Scholarly Journal 2: The Adam and Eve Paradox:
Kraft, Michael; Rohret, David; Vella, Michael; Holston, Jonathan. International Conference on Information Warfare and Security; Reading: 275-VIII. Reading: Academic Conferences International Limited. (2013)
Abstract: Individuals working in the Information Technology (IT) industry are familiar with Moore’s Law and its guiding principle: exponential improvement every 18-24 months where computer technology is concerned (Brock, 2006). This principle has been proven generally accurate and is routinely used for long term planning by the computer industry, which has led to an explosion in computing power and technologies that have catapulted computing into every aspect of humans’ lives in the 21st century. However, while new technologies increase the quality of life for the current generation, they also provide avenues for nefarious individuals to take advantage of others using the same new technologies. To help counter this, the IT industry has made great strides in its efforts to protect users by developing security appliances to include firewalls, intrusion detection systems, encryption, passwords, two-factor authentication methods, and a layered approach to security; to name just a few. It is because of this effort by the IT industry to help protect users that the authors have identified unique cyber attack trends that could be referred to as a new “Moore’s Law” (as it pertains to cyber security). As computer technologies become more sophisticated and robust, malicious actions have become less sophisticated, and in many instances, cyber exploitation and attacks occur without the use of technology. The authors have penned this concept as the “Adam & Eve Paradox”. The paradox construct being, as technologies improve and network perimeters are hardened preventing direct attacks against systems, users and systems are being exploited at an exponentially increased rate by methods contrary to the technological improvements. Cyber criminals and hackers will always first attempt attacks against the easiest targets, known as the low-hanging forbidden fruit described in the biblical Adam & Eve story.
While the IT industry continues to spend billions of dollars (US) annually to create appliances and develop software to protect its resources, data, and users, attackers are increasingly focusing their attention on the lowest hanging fruit, from an unsuspecting user who clicks a link in an email to a helpful administrator who provides information to a false authority. As the IT industry moves in the direction of complex defensive tactics, attackers are moving towards less complex, softer targets that are more difficult to detect, block, and mitigate. It is the authors’ intention to define and substantiate the “Adam & Eve Paradox”.
Security Professionals: As hackers increase their capability through automated tools and technologies, network security personnel have become more sophisticated. In the early days of information technology (IT), the system administrator was usually responsible for maintaining computers and network resources, and also for ensuring the security of each device. In today’s IT realm, companies hire security experts who are solely responsible for the security of computers and networking devices. Network compartmentalization has become a necessity to combat a hacking community comprised of novice to expert practitioners.
The lowest hanging fruit as it pertains to web servers is SQL injection. SQL injection defined: “It is the vulnerability that results when you give an attacker the ability to influence the Structured Query Language (SQL) queries that an application passes to a back-end database. By being able to influence what is passed to the database, the attacker can leverage the syntax and capabilities of SQL itself, as well as the power and flexibility of supporting database functionality and operating system functionality available to the database. SQL injection is not a vulnerability that exclusively affects Web applications; any code that accepts input from an untrusted source and then uses that input to form dynamic SQL statements could be vulnerable” (Clarke et al., 2012).
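The definition above turns on one mechanism: untrusted input becoming part of the SQL text the database parses. The following is an added example, not code from the paper, showing a login check built by string concatenation beside the parameterized form that removes the defect. The table, the user record and the probe string are constructed here against an in-memory SQLite database so the comparison runs offline.

```python
"""Added example (not from Kraft et al.): a string-built query beside its
parameterized replacement, run against an in-memory SQLite database that
is constructed here for illustration."""
import sqlite3


def make_db():
    """Constructed sample database: one user with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Splices untrusted input into the SQL text.

    Because the input is parsed as part of the statement, it can change the
    statement's structure; this is the defect Clarke et al. describe.
    """
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """Sends the values separately from the statement via placeholders.

    The database receives the statement shape and the values as distinct
    things, so the values are never parsed as SQL.
    """
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Constructed probe string of the kind used in regression tests: as a
# password it turns the WHERE clause into "... AND password = '' OR '1'='1'".
INJECTION_PROBE = "' OR '1'='1"


def compare():
    """Run both implementations with a correct password and with the probe."""
    conn = make_db()
    return {
        "vulnerable_correct": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_probe": login_vulnerable(conn, "alice", INJECTION_PROBE),
        "parameterized_correct": login_parameterized(conn, "alice", "correct horse"),
        "parameterized_probe": login_parameterized(conn, "alice", INJECTION_PROBE),
    }


if __name__ == "__main__":
    for case, accepted in compare().items():
        print(f"{case}: {'login accepted' if accepted else 'login rejected'}")
```

Both functions accept the genuine credentials; only the concatenating version also accepts the probe, because AND binds tighter than OR and the trailing `'1'='1'` makes every row match. The parameterized version treats the probe as a literal password string that matches nothing, which is the behaviour a regression test should assert on.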
As reported by the Web Hacking Incident Database 2007 annual report (Shezaf & Teams, 2007), SQL injection accounts for 20% of all attacks against web servers. Figure 5 below shows the top 10% attacks recorded in this report.
According to the same annual report for 2008 (Barnett, 2008), SQL injection jumped to 30%, as depicted in figure 6 below.
This is significant because most web sites that offer services usually have some kind of input field linking the front end user interface to a backend database server. The backend database server is more secure and often unreachable from external communications, however, there is a trusted relationship that allows for communications to occur between the front end web site input fields and the database. This is also significant because if organizations are to make a profit or provide some sort of service to the public, they will need to have these resources available on the internet. Attackers know this and will always target these resources versus trying to get inside the perimeter, as discussed earlier.
To further demonstrate the widespread use of SQL injection, an InformationWeek report breaks down web site attacks and also highlights SQL injection as the most used attack type. Figure 7 from this report demonstrates this fact (Prince, 2012).
5. Why attackers choose the low hanging fruit:
The low hanging fruit identified in this paper will always be the path of least resistance. Attackers will not often waste time, energy, or resources taking on the expensive, highly technical appliances being put in place by organizations. It is human nature to find the path of least resistance in order to reach one’s goals. Advanced security appliances are being used to deter and reject direct attacks against an organization’s critical infrastructure, but the attackers do not face these appliances when less security-focused employees are freely opening malware-filled e-mails, clicking on malicious links on random web pages, and downloading third party software without approval.
6. Summary:
As organizations fight to protect their cyber assets, they continue to spend a large portion of their IT budget on security appliances, out-sourced security professionals, and liabilities. The process of defending network assets and the data they contain has led the IT market to produce highly specialized and capable appliances that have made it difficult for attackers to remotely exploit and compromise networks. These appliances and the resources required to maintain an experienced IT security work force are a necessary component of the layered security approach. Organizations must continue to invest in emerging security technologies to remain protected against future waves of innovative attacks by cyber criminals and hackers.
One result of this aggressive defense is that cyber criminals and hackers are resorting to less technical avenues and using the human factor or low-risk web-based attacks (lowest hanging fruit) in order to accomplish their goals. These vectors of attack include social engineering, social network manipulation, phishing/spear phishing, self-propagating malware, and web server SQL attacks. As computer technologies become more sophisticated, malicious actions become less technical, and in many instances, cyber exploitation occurs using only social engineering methods. Therefore, as network security expenditures on security appliances and out-sourced consulting requirements increase, the cost of a network attack has decreased, creating what the authors have coined “the Adam and Eve Paradox”.
References:
Barnett, R., 2008. The Web Application Security Consortium / Web Hacking Incident Database 2008 Annual Report. [Online] Available at: http://projects.webappsec.org/w/page/27087349/Web%20Hacking%20Incident%20Database%202008%20Annual%20Report [Accessed 30 September 2012].
Brock, D., 2006. Understanding Moore’s Law: Four Decades of Innovation. 1st ed. Philadelphia: Chemical Heritage Foundation.
Clarke, J. et al., 2012. SQL Injection Attacks and Defense, Second Edition. 2nd ed. Waltham: Syngress Publishing.
Cross, T., 2012. IBM X-Force Trend & Risk Report Shows Progress Against Security Threats But Attackers Adapt. [Online] Available at: http://asmarterplanet.com/blog/2012/03/ibm-x-force-trend-risk-report-shows-progress-against-security-threats-but-attackers-adapt.html [Accessed 26 October 2012].
Dinan, M., 14 April 2009. Taxpayers Beware: Cyber-Criminals Seek to Intercept IRS Filings. [Online] Available at: http://siptrunking.tmcnet.com/topics/security/articles/54168-taxpayers-beware-cyber-criminals-seek-intercept-irs-filings.htm [Accessed 15 November 2012].
Hadnagy, C., 2011. Social Engineering: The Art of Human Hacking. 1st ed. Indianapolis: Wiley Publishing Inc.
Harper, A. et al., 2011. Gray Hat Hacking: The Ethical Hacker’s Handbook, Third Edition. 3rd ed. s.l.: McGraw-Hill Companies.
Howard, D. & Prince, K., 2011. Security 2020: Reduce Security Risks This Decade. Indianapolis: Wiley Publishing, Inc.
Krasnow, M. J. & Dorsey & Whitney LLP, 2012. IRMI.com: Cyber Threats Contributing to Breaches. [Online] Available at: http://www.irmi.com/expert/articles/2012/krasnow01-cyber-privacy-risk-insurance.aspx [Accessed 30 September 2012].
Lindberg, C. A., 2010. New Oxford American Dictionary. 3rd ed. USA: Oxford University Press.
Osisecurity.com.au, 2012. Web Application Security Testing / OSI Security. [Online] Available at: http://www.osisecurity.com.au/solutions/web-app-security-testing [Accessed November 2012].
Prince, B., 2012. InformationWeek Reports: Strategy: How Attackers Find and Exploit Database Vulnerabilities. [Online] Available at: http://reports.informationweek.com/abstract/21/8851/Security/strategy-how-attackers-find-and-exploit-database-vulnerabilities.html [Accessed 30 September 2012].
Research, D., 2011. Social Engineering Survey. [Online] Available at: http://www.checkpoint.com/press/downloads/social-engineering-survey [Accessed 2012 September 2012].
Sadeh, N. M. a. P., 2012. Why Phish Should Not Be Treated as Spam / Dr Dobb’s. [Online] Available at: http://www.drdobbs.com/security/why-phish-should-not-be-treated-as-spam/240001777 [Accessed 30 September 2012].
Schneier, B., 2008. Schneier on Security. Indianapolis: Wiley Publishing Inc.
Shezaf, O. & Teams, B. S. L., 2007. The Web Hacking Incidents Database Annual Report 2007. [Online] Available at: http://projects.webappsec.org/w/page/13246990/Web%20Hacking%20Incident%20Database%202007%20Annual%20Report [Accessed 30 September 2012].
AuthorAffiliation:
Michael Kraft, David Rohret, Michael Vella and Jonathan Holston
Computer Sciences Corporation, Inc., San Antonio, USA
mkraft5@csc.com
drohret@ieee.org
mvella3@csc.com
iholston@csc.com
AuthorAffiliation:
Jonathan L. Holston, CSC, Inc. Joint Information Operations Warfare Center (JIOWC). Mr. Holston served in the US Air Force as a vulnerability analyst assigned to the National Security Agency. His research interests include identifying third-world adversarial attack methodologies on communication networks and satellite communications and their associated vulnerabilities.
Michael E. Kraft, CSC, Inc. Joint Information Operations Warfare Center (JIOWC) For more than ten years Mr. Kraft has been deeply involved with Information Assurance and network security. He holds a Master of Science in Information Assurance degree from Capitol College of Maryland. Mr. Kraft is a Certified Information Systems Security Professional (CISSP).
Copyright Academic Conferences International Limited 2013
Scholarly Journal 1: Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration.
Lescisin, Michael; Mahmoud, Qusay H.; Cioraca, Anca. Computers; Basel Vol. 8, Iss. 4, (2019): 80. DOI: 10.3390/computers8040080.
5. Existing Software Packages:
Our tool employs several pre-existing software packages for vulnerability detection, version control, and report generation. The tools AddressSanitizer, Valgrind, Sqlmap, Commix, XSS Me, and DotDotPwn were used for detecting vulnerabilities in the software being tested. These tools were selected as they cover the nine types of vulnerabilities reported on by our tool. MITRE listed the top four software vulnerabilities as: SQL injection, OS command injection, buffer overflow, and cross-site scripting. Path traversal vulnerabilities were ranked at number 13. These vulnerabilities can be divided into two broad categories: memory safety vulnerabilities and code injection vulnerabilities. Memory safety vulnerabilities are concerned with illegal accesses to memory (such as buffer overflows or use-after-free), while code injection vulnerabilities are concerned with tricking a victim program into treating untrusted data as code (SQL injection, cross-site scripting, etc.) [21]. For the memory safety vulnerabilities, two popular testing programs are Valgrind Memcheck and AddressSanitizer. AddressSanitizer is routinely used by Google for testing for memory safety bugs in their Chrome browser and has found over 300 previously-undetected vulnerabilities [22]. Although slower than AddressSanitizer, Valgrind has also been used for bug detection in a wide variety of popular software [23]. Commix, SQLmap, and DotDotPwn were chosen for OS command injection, SQL injection, and path traversal, respectively, as they are found as included packages in the popular penetration testing Linux distribution, Kali Linux [24], and are thus well established tools in the computer security community. Wanting to make our tool capable of automated testing of web pages, we modified the XUL code of Iceweasel (Debian’s Firefox) to accept remote privileged JavaScript commands from a testing process.
This also gave us the possibility of automating a Firefox plugin of which there are many with the purpose of penetration testing [25]. From these plugins, we chose XSS Me as the default XSS penetration testing tool for our tool. Finally, all our chosen penetration testing tools were free and open-source, which reduced the cost of building our tool and gave us, and the end-user, more freedom to modify any of the programs as needed. Version control was done with Git, and report generation was done with Jinja2. A sandboxed, snapshot (stateless) testing environment was provided by QEMU-KVM. The following discusses these software packages in detail.
5.6. Sqlmap:
Sqlmap is a penetration testing tool for detecting and exploiting SQL injection security flaws [32]. It has been used to successfully detect SQL injection flaws in production software [33,34].
7.1. Developing the Test Cases:
Testing for command injection vulnerabilities was straightforward as Commix was able to detect the command injection vulnerability in the value_x parameter and exploit it. The same command injection test case template that was used when developing this tool was used, and only the URL and parameter tested by Commix needed to be changed. Testing for path traversal vulnerabilities was also straightforward as DotDotPwn was able to detect the path traversal vulnerability. The standard path traversal test case template was used, and only the base URL supplied to DotDotPwn needed to be changed. Testing for the use-after-free vulnerability was also straightforward as AddressSanitizer was able to identify the use-after-free whenever it occurred. The standard use-after-free template was used, and only the arguments passed to the program needed to be changed. Testing for HTML injection (XSS) vulnerabilities was more difficult as our original test case only used XSS Me’s “Test all forms with all attacks” feature. This, however, did not catch the XSS vulnerability present in our application, as the vulnerability could only be triggered by an authenticated user. Our XSS test case needed to be modified so that it would only attempt to post XSS attack strings as an authenticated user. After this modification, our test case was able to detect the XSS vulnerability and properly report on it. Testing for SQL injection vulnerabilities was also difficult as sqlmap was unable to detect any vulnerabilities in our application. Instead, a test case was written to test an SQL injection vulnerability manually. Although the SQL injection vulnerability could not be automatically detected, this test case can still prove useful for detecting code regressions. If the bug is fixed, but then re-introduced, our tool will immediately alert the developers of this problem.
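The regression role described here, a hand-written test case that keeps alerting if a fixed bug comes back, is what the paper's tool automates through its templates. The block below is an added example and is not the SFCI tool's code or its test case format: it applies the same idea to the path traversal class the paper tests with DotDotPwn. `safe_resolve` is a hypothetical fixed path mapper, `naive_resolve` stands in for the pre-fix behaviour, `WEB_ROOT` and the probe strings are constructed here, and `regression_check` is the part that would run on every commit.

```python
"""Added example (not the SFCI tool's code): a regression test case for a
path traversal fix. Everything is string handling only; nothing touches the
filesystem, so it runs stand-alone."""
import posixpath
import urllib.parse

WEB_ROOT = "/srv/www/static"   # hypothetical document root, constructed here


def fully_decode(text):
    """Undo percent-encoding until it stops changing.

    Front-end servers and proxies often decode once before the application
    does, so a check made on a still-encoded string can be bypassed by a
    doubly-encoded one.
    """
    while True:
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            return decoded
        text = decoded


def naive_resolve(web_root, requested):
    """Pre-fix behaviour (hypothetical): join and normalise, no containment check."""
    return posixpath.normpath(posixpath.join(web_root, requested))


def safe_resolve(web_root, requested):
    """Fixed behaviour (hypothetical): canonicalise, then refuse escapes.

    Returns the absolute path under web_root, or None if the request would
    resolve outside it.
    """
    decoded = fully_decode(requested).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate


# Constructed probes of the kind a traversal fuzzer's template would send.
TRAVERSAL_PROBES = [
    "../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "..%252F..%252Fetc%252Fpasswd",
    "..\\..\\windows\\win.ini",
    "/../../../../etc/passwd",
]


def regression_check(resolver, web_root=WEB_ROOT):
    """Return the probes that the resolver lets escape web_root.

    An empty list means the fix holds; a non-empty list is the alert the
    paper describes for a re-introduced bug.
    """
    escaped = []
    for probe in TRAVERSAL_PROBES:
        result = resolver(web_root, probe)
        inside = result is not None and (
            result == web_root or result.startswith(web_root + "/"))
        if not inside:
            if result is not None:
                escaped.append(probe)
    return escaped


if __name__ == "__main__":
    print("fixed resolver, escaped probes:", regression_check(safe_resolve))
    print("naive resolver, escaped probes:", regression_check(naive_resolve))
```

Running the check against both resolvers shows the asymmetry a regression test relies on: the fixed resolver returns `None` for every probe and the check reports nothing, while the naive resolver maps the plain and absolute probes outside the root and is reported. The encoded probes are deliberately included even though the naive version happens to keep them inside the root: a future "fix" that decodes before joining but forgets the containment check would be caught by exactly those entries.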
Author Contributions:
Project administration, A.C.; Software, M.L.; Supervision, Q.H.M.; Writing—original draft, M.L.; Writing—review & editing, Q.H.M. and A.C.
Funding:
This research was funded by Natural Sciences and Engineering Research Council of Canada grant number EGP 490684-15.
© 2019 by the authors.