Improving Database Security in Web-based Environments

Francesco Di Tria, Ezio Lefons, Filippo Tangorra

Abstract

In web applications, databases are generally used as data repositories, where a server-side program interacts with a Database Management System (DBMS), retrieves content, and dynamically generates web pages. This is known as a three-layer architecture, that is widely exposed to database threats. The attacks are usually performed through the injection of SQL code in the forms of the web applications, exploiting the dynamic construction of SQL statements. So, the database security relies on the quality of the code and the controls done by the web developer in the application level. In this paper, we present a solution for the improvement of security of databases accessed by web applications. The security is based on a user modelling approach that completely relies on the authorization mechanism of DBMSs.

References

  1. Ben Natan, R., 2005. Implementing Database Security and Auditing. Elsevier Digital Press.
  2. Bertino, E., and Sandhu, R., 2005. Database security - Concepts, Approaches, and Challenges, IEEE Transactions on Dependable and Secure Computing, vol. 2, issue 1, pp. 2-19.
  3. Boyd, S. W., and Keromytis, A. D., 2004. SQLrand: Preventing SQL Injection Attacks, Applied Cryptography and Network Security, Lecture Notes in Computer Science, vol. 3089, pp. 292-302.
  4. Gertz, M., and Jajodia, S., 2007. Handbook of Database Security: Applications and Trends, Springer, 1 edition.
  5. Halfond, W. G. J., Viegas, J., and Orso, A., 2006. A Classification of SQL Injection Attacks and Countermeasures, Proceedings of the IEEE International Symposium on Secure Software Engineering, Arlington, VA, USA.
  6. Huang, Y-W, Huang, S-K., Lin, T-P., and Tsai, C-H., 2003. Web Application Security Assessment by Fault Injection and Behavior Monitoring, Proceedings of the 12th International Conference on World Wide Web, Budapest, Hungary, pp. 148-159.
  7. Jiangtao Li, Ninghui Li, XiaoFeng Wang, Ting Yu, 2009. Denial of Service Attacks and Defenses in Decentralized Trust Management, International Journal of Information Security vol. 8, issue 2, pp.89- 101.
  8. Pinzón, C., De Paz, J. F., Bajo, J., Herrero, A., and Corchado, E., 2010. AIIDA-SQL: An Adaptive Intelligent Intrusion Detector Agent for Detecting SQL Injection Attacks, 10th International Conference on Hybrid Intelligent Systems (HIS), pp. 73-78.
  9. Rietta, F. S., 2006. Application Layer Intrusion Detection for SQL Injection, Proceedings of the 44th Annual Southeast Regional Conference, Melbourne, Florida, pp. 531-536.
  10. Roy, S., Kumar Singh, A., and Singh Sairam, A., 2011. Analyzing SQL Meta Characters and Preventing SQL Injection Attacks Using Meta Filter, 2011 International Conference on Information and Electronics Engineering, IPCSIT vol. 6, pp. 167-170.
  11. Vasserman, E. Y., Hopper, N., and Tyra, J., 2009. SilentKnock: Practical, Provably Undetectable Authentication, International Journal of Information Security, vol. 8, pp. 121-135.
  12. Xiang Fu, Xin Lu, Peltsverger, B., Shijun Chen, Kai Qian, Lixin Tao, 2007. A Static Analysis Framework for Detecting SQL Injection Vulnerabilities, 31st Annual International Computer Software and Applications Conference, Beijing, pp. 87-96.
Download


Paper Citation


in Harvard Style

Di Tria F., Lefons E. and Tangorra F. (2016). Improving Database Security in Web-based Environments . In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 193-200. DOI: 10.5220/0005646901930200


in Bibtex Style

@conference{icissp16,
author={Francesco Di Tria and Ezio Lefons and Filippo Tangorra},
title={Improving Database Security in Web-based Environments},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2016},
pages={193-200},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005646901930200},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Improving Database Security in Web-based Environments
SN - 978-989-758-167-0
AU - Di Tria F.
AU - Lefons E.
AU - Tangorra F.
PY - 2016
SP - 193
EP - 200
DO - 10.5220/0005646901930200