SlideShare ist ein Scribd-Unternehmen logo

IJEI - Study of SQL injection in banking transactions

International Journal of Engineering Inventions www.ijeijournal.com
International Journal of Engineering Inventions www.ijeijournal.com

This document discusses SQL injection attacks in banking transactions and methods to prevent them. It begins with an abstract discussing how SQL injections are a major security issue for banking applications and can be used to access secret information like usernames and passwords or bank databases. The document then provides examples of SQL injection attacks on banks, describes how hackers perform SQL injections, and discusses approaches like input validation, static query statements, and least privilege to prevent injections. It also introduces tools like Amnesia and the X-Log Authentication technique to detect and block injection attacks. The conclusion is that Amnesia and X-Log Authentication are effective techniques for preventing SQL injections in banking transactions.

1 von 6
Downloaden Sie, um offline zu lesen
International Journal of Engineering Inventions ISSN: 2278-7461, www.ijeijournal.com Volume 1, Issue 8 (October2012) PP: 70-75 A STUDY OF SQL INJECTION IN BANKING TRANSACTION Varun Tiwari1, Kimmi Makhija2, Jyoti Ratra3 1 Research Scholar NWMDI University South Africa. 2,3 Asst. Prof. KIRAS, (Affiliated GGSIP University) Abstract:––In these days the use of the World Wide Web (WWW) is increasingly rapidly, so there are lot of problems comes from hacking. One of the most important fields of Hacking is Banking Sector. In case of Banking System there are lots of transactions daily, soproviding the security from the attackers is necessary. Now these days the major issues of the security in the Banking Transaction are SQL Injections, which are creating a serious issues regarding the attacks of Banking applications and acquiring the secret information‘s such as id and Password and accessing the bank databases through the SQL injections. My main motive to presenting this paper is describing the sql injection method, techniques and how to prevent this situation? These methods we can protect transaction from the attack by using SQL injections.These methods are used to denote the parameters that are used to attack by the SQL injections and analyzed by the transactions which cause illegal access. By these methods we can totally protect the applications without any hacking of the database and completely condemned the attacks and it will not generate any wrong transactions as a correct one. In an SQL injection attack, an attacker might insert a malicious SQL query as input to perform an unauthorized database operation. Using SQL injection attacks, an attacker can retrieve or modify confidential and sensitive information from the database. Keywords:––SQLInjection, Security, Detection and Prevention. I. INTRODUCTION "An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input." SQL injection is an attack in which malicious code is inserted In to strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. List of some SQL Injection attacker bank are 1. Forex Swiss Bank Vulnerable to SQL Injection [1] 2. HDFC Bank Database Hacked by zSecure team using SQL injection vulnerability [2] [1] SQL Injection Vulnerability found in Dukascopy by zSecure Team. Dukascopy offers direct access to the Swiss Foreign Exchange Marketplace. This market provides the largest pool of ECN spot forex liquidity available for banks, hedge funds, other institutions and professional traders. To accommodate the existing banking relationships of its clients, Dukascopy offers full Prime Broker capability with give up facility, by utilizing an extensive network of banking partners. [5] [2] ZSecure team is back in news again, this time they have discovered a critical SQL injection vulnerability in HDFC Bank's Web Portal. Using this critical flaw HDFC Bank's various databases can be accessed and dumped as well. This critical flaw really affects the customer relations of HDFC Bank's and this really questions the existing security in place within bank.HDFC Bank is the leading bank in India but they lack behind the basic security that needs to be implemented. ZSecure team claimed in their blog post that even after sending they complete details about the vulnerability and even after conducting the vulnerability assessment from the third party service provider they were not able to discover this critical flaw which existed in their web portal. This really raises a big question on their existing security policy. [6] SQL Injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to an organization's resources or to make changes to data. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server. "What makes this vulnerability so pervasive is that SQL Injection attacks can prey on all types of Web applications - even those as simple as a monthly loan payment calculator or a 'signup for our customer newsletter' form," . "SQL Injection is successful only when the web application is not sufficiently secured,". "Unfortunately, the majority of websites and web applications are not secure. Thus, we are advising all organizations to use 'input validation' for any form to ensure that only the type of input that is expected is accepted." [1] 1.1 How Hacker Done The hacker goes to coffee shop and connects to the same Wi-Fi network you are connected to. He runs a series of utilities to redirect other user‘s data through his machine. He runs a number of other utilities to sniff the data, act as an SSL Certificate Server and to be the Man-the-Middle. The following diagram shows a very simplified graphic of how your SSL Banking session should work under normal conditions, then how it would work during an attack: ISSN: 2278-7461 www.ijeijournal.com P a g e | 70
A STUDY OF SQL INJECTION IN BANKING… An important concept to grasp here is that a certificate is used to establish the secure SSL connection. This is a good thing, if you have a good certificate and are connecting directly to the website to which you intended to use. Then all your data is encrypted from your browser to the SSL website where the bank‘s website will use the information from the certificate it gave you to decrypt your data/credentials. If that is truly the case, then it is pretty darn hard for a hacker to decrypt the data/credentials being transmitted, even if he is able to sniff your data. This is a bad thing if you have a ―Fake‖ certificate being sent from the hacker, and you are actually connecting to his machine, not directly to the bank‘s website. In this case, your credentials are being transmitted between your browser and the hacker‘s machine. The hacker is able to grab that traffic, and, because he gave you the certificate to encrypt the data/credentials, he can use that same certificate to decrypt your data/credentials. 1.2 Approaching Methods 1. Input Validation 2. Static Query Statement 3. Least Privilege 4. Code Verification 5. Web Application Gateway 6. SQL Driver Proxy 7. MISC Method Some other method to prevent attack of SQL Injection: 1. Trust no-one 2. Don't use dynamic SQL when it can be avoided 3. Update and patch 4. Firewall 5. Reduce your attack surface 6. Use appropriate privileges 7. Keep your secrets secret 8. Don't divulge more information than you need to ISSN: 2278-7461 www.ijeijournal.com P a g e | 71
A STUDY OF SQL INJECTION IN BANKING… 9. Don't forget the basics 10. Buy better software 1.3 Preventing Techniques 1.3.1 X – Log Authentication Technique This approach addresses SQLIA‘s (Sql Injection Attack) with runtime monitoring. The key insights behind the approach are that (1) the sourcecode contains enough information to infer models of theexpected, legitimate SQL queries generated by theapplication, and (2) an SQLIA, by injecting additional SQLstatements into a query, would violate such a model.Proposed technique monitors the dynamically generatedqueries with the Data model which is generated by X- LogGenerator at runtime and checks them for compliance. Ifthe Data Comparison violates the model then it representpotential SQLIA‘ s and prevented from executing on thedatabase and reported. For each application, when the loginpage is redirected to our checking page, it was to detect andprevent attacks without stopping legitimate accesses.Moreover, our technique proved to be efficient, imposingonly a low overhead on the Web applications. This techniqueconsists of three filtration techniques to prevent SQLI‘S.We summarize the steps and then describe them in moreConclusions. Detail in subsequent sections. Vulnerability Guard: Vulnerability Guard detects theWildcard characters or Meta characters and prevents themalicious attacks. X – Log Authentication: X-Log valuator validate from-Log Generator where the Sensitive data‘s are Stored fromthe Database, The user input fields compare with the dataexisted in X-Log generator if it is identical then the queryis allowed to proceed. Stored Procedure: Testing the size and data type ofinput and enforce appropriate limit. Stored Procedures isused to validate user input and to perform server sidevalidation. The safety of stored procedures depends on theway in which they are coded and on the use of adequatedefensive coding practices. These Three input filtrations areused to improve the scalability, performance andoptimization. 1.3.2 AMNESIA AMNESIA (Analysis and Monitoring for Neutralizing SQL Injection Attacks) is the prototype tool that implements our techniqueto counter SQLIAs for Java-based web applications. AMNESIA is developed in Java and its implementation consists of three modules that leverage various existing technologies and libraries: Analysis module: This module implements Steps 1 and 2 of our technique. Its input is a Java web application and it outputs list of hotspots and a SQL-query models for each hotspot. For the implementation of this module, we leveraged JSA [5]. The analysis module is able to analyze Java Servletsas well as JSP pages. Instrumentation module: This module implements Step 3 of our technique. It inputs a Java web application and a list ofhotspots and instruments each hotspot with a call to the runtime monitor. We implemented this module using INSERT,a generic instrumentation and monitoring framework for Java developed at Georgia Tech [4]. Runtime-monitoring module:This module implements Step 4 ofour technique. It takes as input a query string and the IDof the hotspot that generated the query, retrieves the SQLquerymodel for that hotspot, and checks the query againstthe model. For this module, we also leveraged INSERT. Figure 6 shows a high-level overview of AMNESIA. In thestatic phase, the Instrumentation Module and the Analysis Moduletake as input a web application and produce (1) an instrumentedversion ISSN: 2278-7461 www.ijeijournal.com P a g e | 72
A STUDY OF SQL INJECTION IN BANKING… of the application, and (2) an SQL-query model for eachhotspot in the application. In the dynamic phase, the Runtime-Monitoring Module checks the dynamic queries while users interactwith the web application. If a query is identified as an attack, it is blocked and reported. [2] Another Step of Amnesia Tool Identify hotspots: Scan the application code to identifyhotspots—points in the application code that issue SQLqueries to the underlying database. Build SQL-query models: For each hotspot, build a modelthat represents all of the possible SQL queries thatmay be generated at that hotspot. An SQL-querymodel is a non-deterministic finite-state automaton inwhich the transition labels consist of SQL tokens, de-limiters, and placeholders for string values. Instrument Application:At each hotspot in the application, add calls to the runtime monitor. Runtime monitoring: At runtime, check the dynamically-generated queries against the SQL-query model andreject and report queries that violate the model. 1.4 SECURITY EXAMPLE OF SQL INJECTION Websites of many banks, credit unions, smaller online retailers, and many government agencies remain highly vulnerable to SQL injection attacks. 8th November 2010: (BBC News) The Royal Navy's website has been hacked by a suspected Romanian hacker known as TinKode. December 2009: (The New York Times) An attacker breached a Rock You plaintext database containing the unencrypted usernames and passwords of about 32 million users using an SQL injection attackWebsites of many banks, credit unions, smaller online retailers, and many government agencies remain highly vulnerable to SQL injection attacks. Some of the real world examples: Most of the application will have a login screen and we construct dynamic SQL statement with the screen input as follows: SELECT *FROM Users WHERE login = 'ravi' and password = 'dBa#1'; If the attacker modifies the user name supplied as ‗ravi' or 1=1; -- then the code will be as follows: SELECT *FROM UsersWHERE login = 'ravi' or 1=1;--and password = 'dBa#1'; If the above statement executes, the attacker can gain access to the database as 1=1 is always true. The attacker could log on as any user, given that they know the users name, using the following input: Username: admin'-- If the user specifies the following: Username: ‗drop table users-- Password: The 'users' table will be deleted, denying access to the application for all users. To illustrate how an SQLIA occurs, we introduce a simple example that we will use throughout the paper. The example is based on a Servlets, show.jsp, for which a possible implementation is shown in here: [4] 1.4.1 Example of Secure Login by Java Language public class Show extends HttpServlet { publicResultSetgetUserInfo(String login, String password) { ISSN: 2278-7461 www.ijeijournal.com P a g e | 73
A STUDY OF SQL INJECTION IN BANKING… Connection conn = DriverManager.getConnection("MyDB"); Statement stmt = conn.createStatement(); String queryString = ""; queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login=‘" + login + AND pass=‘" + password + "‘"; } Else { queryString+="login=‘guest‘"; } ResultSettempSet = stmt.execute(queryString); returntempSet; }. } 1.4.2 Example of Secure Login by Php Language To prevent such an attack, a secure login technique is required. Here, in this article, we discuss the coding of a secure login script using PHP and Mysql. Step I:Create a database and a table 'members' in it: CREATE TABLE `members` (`username` varchar (20), `password` varchar (128)) Step II: Create a Login Form: <formaction="process_login.php" method="post"> Username: <input type="text" name="username" /> Password: <input type="password" name="password" /> <input type="submit" value="Login" /></form> Connect to Mysql Server: $host = 'local host'; // Host name Normally 'LocalHost' $user = 'root'; // MySQL login username $pass = ''; // MySQL login password $database = 'test'; // Database name $table = 'members'; // Members name mysql_connect ($host, $user, $pass); mysql_select_db($database); Step III: Now, you need to provide mechanism to avoid SQL Injection. For this, escape special characters like ", ', We can escape special characters (prepend backslash) using mysql_real_escape_string or add slashes functions. In most cases PHP will this do automatically for you? But PHP will do so only if the magic_quotes_gpc setting is set to on in the php.ini file. If the setting is off, we use mysql_real_escape_string function to escape special characters. If you are using PHP version less that 4.3.0, you can use the add slashes function instead. name = mysql_real_escape_string ($_POST['username']); $password = md5 ($_POST ['password']); $result = mysql_query ("SELECT * FROM $table WHERE username = '$username' AND password = '$password'"); Here, we use the MD5 (Message Digest 5) Algorithm, that generates the message digest for the password. So, while writing the script for registration page, care must be taken that the md5 of the password entered by the user must be stored in the database, instead of the actual text password. Validating the login: if(mysql_num_rows($result)) { session_start(); $_SESSION['username'] = htmlspecialchars($username); } else { // Invalid username/password echo '<p><strong>Error:</strong> Invalid username or password.</p>'; } // Redirect header('Location: http://www.example.com/loggedin.php'); exit; ISSN: 2278-7461 www.ijeijournal.com P a g e | 74
A STUDY OF SQL INJECTION IN BANKING… You are done!! This code will help prevent the SQL injection problem. However, it must be noted that no script is 100% secure. So, it is advisable to provide multilevel security process, which makes the login more secure. II. CONCLUSION In this paper we mention there are lot of mechanism and technique used to prevent the SQL Injection in Banking Transaction. We have presented a survey reports on various types of SQL Injection attacks in Bank, Methods, and Prevention Techniques. At Last Conclusion the best and suitable techniques are Amnesia and X-Log Authentication. In this technique we use different type‘s language such as Java and Php. REFERENCES 1. Research Book ―SQLInjectionWhitePaper‖. 2. AMNESIA: Analysis and Monitoring for Neutralizing SQLInjection Attacks William G.J. Halfond and Alessandro Orso, College of Computing, Georgia Institute of Technology, ASE’05, November 7–11, 2005. 3. ―Securing Web Application Code by Static Analysis and Runtime Protection‖, In Proceedings of the 12th International World Wide Web Conference (WWW 04), May 2004. 4. Steve Fried‘s Unixwiz.net Tech Tips ―SQL Injection Attacks by Example‖. 5. Report on ―Dukascopy: Forex Swiss Bank Vulnerable to SQL Injection‖. 6. Report on ―HDFC Bank Database Hacked by zSecure team using SQL injection vulnerability‖. 7. Research Book ―SQL Injection Attacks and Defense‖ author Justin Clarke. 8. ―Preventing SQL Injection Attacks Using AMNESIA‖ William G.J. Halfond and Alessandro OrsoCollege of Computing Georgia Institute of Technology , ICSE’06, May 20–28, 2006, Shanghai, China. 9. ―A Survey on SQL Injection: Vulnerabilities, Attacksand Prevent ion Techniques‖ Diallo Abdoulaye Kindy and Al-Sakib Khan PathanDepartment of Computer Science, International Islamic University Malaysia, Malaysia. 10. M. Ruse, T. Sarkar and S. Basu. Analysis & Detection of SQLInjection Vulnerabilities via Automatic Test Case Generation ofPrograms. 10th Annual International Symposium on Applicationsand the Internet pp. 31 – 37 (2010) 11. Preventing SQL Injection Attacks in Stored Procedures Wei, M. Muthuprasanna, SurajKothari Dept. of Electrical and Computer Engineering Iowa State University Ames, IA – 50011. ISSN: 2278-7461 www.ijeijournal.com P a g e | 75

Empfohlen

FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONFRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONijiert bestjournal
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
Lessons Learned From the Yahoo! Hack
Lessons Learned From the Yahoo! HackLessons Learned From the Yahoo! Hack
Lessons Learned From the Yahoo! HackImperva
 
Intrusion detection architecture for different network attacks
Intrusion detection architecture for different network attacksIntrusion detection architecture for different network attacks
Intrusion detection architecture for different network attackseSAT Journals
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Updated Mvc Web security updated presentation
Updated Mvc Web security updated presentationUpdated Mvc Web security updated presentation
Updated Mvc Web security updated presentationJohn Staveley
 
IRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET Journal
 
Op2423922398
Op2423922398Op2423922398
Op2423922398IJERA Editor
 

Empfohlen

FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONFRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONijiert bestjournal
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
Lessons Learned From the Yahoo! Hack
Lessons Learned From the Yahoo! HackLessons Learned From the Yahoo! Hack
Lessons Learned From the Yahoo! HackImperva
 
Intrusion detection architecture for different network attacks
Intrusion detection architecture for different network attacksIntrusion detection architecture for different network attacks
Intrusion detection architecture for different network attackseSAT Journals
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Updated Mvc Web security updated presentation
Updated Mvc Web security updated presentationUpdated Mvc Web security updated presentation
Updated Mvc Web security updated presentationJohn Staveley
 
IRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET Journal
 
Op2423922398
Op2423922398Op2423922398
Op2423922398IJERA Editor
 
I1804015458
I1804015458I1804015458
I1804015458IOSR Journals
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolIJERD Editor
 
1738 1742
1738 17421738 1742
1738 1742Editor IJARCET
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Yuji Kosuga
 
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)IJNSA Journal
 
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...IOSR Journals
 
C01461422
C01461422C01461422
C01461422IOSR Journals
 
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET Journal
 
Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Dr. Ramchandra Mangrulkar
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabaseIOSR Journals
 
Image-Based Authentication from Confident Technologies
Image-Based Authentication from Confident TechnologiesImage-Based Authentication from Confident Technologies
Image-Based Authentication from Confident TechnologiesConfident Technologies
 
IRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure AuthenticationIRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure AuthenticationIRJET Journal
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
Sql
SqlSql
SqlIJASCSE
 
T04505103106
T04505103106T04505103106
T04505103106IJERA Editor
 
Security Awareness
Security AwarenessSecurity Awareness
Security AwarenessLucas Hendrich
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnottsJohn Staveley
 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...Rana sing
 
Final review ppt
Final review pptFinal review ppt
Final review pptRana sing
 
A Hygienic, cost effective, hand free & water conservative sensor faucet
A Hygienic, cost effective, hand free & water conservative sensor faucetA Hygienic, cost effective, hand free & water conservative sensor faucet
A Hygienic, cost effective, hand free & water conservative sensor faucetInternational Journal of Engineering Inventions www.ijeijournal.com
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions www.ijeijournal.com
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions www.ijeijournal.com
 

Weitere ähnliche Inhalte

Was ist angesagt?

M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolIJERD Editor
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Yuji Kosuga
 
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)IJNSA Journal
 
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...IOSR Journals
 
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET Journal
 
Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Dr. Ramchandra Mangrulkar
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabaseIOSR Journals
 
Image-Based Authentication from Confident Technologies
Image-Based Authentication from Confident TechnologiesImage-Based Authentication from Confident Technologies
Image-Based Authentication from Confident TechnologiesConfident Technologies
 
IRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure AuthenticationIRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure AuthenticationIRJET Journal
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnottsJohn Staveley
 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...Rana sing
 
Final review ppt
Final review pptFinal review ppt
Final review pptRana sing
 

Was ist angesagt? (19)

I1804015458
I1804015458I1804015458
I1804015458
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
 
1738 1742
1738 17421738 1742
1738 1742
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
 
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
 
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
Pattern Mapping Approach for Detecting Xss Attacks In Multi-Tier Web Applicat...
 
C01461422
C01461422C01461422
C01461422
 
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
IRJET- An Efficient Technique for Finding SQL Injection using Reverse Proxy S...
 
Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML Database
 
Image-Based Authentication from Confident Technologies
Image-Based Authentication from Confident TechnologiesImage-Based Authentication from Confident Technologies
Image-Based Authentication from Confident Technologies
 
IRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure AuthenticationIRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure Authentication
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution Attacks
 
Sql
SqlSql
Sql
 
T04505103106
T04505103106T04505103106
T04505103106
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Web security leeds sharp dot netnotts
Web security leeds sharp dot netnottsWeb security leeds sharp dot netnotts
Web security leeds sharp dot netnotts
 
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff...
 
Final review ppt
Final review pptFinal review ppt
Final review ppt
 

Andere mochten auch

Andere mochten auch (7)

A Hygienic, cost effective, hand free & water conservative sensor faucet
A Hygienic, cost effective, hand free & water conservative sensor faucetA Hygienic, cost effective, hand free & water conservative sensor faucet
A Hygienic, cost effective, hand free & water conservative sensor faucet
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
 
International Journal of Engineering Inventions (IJEI),
International Journal of Engineering Inventions (IJEI), International Journal of Engineering Inventions (IJEI),
International Journal of Engineering Inventions (IJEI),
 
Voltage Sag and Swell Compensation using UPQC-S Technique
Voltage Sag and Swell Compensation using UPQC-S TechniqueVoltage Sag and Swell Compensation using UPQC-S Technique
Voltage Sag and Swell Compensation using UPQC-S Technique
 
International Journal of Engineering Inventions (IJEI),
International Journal of Engineering Inventions (IJEI), International Journal of Engineering Inventions (IJEI),
International Journal of Engineering Inventions (IJEI),
 
H04124548
H04124548H04124548
H04124548
 

Ähnlich wie IJEI - Study of SQL injection in banking transactions

Prevention of SQL injection in E- Commerce
Prevention of SQL injection in E- CommercePrevention of SQL injection in E- Commerce
Prevention of SQL injection in E- Commerceijceronline
 
Banking and Modern Payments System Security Analysis
Banking and Modern Payments System Security AnalysisBanking and Modern Payments System Security Analysis
Banking and Modern Payments System Security AnalysisCSCJournals
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
SQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsSQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsInsecureLab
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
INTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARD
INTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARDINTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARD
INTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARDIJCI JOURNAL
 
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...Editor IJMTER
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Boston Institute of Analytics
 
Ijeee 51-57-preventing sql injection attacks in web application
Ijeee 51-57-preventing sql injection attacks in web applicationIjeee 51-57-preventing sql injection attacks in web application
Ijeee 51-57-preventing sql injection attacks in web applicationKumar Goud
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmIOSR Journals
 
GreenSQL Security
GreenSQL Security GreenSQL Security
GreenSQL Securityijsrd.com
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A SurveyIRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A SurveyIRJET Journal
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Ravindra Singh Rathore
 
SQl Injection Protector for Authentication in Distributed Applications
SQl Injection Protector for Authentication in Distributed ApplicationsSQl Injection Protector for Authentication in Distributed Applications
SQl Injection Protector for Authentication in Distributed ApplicationsIOSR Journals
 

Ähnlich wie IJEI - Study of SQL injection in banking transactions (20)

Prevention of SQL injection in E- Commerce
Prevention of SQL injection in E- CommercePrevention of SQL injection in E- Commerce
Prevention of SQL injection in E- Commerce
 
Ld3420072014
Ld3420072014Ld3420072014
Ld3420072014
 
Banking and Modern Payments System Security Analysis
Banking and Modern Payments System Security AnalysisBanking and Modern Payments System Security Analysis
Banking and Modern Payments System Security Analysis
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
 
SQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsSQL Injection: Unraveling the Threats
SQL Injection: Unraveling the Threats
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
INTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARD
INTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARDINTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARD
INTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARD
 
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
 
Ijeee 51-57-preventing sql injection attacks in web application
Ijeee 51-57-preventing sql injection attacks in web applicationIjeee 51-57-preventing sql injection attacks in web application
Ijeee 51-57-preventing sql injection attacks in web application
 
SQL INJECTION ATTACKS.pptx
SQL INJECTION ATTACKS.pptxSQL INJECTION ATTACKS.pptx
SQL INJECTION ATTACKS.pptx
 
E017131924
E017131924E017131924
E017131924
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive Algorithm
 
GreenSQL Security
GreenSQL Security GreenSQL Security
GreenSQL Security
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A SurveyIRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET- Detection of SQL Injection using Machine Learning : A Survey
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)
 
SQl Injection Protector for Authentication in Distributed Applications
SQl Injection Protector for Authentication in Distributed ApplicationsSQl Injection Protector for Authentication in Distributed Applications
SQl Injection Protector for Authentication in Distributed Applications
 

Mehr von International Journal of Engineering Inventions www.ijeijournal.com

Mehr von International Journal of Engineering Inventions www.ijeijournal.com (20)

G04123844
G04123844G04123844
G04123844
 
F04123137
F04123137F04123137
F04123137
 
E04122330
E04122330E04122330
E04122330
 
C04121115
C04121115C04121115
C04121115
 
B04120610
B04120610B04120610
B04120610
 
A04120105
A04120105A04120105
A04120105
 
F04113640
F04113640F04113640
F04113640
 
E04112135
E04112135E04112135
E04112135
 
D04111520
D04111520D04111520
D04111520
 
C04111114
C04111114C04111114
C04111114
 
B04110710
B04110710B04110710
B04110710
 
A04110106
A04110106A04110106
A04110106
 
I04105358
I04105358I04105358
I04105358
 
H04104952
H04104952H04104952
H04104952
 
G04103948
G04103948G04103948
G04103948
 
F04103138
F04103138F04103138
F04103138
 
E04102330
E04102330E04102330
E04102330
 
D04101822
D04101822D04101822
D04101822
 
C04101217
C04101217C04101217
C04101217
 
B04100611
B04100611B04100611
B04100611
 

IJEI - Study of SQL injection in banking transactions

  • 1. International Journal of Engineering Inventions ISSN: 2278-7461, www.ijeijournal.com Volume 1, Issue 8 (October2012) PP: 70-75 A STUDY OF SQL INJECTION IN BANKING TRANSACTION Varun Tiwari1, Kimmi Makhija2, Jyoti Ratra3 1 Research Scholar NWMDI University South Africa. 2,3 Asst. Prof. KIRAS, (Affiliated GGSIP University) Abstract:––In these days the use of the World Wide Web (WWW) is increasingly rapidly, so there are lot of problems comes from hacking. One of the most important fields of Hacking is Banking Sector. In case of Banking System there are lots of transactions daily, soproviding the security from the attackers is necessary. Now these days the major issues of the security in the Banking Transaction are SQL Injections, which are creating a serious issues regarding the attacks of Banking applications and acquiring the secret information‘s such as id and Password and accessing the bank databases through the SQL injections. My main motive to presenting this paper is describing the sql injection method, techniques and how to prevent this situation? These methods we can protect transaction from the attack by using SQL injections.These methods are used to denote the parameters that are used to attack by the SQL injections and analyzed by the transactions which cause illegal access. By these methods we can totally protect the applications without any hacking of the database and completely condemned the attacks and it will not generate any wrong transactions as a correct one. In an SQL injection attack, an attacker might insert a malicious SQL query as input to perform an unauthorized database operation. Using SQL injection attacks, an attacker can retrieve or modify confidential and sensitive information from the database. Keywords:––SQLInjection, Security, Detection and Prevention. I. INTRODUCTION "An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input." SQL injection is an attack in which malicious code is inserted In to strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. List of some SQL Injection attacker bank are 1. Forex Swiss Bank Vulnerable to SQL Injection [1] 2. HDFC Bank Database Hacked by zSecure team using SQL injection vulnerability [2] [1] SQL Injection Vulnerability found in Dukascopy by zSecure Team. Dukascopy offers direct access to the Swiss Foreign Exchange Marketplace. This market provides the largest pool of ECN spot forex liquidity available for banks, hedge funds, other institutions and professional traders. To accommodate the existing banking relationships of its clients, Dukascopy offers full Prime Broker capability with give up facility, by utilizing an extensive network of banking partners. [5] [2] ZSecure team is back in news again, this time they have discovered a critical SQL injection vulnerability in HDFC Bank's Web Portal. Using this critical flaw HDFC Bank's various databases can be accessed and dumped as well. This critical flaw really affects the customer relations of HDFC Bank's and this really questions the existing security in place within bank.HDFC Bank is the leading bank in India but they lack behind the basic security that needs to be implemented. ZSecure team claimed in their blog post that even after sending they complete details about the vulnerability and even after conducting the vulnerability assessment from the third party service provider they were not able to discover this critical flaw which existed in their web portal. This really raises a big question on their existing security policy. [6] SQL Injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to an organization's resources or to make changes to data. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server. "What makes this vulnerability so pervasive is that SQL Injection attacks can prey on all types of Web applications - even those as simple as a monthly loan payment calculator or a 'signup for our customer newsletter' form," . "SQL Injection is successful only when the web application is not sufficiently secured,". "Unfortunately, the majority of websites and web applications are not secure. Thus, we are advising all organizations to use 'input validation' for any form to ensure that only the type of input that is expected is accepted." [1] 1.1 How Hacker Done The hacker goes to coffee shop and connects to the same Wi-Fi network you are connected to. He runs a series of utilities to redirect other user‘s data through his machine. He runs a number of other utilities to sniff the data, act as an SSL Certificate Server and to be the Man-the-Middle. The following diagram shows a very simplified graphic of how your SSL Banking session should work under normal conditions, then how it would work during an attack: ISSN: 2278-7461 www.ijeijournal.com P a g e | 70
  • 2. A STUDY OF SQL INJECTION IN BANKING… An important concept to grasp here is that a certificate is used to establish the secure SSL connection. This is a good thing, if you have a good certificate and are connecting directly to the website to which you intended to use. Then all your data is encrypted from your browser to the SSL website where the bank‘s website will use the information from the certificate it gave you to decrypt your data/credentials. If that is truly the case, then it is pretty darn hard for a hacker to decrypt the data/credentials being transmitted, even if he is able to sniff your data. This is a bad thing if you have a ―Fake‖ certificate being sent from the hacker, and you are actually connecting to his machine, not directly to the bank‘s website. In this case, your credentials are being transmitted between your browser and the hacker‘s machine. The hacker is able to grab that traffic, and, because he gave you the certificate to encrypt the data/credentials, he can use that same certificate to decrypt your data/credentials. 1.2 Approaching Methods 1. Input Validation 2. Static Query Statement 3. Least Privilege 4. Code Verification 5. Web Application Gateway 6. SQL Driver Proxy 7. MISC Method Some other method to prevent attack of SQL Injection: 1. Trust no-one 2. Don't use dynamic SQL when it can be avoided 3. Update and patch 4. Firewall 5. Reduce your attack surface 6. Use appropriate privileges 7. Keep your secrets secret 8. Don't divulge more information than you need to ISSN: 2278-7461 www.ijeijournal.com P a g e | 71
  • 3. A STUDY OF SQL INJECTION IN BANKING… 9. Don't forget the basics 10. Buy better software 1.3 Preventing Techniques 1.3.1 X – Log Authentication Technique This approach addresses SQLIA‘s (Sql Injection Attack) with runtime monitoring. The key insights behind the approach are that (1) the sourcecode contains enough information to infer models of theexpected, legitimate SQL queries generated by theapplication, and (2) an SQLIA, by injecting additional SQLstatements into a query, would violate such a model.Proposed technique monitors the dynamically generatedqueries with the Data model which is generated by X- LogGenerator at runtime and checks them for compliance. Ifthe Data Comparison violates the model then it representpotential SQLIA‘ s and prevented from executing on thedatabase and reported. For each application, when the loginpage is redirected to our checking page, it was to detect andprevent attacks without stopping legitimate accesses.Moreover, our technique proved to be efficient, imposingonly a low overhead on the Web applications. This techniqueconsists of three filtration techniques to prevent SQLI‘S.We summarize the steps and then describe them in moreConclusions. Detail in subsequent sections. Vulnerability Guard: Vulnerability Guard detects theWildcard characters or Meta characters and prevents themalicious attacks. X – Log Authentication: X-Log valuator validate from-Log Generator where the Sensitive data‘s are Stored fromthe Database, The user input fields compare with the dataexisted in X-Log generator if it is identical then the queryis allowed to proceed. Stored Procedure: Testing the size and data type ofinput and enforce appropriate limit. Stored Procedures isused to validate user input and to perform server sidevalidation. The safety of stored procedures depends on theway in which they are coded and on the use of adequatedefensive coding practices. These Three input filtrations areused to improve the scalability, performance andoptimization. 1.3.2 AMNESIA AMNESIA (Analysis and Monitoring for Neutralizing SQL Injection Attacks) is the prototype tool that implements our techniqueto counter SQLIAs for Java-based web applications. AMNESIA is developed in Java and its implementation consists of three modules that leverage various existing technologies and libraries: Analysis module: This module implements Steps 1 and 2 of our technique. Its input is a Java web application and it outputs list of hotspots and a SQL-query models for each hotspot. For the implementation of this module, we leveraged JSA [5]. The analysis module is able to analyze Java Servletsas well as JSP pages. Instrumentation module: This module implements Step 3 of our technique. It inputs a Java web application and a list ofhotspots and instruments each hotspot with a call to the runtime monitor. We implemented this module using INSERT,a generic instrumentation and monitoring framework for Java developed at Georgia Tech [4]. Runtime-monitoring module:This module implements Step 4 ofour technique. It takes as input a query string and the IDof the hotspot that generated the query, retrieves the SQLquerymodel for that hotspot, and checks the query againstthe model. For this module, we also leveraged INSERT. Figure 6 shows a high-level overview of AMNESIA. In thestatic phase, the Instrumentation Module and the Analysis Moduletake as input a web application and produce (1) an instrumentedversion ISSN: 2278-7461 www.ijeijournal.com P a g e | 72
  • 4. A STUDY OF SQL INJECTION IN BANKING… of the application, and (2) an SQL-query model for eachhotspot in the application. In the dynamic phase, the Runtime-Monitoring Module checks the dynamic queries while users interactwith the web application. If a query is identified as an attack, it is blocked and reported. [2] Another Step of Amnesia Tool Identify hotspots: Scan the application code to identifyhotspots—points in the application code that issue SQLqueries to the underlying database. Build SQL-query models: For each hotspot, build a modelthat represents all of the possible SQL queries thatmay be generated at that hotspot. An SQL-querymodel is a non-deterministic finite-state automaton inwhich the transition labels consist of SQL tokens, de-limiters, and placeholders for string values. Instrument Application:At each hotspot in the application, add calls to the runtime monitor. Runtime monitoring: At runtime, check the dynamically-generated queries against the SQL-query model andreject and report queries that violate the model. 1.4 SECURITY EXAMPLE OF SQL INJECTION Websites of many banks, credit unions, smaller online retailers, and many government agencies remain highly vulnerable to SQL injection attacks. 8th November 2010: (BBC News) The Royal Navy's website has been hacked by a suspected Romanian hacker known as TinKode. December 2009: (The New York Times) An attacker breached a Rock You plaintext database containing the unencrypted usernames and passwords of about 32 million users using an SQL injection attackWebsites of many banks, credit unions, smaller online retailers, and many government agencies remain highly vulnerable to SQL injection attacks. Some of the real world examples: Most of the application will have a login screen and we construct dynamic SQL statement with the screen input as follows: SELECT *FROM Users WHERE login = 'ravi' and password = 'dBa#1'; If the attacker modifies the user name supplied as ‗ravi' or 1=1; -- then the code will be as follows: SELECT *FROM UsersWHERE login = 'ravi' or 1=1;--and password = 'dBa#1'; If the above statement executes, the attacker can gain access to the database as 1=1 is always true. The attacker could log on as any user, given that they know the users name, using the following input: Username: admin'-- If the user specifies the following: Username: ‗drop table users-- Password: The 'users' table will be deleted, denying access to the application for all users. To illustrate how an SQLIA occurs, we introduce a simple example that we will use throughout the paper. The example is based on a Servlets, show.jsp, for which a possible implementation is shown in here: [4] 1.4.1 Example of Secure Login by Java Language public class Show extends HttpServlet { publicResultSetgetUserInfo(String login, String password) { ISSN: 2278-7461 www.ijeijournal.com P a g e | 73
  • 5. A STUDY OF SQL INJECTION IN BANKING… Connection conn = DriverManager.getConnection("MyDB"); Statement stmt = conn.createStatement(); String queryString = ""; queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login=‘" + login + AND pass=‘" + password + "‘"; } Else { queryString+="login=‘guest‘"; } ResultSettempSet = stmt.execute(queryString); returntempSet; }. } 1.4.2 Example of Secure Login by Php Language To prevent such an attack, a secure login technique is required. Here, in this article, we discuss the coding of a secure login script using PHP and Mysql. Step I:Create a database and a table 'members' in it: CREATE TABLE `members` (`username` varchar (20), `password` varchar (128)) Step II: Create a Login Form: <formaction="process_login.php" method="post"> Username: <input type="text" name="username" /> Password: <input type="password" name="password" /> <input type="submit" value="Login" /></form> Connect to Mysql Server: $host = 'local host'; // Host name Normally 'LocalHost' $user = 'root'; // MySQL login username $pass = ''; // MySQL login password $database = 'test'; // Database name $table = 'members'; // Members name mysql_connect ($host, $user, $pass); mysql_select_db($database); Step III: Now, you need to provide mechanism to avoid SQL Injection. For this, escape special characters like ", ', We can escape special characters (prepend backslash) using mysql_real_escape_string or add slashes functions. In most cases PHP will this do automatically for you? But PHP will do so only if the magic_quotes_gpc setting is set to on in the php.ini file. If the setting is off, we use mysql_real_escape_string function to escape special characters. If you are using PHP version less that 4.3.0, you can use the add slashes function instead. name = mysql_real_escape_string ($_POST['username']); $password = md5 ($_POST ['password']); $result = mysql_query ("SELECT * FROM $table WHERE username = '$username' AND password = '$password'"); Here, we use the MD5 (Message Digest 5) Algorithm, that generates the message digest for the password. So, while writing the script for registration page, care must be taken that the md5 of the password entered by the user must be stored in the database, instead of the actual text password. Validating the login: if(mysql_num_rows($result)) { session_start(); $_SESSION['username'] = htmlspecialchars($username); } else { // Invalid username/password echo '<p><strong>Error:</strong> Invalid username or password.</p>'; } // Redirect header('Location: http://www.example.com/loggedin.php'); exit; ISSN: 2278-7461 www.ijeijournal.com P a g e | 74
  • 6. A STUDY OF SQL INJECTION IN BANKING… You are done!! This code will help prevent the SQL injection problem. However, it must be noted that no script is 100% secure. So, it is advisable to provide multilevel security process, which makes the login more secure. II. CONCLUSION In this paper we mention there are lot of mechanism and technique used to prevent the SQL Injection in Banking Transaction. We have presented a survey reports on various types of SQL Injection attacks in Bank, Methods, and Prevention Techniques. At Last Conclusion the best and suitable techniques are Amnesia and X-Log Authentication. In this technique we use different type‘s language such as Java and Php. REFERENCES 1. Research Book ―SQLInjectionWhitePaper‖. 2. AMNESIA: Analysis and Monitoring for Neutralizing SQLInjection Attacks William G.J. Halfond and Alessandro Orso, College of Computing, Georgia Institute of Technology, ASE’05, November 7–11, 2005. 3. ―Securing Web Application Code by Static Analysis and Runtime Protection‖, In Proceedings of the 12th International World Wide Web Conference (WWW 04), May 2004. 4. Steve Fried‘s Unixwiz.net Tech Tips ―SQL Injection Attacks by Example‖. 5. Report on ―Dukascopy: Forex Swiss Bank Vulnerable to SQL Injection‖. 6. Report on ―HDFC Bank Database Hacked by zSecure team using SQL injection vulnerability‖. 7. Research Book ―SQL Injection Attacks and Defense‖ author Justin Clarke. 8. ―Preventing SQL Injection Attacks Using AMNESIA‖ William G.J. Halfond and Alessandro OrsoCollege of Computing Georgia Institute of Technology , ICSE’06, May 20–28, 2006, Shanghai, China. 9. ―A Survey on SQL Injection: Vulnerabilities, Attacksand Prevent ion Techniques‖ Diallo Abdoulaye Kindy and Al-Sakib Khan PathanDepartment of Computer Science, International Islamic University Malaysia, Malaysia. 10. M. Ruse, T. Sarkar and S. Basu. Analysis & Detection of SQLInjection Vulnerabilities via Automatic Test Case Generation ofPrograms. 10th Annual International Symposium on Applicationsand the Internet pp. 31 – 37 (2010) 11. Preventing SQL Injection Attacks in Stored Procedures Wei, M. Muthuprasanna, SurajKothari Dept. of Electrical and Computer Engineering Iowa State University Ames, IA – 50011. ISSN: 2278-7461 www.ijeijournal.com P a g e | 75