expression rules, applied in a reverse proxy, to mitigate SQL injection and Cross Site Scripting attacks. The system provides a server-side solution for XSS attacks. It has been tested on standard test-bed applications, and our work has shown a significant improvement in detecting and curbing SQLIA and primary XSS attacks.


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hidhaya, S.F., Geetha, A. (2012). Intrusion Protection against SQL Injection and Cross Site Scripting Attacks Using a Reverse Proxy. In: Thampi, S.M., Zomaya, A.Y., Strufe, T., Alcaraz Calero, J.M., Thomas, T. (eds) Recent Trends in Computer Networks and Distributed Systems Security. SNDS 2012. Communications in Computer and Information Science, vol 335. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34135-9_26


  • DOI: https://doi.org/10.1007/978-3-642-34135-9_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34134-2

  • Online ISBN: 978-3-642-34135-9
