
SYNOPSIS
Project Title: SQL Injection Attack Prevention by Hashing & Encryption Technologies
Year: 2013-14
Group Id: 28

Project Description:
The project describes SQL injection prevention using hashing and encryption technologies. It is suited to web applications that require a high level of security, such as banking, government sites, universities, colleges and the department of defense. The idea is to provide dual-sided security, at both the client and the server side. At the client side, SQL injection refers to the Before Login attack; this attack is prevented by applying a hashing technique to the username and password. At the server side, SQL injection refers to the After Login attack, in which a legal user illegally accesses the database records of other users. Encryption is therefore used to secure the database against the After Login attack.

Project Scope:
Information is the most important business asset in today's environment, as is achieving an appropriate level of information security. SQL Injection Attacks (SQLIAs) are one of the topmost threats to web application security, enabling for example financial fraud, theft of confidential data, website defacement, sabotage, espionage and cyber terrorism. To implement security guidelines inside or outside the database, it is recommended that access to sensitive databases be monitored. In this project, two techniques, HASHING and ENCRYPTION, are proposed for SQL injection prevention. First, the username and password are hashed and an Ex-OR function is applied to the two hash values for Before Login security. Then ENCRYPTION is applied to the database to secure the backend and prevent the After Login attack at the server side. Although the proposed technique is completely new to users, it can be applied to databases such as ORACLE, MSSQL and MYSQL.

Objectives:
The main objective of the system is to secure the login section against hackers by detecting and preventing SQL Injection Attacks using hashing and encryption techniques. Whenever a user wants to log in to the database, his/her identity is checked using the username and password and their hash values. These hash values are calculated at runtime by a stored procedure when the user attempts to log in. During authentication, the SQL query is issued with the hash values as its parameters. Hence, if a user attempts an injection through the query while the proposed methodology is in place, it will automatically detect the injection as potentially harmful content and reject the values.

Relevant Theory:
The most common method of SQL injection is performed at the client side only: the user enters his/her username along with special characters such as the single quote ('). The existing system prevents SQL injection if it has a defensive coding scheme. The major problem is that once a legal user has entered the system, he/she is able to access the databases of other users, which is illegal. The SQLi attacks include:
Error Based SQLi: This attack lets the attacker gather important information about the type and structure of the back-end database of a web application.
Inference: Inference-based attacks let attackers discover information about a database schema.
Union Query: With this technique, attackers join an injected query to the safe query with the word UNION and can then obtain data from other tables of the application.
Tautology: The general goal of a tautology-based attack is to inject code into one or more conditional statements so that they always evaluate to true.
Stored Procedure: SQL injection attacks of this type try to execute stored procedures present in the database; the attacker first determines which backend database is in use.
Hashing: Used to avoid and prevent the Before Login attack mentioned above.

Encryption: Used to avoid and prevent the After Login attack on databases such as Oracle, MSSQL and MySQL.

Implementation Detail:
1) Login Module: The application is designed for online banking with account holders. An account holder enters the system through Login and performs transactions such as withdrawal and deposit of an amount.
2) SQLi Detection: Malicious characters such as the single quote (') and the comment marker (--) are detected through a defensive coding scheme.
3) SQLi Prevention: The username and password are hashed with the MD5 hash function and an EX-OR operation is then applied to the two hashes to prevent the Before Login attack.
4) Database Encryption: The AES (Advanced Encryption Standard) algorithm is used to encrypt the database, securing the backend database and preventing the After Login attack.
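The following is an added example, not code from the project, of steps 2 and 3 above: the defensive-coding check for the single quote and comment marker, the MD5 hashing of username and password with the EX-OR of the two digests, and a login query that receives only the resulting token as a bound parameter. The function names, the in-memory SQLite table and the sample accounts are this example's own assumptions.

```python
import hashlib
import sqlite3

# Characters the synopsis's defensive coding scheme looks for (step 2).
SUSPICIOUS = ("'", "--")


def contains_injection_chars(value: str) -> bool:
    """Step 2: flag input carrying a single quote or a comment marker."""
    return any(marker in value for marker in SUSPICIOUS)


def login_token(username: str, password: str) -> str:
    """Step 3: MD5 both fields, EX-OR the two 128-bit digests, return hex."""
    u = hashlib.md5(username.encode("utf-8")).digest()
    p = hashlib.md5(password.encode("utf-8")).digest()
    return bytes(a ^ b for a, b in zip(u, p)).hex()


def build_db() -> sqlite3.Connection:
    """Constructed account table that stores only the login token (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, token TEXT UNIQUE)")
    for name, pw in (("alice", "s3cret"), ("bob", "hunter2")):  # constructed sample users
        conn.execute("INSERT INTO account (token) VALUES (?)", (login_token(name, pw),))
    return conn


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Only the 32-hex-character token reaches SQL, and only as a bound
    parameter, so quotes or comment markers in the input cannot change the
    structure of the query; flagged input is rejected before any query runs."""
    if contains_injection_chars(username) or contains_injection_chars(password):
        return False
    row = conn.execute("SELECT id FROM account WHERE token = ?",
                       (login_token(username, password),)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    print(authenticate(db, "alice", "s3cret"))        # True
    print(authenticate(db, "alice", "wrong"))         # False
    print(authenticate(db, "alice' --", "anything"))  # False: flagged, never hashed
```

EX-ORing the two digests yields an all-zero token whenever username and password are identical, so a deployment should reject that case. The MD5-based construction is reproduced as the synopsis specifies it; MD5 is not a recommended password-hashing primitive today.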

Hash Function Algorithm:
MD5 is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from data input (which may be a message of any length) that is claimed to be as unique to that specific data as a fingerprint is to a specific individual.

AES Algorithm:
Using the AES algorithm we can prevent the SQL injection attack by encrypting the backend database. It performs many iterations to encrypt the data, so that hackers are normally not able to decrypt it and recover the original data easily. AES has been adopted by the U.S. government and is now used worldwide. This application uses the same technique to prevent the SQL injection hacking technique: when a user logs in or registers for the first time, the important data is encrypted with the AES algorithm and the encrypted data is stored in the database, so that if a hacker obtains the data he will not be able to read it. AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. The algorithm starts with a random number, with which the key and data encrypted with it are scrambled through four rounds of mathematical processes; its round operations include MixColumns and AddRoundKey. AES-encrypted data is unbreakable in the sense that no known cryptanalysis attack can decrypt the AES cipher text.

HAVIJ TOOL: A powerful SQL injection hacking tool by which one can access the whole database contents, including database tables and even the usernames and passwords of users and admins.

THE MOLE: It is able to detect and exploit injections using only a vulnerable URL and a valid string on the site, using union or Boolean query techniques. The command line tool supports attacks against MySQL, SQL Server, Postgres and Oracle databases.

SQLMAP: An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

Exploit MyUnion: With this tool the database is damaged by a union query in the After Login phase. As the query is in hashed form in our system, the union attack is fully prevented.

Toolza 1.0: A SQL injection tool by which the databases of MySQL, MSSQL, Sybase, PostgreSQL, Access and Oracle can be damaged.

SQLID: SQL Injection Digger (SQLID) is a command line program that looks for SQL injection and common errors in websites. It can look for SQLi in web pages and test submit forms for possible SQL injection vulnerabilities; this is completely blocked by our system, as a query with hash parameters is used.

PANGOLIN: Pangolin is a SQL injection test tool for database security. It finds SQL injection vulnerabilities; its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.

APPLYING THE SYSTEM: After applying our system, one will not be able to access the contents of the database, because firstly the query that a hacker would fire contains the hash parameters, and secondly the database is in encrypted form. Thus AES is an important advanced technology, and using and understanding it will greatly increase the reliability and safety of your software systems.

Block Diagram: Hashing of username and password:

Encryption of Database:

System Features:
1) Resistant to Before Login Attack.
2) Resistant to After Login Attack.
3) Hash values of username and password calculated at runtime.
4) As SQL queries with hash parameters are used, the system is highly defensive against SQL injection.
5) Legal users are restricted from accessing the databases of other users After Login.

System Specification:
Hardware Requirement:
Hard Disk: 40GB and above
RAM: 512MB and above
Processor: P4 and above
Software Requirement:
Framework: GWT 2.5
Language: Java
Database: MySQL 5.1 / Apache Derby, JPA (JPQL)
OS: XP and above


Conclusion:
The proposed strategy requires alterations in the design of the existing database schema and a new guideline for the database user before writing any new database. Through these guidelines, we found effective outcomes in SQL injection prevention.

Group Members:
Sr. No.  Name                  Roll No.  Signature
1        Mohd. Ehtesham Khan   86
2        Yewale Aniket         148
3        Madaan Vaibhav        82
4        Thole Pritesh         133

Dr.Kalyankumar Project Guide

Prof. B. J. Dange Project Coordinator

Prof. D. B. Kshirsagar HOD
