Study on Authentication Process in Web Applications and SQL Injection Attack Techniques

Fakhir, Salem Aldrder Fakhir (2018) Study on Authentication Process in Web Applications and SQL Injection Attack Techniques. Magister thesis, Universitas Brawijaya.


Currently, web applications are very important in facilitating human life by providing better services in education, commerce, culture, online banking and so on. Certainly, the back-end database is the heart of most web applications. Attacks on web applications' databases are a main concern of security specialists. Among all database vulnerabilities, SQL injection attack is the most severe attack recently reported, used to threaten the confidentiality, integrity, functionality and availability of applications' back-end databases, as reported by security experts and by the Open Web Application Security Project, regardless of the size or structure of the web application. In addition, a SQL injection attack can bypass the authentication process and countless traditional or modern defense layers, including firewalls and intrusion detection systems. The lack of a user authentication mechanism on login pages in web applications is usually exploited by hackers to inject well-crafted code for bypassing the authentication process. In addition, insufficient validation of input data on other pages of the web application is the root cause of second-order SQL injection attacks. Even though researchers and developers have provided various techniques for preventing and detecting different SQL injection mechanisms using different analysis approaches in order to protect web applications' databases, none of them has provided a complete or sufficiently accurate technique for combatting all SQL injection attack mechanisms. Certainly, the login page is the first page in most web applications; it is responsible for providing users with an appropriate way to enter their user name and password in a single form through input boxes that, in most cases, accept alphanumeric values. In addition, this page holds important identity variables, user name and password, to be passed to an additional layer for authentication purposes.
Whenever a user wants to log in to a web application, he/she must enter a correct username and password for authentication. On the other hand, there are malicious users who may inject code through the web application tier to deceive the database server by exploiting the variables that hold the values of username and password, in order to make the result returned by the query always true and thereby bypass the authentication process. In this research, the first phase is the literature review, in which the researcher studied, investigated, reviewed and analyzed the related works in order to formulate the problem statement. The approach used for performing this phase was a Systematic Literature Review (SLR). Three activities were performed for the SLR: appropriate source selection and search strategy; primary article identification and evaluation; and information extraction and synthesis. The second phase is the design and implementation phase. A comparative study between two common SQL injection prevention and detection techniques, SQLIPA (Ali et al., 2009) and an authentication scheme based on AES (Balasundaram and Ramaraj, 2011), is performed in order to study the difference in the time needed to detect and prevent the attacks, as well as to compare the functionality and performance of the two techniques. In addition, the proposed method is an enhanced user authentication that prevents SQLIA by hashing and salting the user name and password. The third phase is conducted to compare the functionality and the performance of the two techniques. The evaluation is based on three parameters: key sizes (128, 256 and 512), the processing overhead (time needed for encryption of user name and password), and the processing overhead of the proposed scheme with different numbers of users (10, 20, 30, 40 and 50).
The results obtained for both techniques are compared on those three parameters. In addition, in the comparative study, the results of simulating the techniques are compared on the evaluation parameters.
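The abstract describes a login query that a crafted username/password value can turn into an always-true condition, and a remedy based on hashing and salting the credentials. The following added example (not from the thesis) puts the two side by side against a constructed in-memory SQLite table: a login that concatenates the inputs into SQL text, and a hardened login that binds the username as a parameter and compares a salted PBKDF2 digest. The user "alice", her password and the table layout are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; tune to the deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_db(username: str, password: str) -> sqlite3.Connection:
    """Constructed in-memory user table. The plaintext column exists only so the
    vulnerable legacy login below has something to query against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT,"
                 " salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)  # per-user random salt, stored beside the digest
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 (username, password, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Login as described in the abstract: both inputs are pasted into the SQL
    text, so the user controls the WHERE clause, not just its values."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username: str, password: str) -> bool:
    """Parameterised lookup plus salted-hash comparison: the username is bound
    as data and never parsed as SQL; the password only ever meets a digest."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db("alice", "correct horse")
    crafted = "' OR '1'='1"  # constructed always-true input from the abstract
    print(login_vulnerable(db, "alice", "correct horse"), login_vulnerable(db, crafted, crafted))
    print(login_hardened(db, "alice", "correct horse"), login_hardened(db, crafted, crafted))
```

Run against the same table, the concatenating login accepts the crafted value as a valid session while the hardened login simply finds no such user; note that the hardened path also never stores or compares the plaintext password.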

Item Type: Thesis (Magister)
Identification Number: TES/005.8/FAK/s/2018/041802284
Subjects: 000 Computer science, information and general works > 005 Computer programming, programs, data > 005.8 Data security
Divisions: S2/S3 > Magister Teknik Elektro, Fakultas Teknik
Depositing User: Yusuf Dwi N.
Date Deposited: 09 Aug 2019 02:18
Last Modified: 09 Aug 2019 02:18
Full text not available from this repository.
