Abstract

The Internet and web applications play a very important role in modern daily life. Many everyday activities, such as browsing, online shopping and booking travel tickets, have become easier through web applications. As the number of web applications grows, their security becomes a major concern. Most web applications use a database as a back end to store critical information such as user credentials, financial and payment information and company statistics. These websites are continuously targeted by highly motivated malicious users seeking monetary gain. Multiple client-side and server-side vulnerabilities, such as SQL injection and cross-site scripting, are discovered and exploited by malicious users. SQL injection attacks and cross-site scripting vulnerabilities are top ranked in the Open Web Application Security Project (OWASP) top ten vulnerabilities list. A number of security approaches have been proposed and used to secure web applications, such as secure coding practices, encryption, and static and dynamic analysis of code, but statistics show that these vulnerabilities still remain at the top. In this paper, we present an integrated model to prevent SQL injection attacks and reflected cross-site scripting attacks in PHP-based implementations. This model is more effective in preventing SQL injection attacks and reflected cross-site scripting attacks in a production web environment. Our mechanism is divided into two modes, a safe mode and a production mode. In the safe mode we construct a security query model for each identified SQL query, to counter SQL injection attacks, and a sanitizer model for each identified input entry point, to counter reflected cross-site scripting attacks. In the production environment, input entries that create dynamic SQL queries are validated against the security query model generated in safe mode, and normal input text entered by the user is validated by the sanitizer model instrumented in the code during safe mode. The results and analysis show that the proposed approach is simple and effective in preventing common SQL injection vulnerabilities and reflected cross-site scripting vulnerabilities.
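To make the two-mode idea concrete, here is an added illustration (not the paper's code, which targets PHP) of one way a "security query model" can be built in safe mode and enforced in production: the model records the token-class structure of the query built with a trusted sample value, and at runtime the dynamically built query is accepted only if its structure is unchanged. The tokenizer, the keyword list and the query template are assumptions of this example.

```python
import re

# Lexical classes that make up the query model.  An injected input that
# changes the query's structure changes this class sequence even when the
# literal bytes differ from any known attack string.  (Constructed example;
# the paper's own model construction may differ.)
TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*')           # single-quoted string literal ('' is an escaped quote)
  | (?P<num>\d+(?:\.\d+)?)            # numeric literal
  | (?P<comment>--[^\n]*|/\*.*?\*/)   # SQL comment
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)  # keyword or identifier
  | (?P<op>[=<>!]+|[(),;*])           # operators and punctuation
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"select", "from", "where", "and", "or", "union", "insert", "into",
            "values", "update", "set", "delete", "drop", "like", "order", "by"}

def tokenize(sql):
    """Reduce a query to its sequence of token classes, i.e. its structure."""
    classes = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "word":
            kind = "kw" if m.group().lower() in KEYWORDS else "id"
        classes.append(kind)
    return classes

class QueryModel:
    """Safe mode: record the structure of the query built with a trusted sample value."""
    def __init__(self, template, sample_value):
        self.shape = tokenize(template.format(user=sample_value))

    def accepts(self, runtime_query):
        """Production mode: the dynamically built query must keep the recorded structure."""
        return tokenize(runtime_query) == self.shape

# Assumed query template, standing in for a PHP query built by string concatenation.
TEMPLATE = "SELECT id, role FROM users WHERE username='{user}' AND active=1"

def check_input(model, user_input):
    """Build the query the way the application would, then validate it against the model."""
    return model.accepts(TEMPLATE.format(user=user_input))

if __name__ == "__main__":
    model = QueryModel(TEMPLATE, "sample")
    for value in ["alice", "O''Brien", "' OR '1'='1", "x' UNION SELECT password, 1 FROM users --"]:
        print(repr(value), "->", "accepted" if check_input(model, value) else "rejected")
```

A benign value, including one with a correctly escaped quote, keeps the recorded structure and is accepted; any input that adds tokens to the query is rejected without a signature for the specific payload.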
