Detecting Data Leaks via SQL Injection Prevention on an E-Commerce
ABSTRACT:-
All of us are surrounded by technology. Enormous amounts of information and millions of files are shared across the Internet through web applications, and online payments and Internet banking have become commonplace. Web-based applications store crucial user information in databases, and because the backend database is integrated with the web frontend, injection attacks become possible. SQL injection means placing harmful code into the original query by supplying malicious SQL statements as input. Testing for SQL vulnerabilities is therefore important, but at the same time it is practically impossible to check everything without a proper algorithm. This paper attempts to detect SQL attacks using basic Machine Learning algorithms; to improve performance, a stacking technique was used in which one model, Logistic Regression, was chosen as the meta model and different combinations of basic algorithms (Logistic Regression, k-nearest-neighbor, ...) formed the base models. The reason for using these basic models is to highlight that improving the performance metrics does not necessarily require deep learning models, which need large datasets and high computational power.
In our day-to-day lives, using web applications has become the most common part of daily activities. Nowadays people are much more interested in online shopping, social networking, financial transactions and so on, and prefer online services to in-person services. Making a web application available to everyone also makes it more vulnerable, and these vulnerabilities enable hackers to steal confidential information from web applications. One of these vulnerabilities is SQL (Structured Query Language) injection. With this type of attack, hackers can obtain or change the data present in the database by injecting malicious code. This paper mainly focuses on the types of attacks that can be carried out and on the prevention of SQL injection using the Message Digest 5 (MD5) cryptographic hash algorithm: users' passwords are stored in the database in hashed format.
SYSTEM:-
- Input validation module: This module checks for the validity of user inputs, including the type, length, and format of input data. It can also check for suspicious characters or patterns that may indicate an attempted SQL injection attack.
- SQL injection prevention module: This module uses parameterized queries to prevent SQL injection attacks. It replaces user inputs in the query text with placeholders that are bound to the sanitized input data when the query is executed, so the input is never interpreted as SQL code, making it difficult for attackers to inject malicious SQL.
- Logging module: This module records all user activities and errors in a log file. It can track user IP addresses, timestamps, and executed SQL queries.
- Data leak detection module: This module periodically scans the database for unauthorized access or modifications. It compares the current state of the database with previous snapshots to detect any discrepancies or unauthorized changes.
- Notification module: This module sends alerts to system administrators and stakeholders when suspicious activities or anomalies are detected. It can also trigger automated responses, such as database backups or disabling user accounts.
By integrating these modules into the e-commerce project, the system can detect and prevent SQL injection attacks, as well as detect and alert administrators about potential data leaks. The system can also provide valuable insights into user behavior, such as identifying common attack patterns or detecting user errors that may indicate a need for additional training or user support. Ultimately, the system can help safeguard customer data, protect the reputation of the e-commerce project, and increase customer trust and loyalty.
PROPOSED SYSTEM:-
This technique is used to detect and prevent SQL injection attacks (SQLAs) with runtime monitoring. The insight behind the technique is that, for each application, the login page is redirected to our checking page, which detects and prevents SQL injection attacks without stopping legitimate accesses. SQL injection is a hacking technique in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data. SQL injection attacks have become increasingly frequent and serious. The proposed technique uses Random4 together with the Hirschberg algorithm.
Generally, program developers show keen interest in developing an application for usability rather than incorporating security policy rules. Input validation becomes a security issue when an attacker finds that an application makes unfounded assumptions about the type, length, format, or range of input data; the attacker can then supply malicious input that compromises the application. Once the network and host level entry points are fully secured, the public interfaces exposed by an application become the only remaining source of attack, and cross-site scripting, SQL injection and buffer overflow attacks, all of which exploit input validation weaknesses, are the major threats to web application security. Today's modern web era expects organizations to concentrate more on web application security. This is the major challenge faced by all organizations in protecting their precious data against malicious access or corruption.
Our main aim is to provide increased security by developing a tool which prevents illegal access to the database. The project aims to prevent SQL injection while performing a query. It does so by implementing a secure online method to store and protect all the sensitive data held in the database. The purpose of this project is to provide safe transactions for users. Both the transaction and the user data can be encrypted using the AES encryption technique, and the system encrypts the user's login details to preserve the privacy of the website's clients. The approach consists of identifying trusted data sources and marking data coming from these sources as trusted, using dynamic tainting to track trusted data at runtime, and allowing only trusted data to form the relevant parts of queries, such as SQL keywords and operators.
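As an added illustration (not the project's own code) of the positive tainting described above: strings that originate in application code are marked trusted, the query is assembled from trusted and untrusted fragments with a per-character trust map, and every SQL keyword, operator or comment token must lie entirely within trusted text, while string and numeric literals may come from anywhere. The tokenizer, the keyword list and the SQLite-style quoting are simplified assumptions.

```python
import re

class Trusted(str):
    """Marker for strings that come from a trusted source (application code)."""

# Assumed, deliberately small keyword list; a deployment would use the full dialect grammar.
KEYWORDS = {"select", "from", "where", "and", "or", "not", "union", "insert",
            "update", "delete", "drop", "into", "values", "like", "order", "by"}
TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"            # complete string literal ('' escapes a quote)
    r"|\d+(?:\.\d+)?"            # numeric literal
    r"|[A-Za-z_]\w*"             # identifier or keyword
    r"|<>|!=|<=|>=|--|/\*|\*/"   # two-character operators and comment markers
    r"|[=<>();,*'#]"             # single-character operators, stray quote
)

def build_query(*parts):
    """Concatenate fragments and record, per character, whether it is trusted."""
    text = "".join(parts)
    trusted = [isinstance(p, Trusted) for p in parts for _ in p]
    return text, trusted

def is_control(tok):
    """Keywords, operators and comment markers must be trusted; literals need not be."""
    if tok.lower() in KEYWORDS:
        return True
    if tok[0].isalnum() or tok[0] == "_":
        return False                         # identifier or numeric literal
    return not (len(tok) > 1 and tok[0] == "'" and tok[-1] == "'")  # string literal is data

def check_query(text, trusted):
    """Return None if every control token is fully trusted, else the first offender."""
    for m in TOKEN_RE.finditer(text):
        if is_control(m.group()) and not all(trusted[m.start():m.end()]):
            return m.group()
    return None

def login_query(username, pw_hash):
    """Assemble the login query; only the fragments written in code are trusted."""
    text, trusted = build_query(Trusted("SELECT id FROM users WHERE name='"), username,
                                Trusted("' AND pw_hash='"), pw_hash, Trusted("'"))
    return text, check_query(text, trusted)
```

A stray quote from untrusted input becomes its own control token, so an input that breaks out of the string literal is reported even before any keyword appears.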
MODULES:-
- Input validation module: This module checks the validity of user inputs, such as login credentials, registration information, and search queries. It uses techniques such as regular expression matching and string manipulation to detect suspicious patterns or characters that may indicate a SQL injection attack.
- SQL injection prevention module: This module uses techniques such as parameterized queries, prepared statements, and stored procedures to prevent SQL injection attacks. It replaces user inputs in the query text with placeholders that are bound to the sanitized input data when the query is executed, so the input is never interpreted as SQL code, making it difficult for attackers to inject malicious SQL.
- Database monitoring module: This module monitors the database for unauthorized access or modifications. It checks for suspicious activities such as failed login attempts, unusual data queries, and changes to sensitive data. It can also log user activities, such as login times, IP addresses, and executed SQL queries.
- Data leak detection module: This module periodically scans the database for unauthorized access or modifications. It compares the current state of the database with previous snapshots to detect any discrepancies or unauthorized changes. It can also monitor the file system for changes to files or directories containing sensitive data.
- Notification module: This module sends alerts to system administrators and stakeholders when suspicious activities or anomalies are detected. It can trigger automated responses, such as database backups or disabling user accounts. It can also generate reports and dashboards that provide insights into user behavior and system performance.
By integrating these modules into the e-commerce project, the system can detect and prevent SQL injection attacks, as well as detect and alert administrators about potential data leaks. The system can also provide valuable insights into user behavior, such as identifying common attack patterns or detecting user errors that may indicate a need for additional training or user support.
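As an added example (not the project's own code) covering the input validation and SQL injection prevention modules listed in both the SYSTEM and MODULES sections, together with the MD5 password storage named in the introduction: an allow-list username check, MD5 digests as the page specifies, and a parameterized lookup beside the string-concatenated anti-pattern it replaces. SQLite stands in for MySQL/SQL Server, and the users table layout is an assumption.

```python
import hashlib
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.\-]{3,32}$")   # allow-list, not a block-list

def validate_username(name):
    """Input validation module: type, length and character-class checks."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None

def password_digest(password):
    # The page stores passwords as MD5 hashes, so that is what is used here.
    # MD5 is fast and unsalted; a slow salted KDF such as hashlib.pbkdf2_hmac
    # or hashlib.scrypt is what a deployment should use for passwords.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def make_db():
    """Constructed sample database with a single user (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users (name, pw_hash) VALUES (?, ?)",
               ("alice", password_digest("s3cret")))
    return db

def lookup_unsafe(db, name, digest):
    """Anti-pattern: string concatenation lets the input become part of the SQL."""
    sql = "SELECT id FROM users WHERE name='%s' AND pw_hash='%s'" % (name, digest)
    return db.execute(sql).fetchone()

def lookup_safe(db, name, digest):
    """Prevention module: placeholders are bound by the driver, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE name=? AND pw_hash=?"
    return db.execute(sql, (name, digest)).fetchone()

def authenticate(db, name, password):
    """Validate first, then query with bound parameters; returns the user id or None."""
    if not validate_username(name):
        return None
    row = lookup_safe(db, name, password_digest(password))
    return row[0] if row else None
```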
APPLICATION:-
- Login screen: The application starts with a login screen that prompts the user to enter their credentials. The login credentials are validated using the input validation module, which checks for suspicious patterns or characters that may indicate a SQL injection attack.
- User dashboard: Once logged in, the user is presented with a dashboard that displays their recent activity, such as purchases or search queries. The dashboard is monitored by the database monitoring module, which checks for suspicious activities such as unusual data queries or changes to sensitive data.
- Product search: The user can search for products using the search bar, which is also validated using the input validation module. The search query is processed by the SQL injection prevention module, which uses parameterized queries to prevent SQL injection attacks.
- Purchase history: The user can view their purchase history, which is monitored by the data leak detection module. The module periodically scans the database for unauthorized access or modifications and compares the current state of the database with previous snapshots to detect any discrepancies or unauthorized changes.
- Administrator dashboard: The system administrator can log in to a separate dashboard that provides more advanced monitoring and reporting features. The administrator dashboard is monitored by the database monitoring module and the data leak detection module. The notification module sends alerts to the administrator when suspicious activities or anomalies are detected, and the dashboard provides reports and insights into user behavior and system performance.
By using this application, the e-commerce project can detect and prevent SQL injection attacks, as well as detect and alert administrators about potential data leaks. The application can also provide valuable insights into user behavior and system performance, allowing the project team to optimize the system and improve customer experience.
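The snapshot comparison performed by the data leak detection module (described under MODULES and again for the purchase history screen above), as an added example that is not the project's own code: each row of a sensitive table is fingerprinted, and a later periodic scan is diffed against the stored baseline to flag rows added, removed or modified outside the application, producing the lines the notification module would send. SQLite, the orders table and its columns are assumptions.

```python
import hashlib
import sqlite3

def make_orders_db():
    """Constructed sample database: a purchase-history table holding card data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT,"
               " card_last4 TEXT, total REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)",
                   [(1, "alice", "4242", 19.99), (2, "bob", "1111", 5.50),
                    (3, "carol", "2222", 120.00)])
    return db

def snapshot(db, table, key="id"):
    """Map each primary key to a SHA-256 fingerprint of the full row."""
    # `table` is an operator-configured name, never user input, so quoting it is enough.
    cur = db.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
    cols = [d[0] for d in cur.description]
    snap = {}
    for row in cur:
        rec = dict(zip(cols, row))
        snap[rec[key]] = hashlib.sha256(repr(sorted(rec.items())).encode()).hexdigest()
    return snap

def diff_snapshots(before, after):
    """Keys added, removed, or whose fingerprint changed since the baseline."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }

def alert_lines(table, changes):
    """Messages handed to the notification module, one per unexpected change."""
    return ["%s: row %s %s" % (table, k, kind)
            for kind, keys in changes.items() for k in keys]

def scan(db, table, baseline):
    """One periodic scan: returns the detected changes and the new baseline to store."""
    current = snapshot(db, table)
    return diff_snapshots(baseline, current), current
```

Changes the application makes itself will also show up in the diff, so a deployment records the keys it legitimately touched between scans and alerts only on the remainder.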
HARDWARE AND SOFTWARE REQUIREMENTS:-
HARDWARE:-
- Processor – Core i3
- Hard Disk – 160 GB minimum
- Memory – 2 GB minimum
- Internet connection
SOFTWARE:-
- Windows 7 or above
- SQL Server 2008 or above
- Anaconda 3
- MySQL
- SQLyog
- Ganache