Etay Maor is the Sr. Director of Security Strategy at Cato Networks and an industry-recognized cyber security researcher and keynote speaker. Previously, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Before that, Etay held numerous leadership and research positions: as an Executive Security Advisor at IBM, where he created and led breach response training and security research, and as Head of RSA Security's Cyber Threats Research Labs, where he managed malware research and intelligence teams and was part of cutting-edge security research and operations. Etay is an adjunct professor at Boston College and holds a BA in Computer Science and an MA in Counter Terrorism and Cyber Terrorism. Etay is a frequent featured speaker at major industry conferences and is part of the RSA Conference and QuBits conference committees.
Deanna Mulvihill has expertise in evaluation and a passion for improving health and wellbeing. Her open and contextual evaluation model, based on responsive constructivism, creates new pathways for improving healthcare. She built this model after years of experience in research, evaluation, teaching and administration in both hospital and educational institutions. The foundation is fourth generation evaluation (Guba & Lincoln, 1989), a methodology that utilizes the previous generations of evaluation: measurement, description and judgment. It allows for value-pluralism. This approach is responsive to all stakeholders and has a different way of focusing.
Network based threat hunting - a critical component for securing the cloud!
Etay Maor, Sr Director Security Strategy, Cato Networks & Cybersecurity Professor at Boston College
Using legacy, "on-prem" security strategies to combat today's threats is like bringing a knife to a gun fight. Threat actors have been perfecting the art of evading security controls for years and we see the results in headlines all the time. In this session we will dive into network based threat hunting and how it can be implemented within an organization's security strategy. A cloud environment requires a cloud security strategy!
Most organizations are going through a digital transformation journey, be it a planned one or one that was forced upon them by circumstances. But how many organizations are making sure that this journey also includes a security transformation? Most organizations use the same security tools and techniques we have been using for over a decade, but our infrastructure, as well as the threats targeting it, have changed and evolved. They are bringing a knife to a gun fight! Endpoint AV? Sandboxes? Siloed threat intel feeds? Threat actors today have proven over and over that they can bypass these strategies.
In this session we will review how today's threats evade security detection and how they have evolved over time. We will see how a network-based threat hunting program does not necessarily mean changing and buying new products, but rather how to better utilize current capabilities to fit today's threats. It's not all about new features but rather how to deploy and use them! We will show use cases as well as several tactical, practical techniques to help detect and mitigate today's threats. A cloud environment cannot be protected with the tools and techniques of the "on-prem" days; a cloud environment requires a cloud security strategy!
Yask holds a Doctorate (PhD) in Information Technology with specialisation in OT Cyber Security. He also holds a master's degree in Cyber Law and a Bachelor's in Computer Science Engineering.
Currently he holds the position of CISO, IOCL, and is responsible for the maintenance of cyber-security operations, infrastructure and governance at his organisation. He has over two decades of experience in steering the IT function successfully in his organisation in various capacities, with the successful execution of several IT & OT projects under his belt.
His special areas of interest include applications of OT security specific to the O&G industry, automation models in cyber security and the use of machine learning to provide predictive security.
Security Operations Center for OT environment – A framework
Yask, PhD, CISO, IndianOil, India
Abstract
Statement of the Problem: Operational technology, or OT, is a category of computing and communication systems used to manage, monitor and control industrial operations, with a focus on the physical devices (also known as cyber-physical devices) and the processes run by these cyber-physical devices (or systems). OT often controls essential services which affect people at large, such as water and power supply, oil & gas from extraction to supply, and almost all large manufacturing units. Additionally, operational technology is also used to monitor these critical services to prevent hazardous conditions. Manipulation of these systems and processes could have extreme impacts on the end users of these services as well as on workers within operational environments.
Cyberattacks on critical infrastructure and strategic industrial assets have been on the rise for some years now and are now believed to be among the top five global cyber risks. These cyberattacks have cost companies millions of dollars through the disruption of services and critical operations. To keep critical systems running and protect the financial results and reputation of any organization that includes industrial processes, it is essential to improve industrial cyber security. However, securing OT environments, assessing them to determine remediation plans and strategies, and gaining visibility into them is challenging and requires different approaches than traditional IT environments.
The IT environment is fairly well protected and guarded by a Security Operations Center, which keeps a constant vigil on the activities of the IT ecosystem under watch. SOCs across the world have evolved and have reached a certain maturity in operations. However, for an OT environment the SOC is still a new concept, primarily because the objectives of an OT SOC are different from those of an IT SOC. The mission and objectives of newer SOCs today centre on an integrated security information and event management (SIEM) system with a big data platform, complemented by workflow, automation and analytical tools. Creating a SOC for OT would require re-engineering some of the OT processes, which, because of heavy dependence on the OT vendors, is a major task.
Hence, there is a need to create a framework for an OT SOC which helps organizations define a clear mission and objective statement for a fully operational OT SOC. The framework needs to define the roles (give directions) of the SOC team, the MSSP (if any), the OT vendors and the customer.
Mishu is an avid learner and a cyber-security enthusiast learning technical and management skills relevant to the security domain. He is currently pursuing a Master's degree in Information Security at Royal Holloway, University of London, where skills gained from modules such as Legal and Regulatory Aspects of Information Security, Introduction to Cryptography and Secure Systems, and Security Management are being applied in coursework assignments and virtual programmes such as the Global Cyber Security Virtual Internship from Clifford Chance. Alongside, he is enrolled in a remote certified internship where he uses security tools like OpenVAS, Harvester.py and Metasploit to find and exploit vulnerabilities, escalate privileges, and complete assignments in the red teaming and threat hunting arenas. Currently, he is working on his MSc project on improved torsion-point attacks on isogeny-based cryptosystems. With an industrial placement being an integral part of the MSc Information Security with a year in industry, Mishu is open to placement opportunities relevant to the cyber-security domain.
Mishu Sikka, MSc Information Security at Royal Holloway, University of London, UK.
Abstract
Statement of the Problem: The near future holds the arrival of quantum computers, making classical computers obsolete. To highlight this breakthrough, a classical computer takes around 300 trillion years to break RSA-2048-bit encryption, whereas quantum computers will require just 8 hours (Ekera M. & Gidney C., 2019), as per ongoing advancements in quantum computing. Preparing for such a shift, researchers within the cyber security domain have been working on post-quantum cryptographic techniques that could resist both classical and quantum attacks. This new focused research on Post-Quantum Cryptography (PQC) has gained widespread recognition. The purpose of this study is to identify future cryptographic techniques for the standardization process in the quantum-crypto world. Methodology & Theoretical Orientation: The National Institute of Standards and Technology (NIST) has been running a project to assess quantum-resistant cryptographic algorithms for quantum-future standardization. Alongside, companies such as Google and Microsoft have already started experimenting with the deployment of PQC. At this moment, isogeny-based cryptography has established itself as a promising PQC scheme candidate, with the smallest signature and key sizes among all candidates. Findings: The best known protocol backing this isogeny-based quantum-secure approach is the Supersingular Isogeny Diffie-Hellman (SIDH) key exchange protocol. The quantum-secure scheme is based on the presumed difficulty of finding isogenies between supersingular elliptic curves. Although considered the most promising scheme, the SIDH algorithm reveals additional information that could potentially be exploited to break SIDH in polynomial time on a quantum computer. Conclusion & Significance: Due to current technological limitations, the above-mentioned findings are theoretical and could not be confirmed in practice.
The rise of quantum computing will result in present cryptographic techniques being broken, thus exposing the security of our digitized world to malicious actors around the globe. It is imperative to identify and establish post-quantum cryptographic techniques for the standardization process that could hold off attacks from advanced computers, aka quantum computers.
Sami Fakhfakh was a black hat hacker when he was young; his passion for security and IT pushed him to devote his studies to IT and to continue his training to become a white hat hacker. Now he is a computer engineer who works in Paris in the field of blockchain and does freelance cybersecurity consulting. He obtained his licence in fundamental sciences in computer science at the Faculty of Sciences of Sfax (Tunisia) in 2017, then went on to an engineering cycle at ISTY (France), where he obtained his diploma in 2020. Sami Fakhfakh was known as s-man hacker at the time.
Sami Fakhfakh, Engineer/Ethical Hacker, Tunisia
Abstract
Ransomware is a type of malware. It restricts access to the computer system that it infects or the data that it stores (often using encryption techniques), and demands a ransom be paid to the creator(s) of the malware. This is in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard disk. Others may simply lock the system and display messages intended to persuade the user to pay.
Ransomware first became popular in Russia. Now the use of ransomware scams has grown internationally. In June 2013, McAfee said it had collected over 250,000 unique samples of ransomware in the first three months of 2013. This is more than double the number of the previous year. CryptoLocker, a ransomware worm that surfaced in late-2013, had collected an estimated $3 million USD before it was taken down by authorities.
In May 2017, a piece of ransomware called WannaCry spread around the world. It lasted four days and affected over 200,000 computers in 150 countries.[4] Only about $130,000 (USD) was ever paid in ransom, but the attack affected a lot of large companies and organizations. The United Kingdom's National Health Service (NHS) was hit hard by WannaCry. Hospitals could not access their files, and so many surgeries were cancelled and patients had to be turned away.[5] The NHS was especially at risk because it was using a version of the Windows operating system called Windows XP that Microsoft no longer supported.[6] This meant that Microsoft had not been sending out security updates for this version of Windows, leaving it open to the WannaCry virus. Other systems were affected even though they were running newer versions of Windows, because their users had not yet installed the most recent security updates. Even though it was not designed to actually damage computers or their files, WannaCry led to a lot of wasted time and money, showing how vulnerable the world still is to ransomware attacks.
Nowadays, many companies, organizations and individuals are affected by ransomware attacks. In the philosophy of learning defense by attack, we will explain how this malware works, do a live code review example, test it live and teach you how to protect yourself from it.
Yousuf Mahbobi
Software Developer
Dubai
WORK EXPERIENCE
Senior Software Developer
Edge core Electronics FZCO
01/2020 - Present, Dubai
Designed and implemented REST web services in the PHP Laravel framework with a single-page application using Vue.js, Vuex and Axios for the whole importing and exporting system. Application security protection using the SPWEPTLU technique to ensure application safety. Using Google Charts, a barcode system and digital signatures in the development of the management system helped the company analyze sales volume and increased profit by 22%. Server maintenance, backup and recovery. Integrated payment system using the Stripe payment gateway.
Database & Web Developer
Kardan University
04/2017 - 12/2019, Kabul, Afghanistan
Enhanced the university's web applications in terms of design and functionality, making it a more standout organization among competitors. Used SQL Server, ASP.NET, VB.NET, SOAP and Web API as implementation tools. Collaborated with different departments on requirement gathering and training on new features. Fixed student online portal bugs, which helped students engage with the university virtually. Designed and developed a mobile application using React Native, JSON, Material Design, NativeBase and MySQL.
Database & Mobile App Developer
Selab Nadiry Travel & Tour
05/2015 - 03/2017, Kabul, Afghanistan
Designed and developed a complete management information system and portals for various stakeholders using PHP, jQuery, HTML, CSS, JavaScript, JSON and Bootstrap. Server maintenance, backup and recovery. Implemented procedures to improve user engagement by leveraging page response time and web cache usage. Designed and developed a mobile application using React Native, Material Design, NativeBase and MySQL.
EDUCATION
Bachelor in Computer Science
Kardan University, 01/2015 - 01/2019
SKILLS
Application Security Provider
Python (Django)
JavaScript (React.js, Vue.js, jQuery)
PHP (Laravel)
ASP.NET
Relational Databases (MySQL, SQL Server)
React Native, HTML, CSS, Bootstrap, Sass/Less
PERSONAL PROJECTS
School Management System with prevention from SQL & XSS attacks (01/2018 - 01/2019): A complete database with a web application for managing the school, with a strong security infrastructure.
Restaurant Management System for BurgerPlus (01/2020 - 04/2020): A complete restaurant management system for BurgerPlus, which operates in London with four branches.
Kabul Technology website (01/2016 - 04/2016): A web solution company that offers a range of ICT support for clients.
SamadSign Stock Management System (01/2019 - 07/2019): A complete stock management system for the SamadSign company.
ACHIEVEMENTS
International Certificate & Award from the International Journal of Scientific and Engineering Research (01/2021), for publishing a research paper regarding cyber security in web applications.
Best Employee Award (05/2018)
Academic Excellence Award (01/2015 - 01/2019)
LANGUAGES
English
International Journal of Scientific & Engineering Research, Volume 12, Issue 1, January-2021, ISSN 2229-5518. IJSER © 2021, http://www.ijser.org

Detection & prevention of SQL injection & Cross-site scripting attacks using SPWEPTLU technique
Sayed Yousuf Mahbobi, Amjad Khan, Mattiullah Nadiry, Ahmad Shekib Ghawsi

Abstract— SQL (Structured Query Language) injection is the most common and potentially hazardous attack; it allows attackers to fully control the database by injecting or passing malicious statements to the database engine in order to manipulate the data. This penetration of the system can cause serious damage such as theft of sensitive information, corruption within an organization or disruption of the organization's operations. On the other hand, XSS (Cross Site Scripting) is another type of security vulnerability that lets attackers place client-side scripts into web pages visited by users. In this paper we present an optimal solution for detecting and preventing SQL and XSS injection attacks by restricting stored procedures with execute permission only to legitimate users. The paper is organized as follows: Part I is a brief introduction to SQL & XSS attacks. Parts II and III give a complete introduction to SQLIA along with the different types of SQL attacks. Part IV describes XSS briefly, while Part V explores the relevant literature. Part VI explains the solution and its implementation in the form of algorithms and flow charts, and the last part presents the conclusion and future work.

Index Terms— SQL, Structured Query Language, XSS, Cross Site Scripting, SQLIA, Structured Query Language Attack.

1 INTRODUCTION
In modern times, the World Wide Web has shaped the organization's infrastructure and is becoming an essential part of each organization.
Therefore, with the advancement and widespread usage of the internet and the World Wide Web, data protection has become a challenging task, since malicious users, also known as cyber criminals, have risen significantly in number and perform sophisticated logical attacks to harm organizations by exploiting or auditing the required information. The most popular and perilous attacks that are still lurking over millions of websites and web applications are SQL & XSS attacks. In an SQL attack, attackers usually distort the parameters of the SQL statements that are delivered to the backend database in order to perform the desired malicious operations, such as deleting, auditing and retrieving sensitive information through injections. XSS is another form of security vulnerability that targets users by making them view pages that are affected by client-side script injections. XSS attacks are used for stealing cookies and hijacking sessions in a web application, which allows attackers to bypass the application rules and take full control of it. As a result, SQL injection and XSS attacks target all the applications connected to databases and compromise data security; hence, they can completely damage the organization's assets and resources.

2 DEFINITION OF SQLI
SQL Injection is the interpolation of SQL statements injected through the application's input boxes, which causes severe harm to the data stored in the database and is a major threat to application security. Insufficient security in applications and insufficient programming knowledge allow attackers to succeed in penetrating the application and performing SQL attacks. In an SQL Injection attack, the attackers append a harmful string input through the application's entry point or input boxes, which transforms or manipulates the original SQL statement into an SQL statement exploitable by the attackers.
SQL injection can sabotage the database in peculiar ways, such as unauthorized data manipulation or, in the most severe cases, execution of system-level commands that cause denial of service to the application; thus the system loses confidentiality and trustworthiness.

• Sayed Yousuf Mahbobi graduated from the bachelor of computer science department of Kardan University, Afghanistan, PH-0093704076468. E-mail: y.mahbobi@outlook.com
• Amjad Khan is a PhD scholar at Abdul Wali Khan University, Pakistan, PH-00923219033960. E-mail: amjad@aup.edu.pk
• Mattiullah Nadiry graduated from the bachelor of computer science department of Kardan University, Afghanistan, PH-0093766040566. E-mail: mattiullah.nadiry@gmail.com

3 TYPES OF SQLI

3.1 Tautologies
In tautology-based attacks, attackers append one or more conditional SQL statements to the query in order to make the SQL condition evaluate to true, such as (2=2) or (''=''). The most frequent use of this approach is to bypass authentication on web pages, resulting in access to the database. The SQL query demonstrated in Fig. 1 shows the tautology SQLIA.

Fig 1: Tautology attack
    SELECT employee_password FROM tblEmployee WHERE Employee_ID = '2' OR '2'='2' -- ' AND employee_password ='he@sa';

3.2 Piggy-backed query
In a piggy-backed query, attackers terminate the original query statement using a query delimiter such as ";" and inject additional query statements at the end of the original query. In this technique the first query is the original, whereas the subsequent queries are injected. Piggy-backed query attacks are very disastrous because attackers can append any sort of harmful statement. The SQL query in Fig. 2 demonstrates the piggy-backed query attack.

Fig 2: Piggy-backed attack
    SELECT Employee_ID FROM tblEmployee WHERE Employee_ID = 8 AND Employee_Password = 'abc'; DROP TABLE tblEmployee

3.3 Logically incorrect
A logically incorrect attack arises from the exploitation of handy information such as the error messages returned by the database for an invalid query. This error information helps attackers find holes in the system and perform attacks. The SQL query in Fig. 3 describes the logically incorrect attack.

Fig 3: Logically incorrect attack
    SELECT * FROM tblEmployee WHERE Employee_ID = '111' AND Employee_Password = 'abc' AND CONVERT (int, 'a')

3.4 Union query
Union query injection, in other words statement injection attack, is one in which attackers embed supplementary statements into the original SQL query. A union query attack occurs by embedding the UNION keyword into an unprotected parameter, as shown in Fig. 4, resulting in the database returning a dataset which is the union of the result of the original query with the result of the malicious query.

Fig 4: Union query attack
    SELECT Student ID FROM tblStudent UNION SELECT Teacher ID FROM tblTeacher

3.5 Stored procedure
In a stored procedure attack, attackers concentrate on the stored procedures that exist in the database system. Stored procedures are close to the database engine and thus run directly in the database engine. It is an exploitable piece of code that returns either true or false for authorized or unauthorized users. For SQLIA, attackers call the stored procedure and append a command, for instance "; SHUTDOWN; --", to stop the database from functioning. The SQLI query in Fig. 5 shows the stored procedure attack.

Fig 5: Stored procedure attack
    SELECT employee_password EXEC PROC Test; SHUTDOWN;

3.6 Inference
An inference attack allows attackers to learn the nature of a database or application. There are basically two types of inference attack.

3.6.1 Blind injection
This SQLIA happens when programmers forget to conceal error messages, which causes data insecurity; the error message aids the SQLIA in harming the database by querying a series of logical inquiries through SQL statements. Fig. 6 demonstrates the blind injection attack.

Fig 6: Blind injection attack
    SELECT password FROM empTable WHERE username = 'user1' AND 2=1 -- AND password = AND pin = 2
    SELECT info FROM empTable WHERE username ='user1' AND = 2 -- AND password =3

3.6.2 Timing attack
A timing attack enables attackers to accumulate information from a database by observing timing delays in the database's responses. This type of attack uses an IF condition statement to produce a time delay, for example with WAITFOR, which causes the database to postpone its response by a specified time. Fig. 7 displays the timing attack.

Fig 7: Timing injection attack
    DECLARE @name VARCHAR (500); SELECT @name = empName FROM tblemployee IF(substring(@name,0,2)) > 0 Waitfor delay '0:0:8'

3.7 Alternate encoding
In alternate encoding, attackers customize the injection query using an alternate encoding such as hexadecimal, ASCII or Unicode. This approach permits attackers to escape the developer's filter and perform any sort of SQLIA. When this type of attack is coupled with other attack techniques it can be powerful, because it can target various layers in the application, so developers need to be familiar with all of them to supply an effective defensive measure against alternate encoding attacks. The SQL query shown in Fig. 8 describes the alternate encoding attack.

Fig 8: Alternate encoding attack
    SELECT * FROM Accounts WHERE acc_id ="AND pin=1; exec (char(0x23571324f2134124 wwa33))

4 DEFINITION OF XSS
Cross Site Scripting is a client-side script injection attack which attempts to run malicious code in the victim's browser by placing code in a web page or web application that is run later, when the user actually lands on the web page or web application infected by the malicious code. The web page or web application acts like a vehicle to carry the malicious script to the user's browser. These vehicles can be forums, message boards and web pages that allow comments. XSS attacks are most commonly written in JavaScript, primarily because JavaScript is supported by most browsers. What can attackers do with JavaScript?
1. Malicious JavaScript has access to all the contents of the web page, including the user's cookies. Cookies are often used to store session tokens. If the attacker succeeds in obtaining the user's session cookie, they can impersonate that user, perform actions on behalf of the user, and gain access to the user's sensitive data.
2. JavaScript can read the browser's DOM and make arbitrary modifications to it.
3. JavaScript can use the XMLHttpRequest object to send HTTP requests with arbitrary content to arbitrary destinations.
4. JavaScript in modern browsers can use HTML5 APIs. For instance, it can access the user's webcam, location, microphone, and even particular files from the user's file system.

5 LITERATURE REVIEW
The AMNESIA (Analysis and Monitoring for Neutralizing SQLIA) technique was developed by W. G. J. Halfond et al. [1]; it detects and prevents SQLIA at runtime based on two analysis phases, static and dynamic. In the static analysis it generates the types of query statements as a model, and in the dynamic analysis phase it checks all queries against the static model before they are sent to the database. An SQL-syntax-aware technique at the web application layer, to evaluate query strings in the web application server, with negative impact at the database layer to catch untrusted data, was developed by A. Alazab et al. [2], but proved to have network overhead. SAFELI is a tool presented by X. Fu et al. [3], which identifies SQL Injection attacks at compile time from the source code. The drawback of this tool was that it could not prevent tautology attacks. The WASP (Web Application SQL Injection Protector) tool was developed by W. G. J. Halfond et al. [4]; it was effective in stopping more than 12,000 attacks without generating any issues in the database layer. The limitation of this tool appears when deploying web applications. The R-WASP (Real Time Web Application SQL Injection Detector and Preventer) tool was developed by M. H. A. S. P. Medhane [5]; it could potentially stop all attacks and detect SQLIAs in a real-time environment. The limitation of this tool is that it requires more practice to work efficiently. The Suitable Real Time Web Application SQL Injection Protector (RT-WASP) tool was developed by N. S. Ali et al. [6] to detect SQL injection attacks in stored procedures. The drawback of RT-WASP was that it did not detect XSS attacks. The principle of dynamic query structure validation, done by analyzing the query's semantics, was proposed by S. Manmadhan et al. [7]. The main aim of this technique focused on particular types of attacks, which was later proved to be in vain. SecuriFly is a prevention tool for Java developed by M. Martin et al. [8].
This tool checks strings for malicious content and tries to fix them before passing them to the database. The limitation of this tool was the complication in finding all the sources of user input. JDBC-Checker, proposed by C. Gould et al. [9], is a technique for statically analyzing the validity of dynamically generated SQL queries. The drawback of this technique was that it could not identify general types of SQLIA, because attackers usually write queries accurately. The Dynamic Candidate Evaluations method was presented by P. Bisht et al. [10]. This technique separated out the query structures from each SQL query location at runtime. Its drawback was that it only partially stopped SQLIAs, due to constraints of the fundamental method. The Swaddler method, which analyzed the internal state of a web application, was proposed by Marco Cova et al. [11]. First, the method learned the normal values of the application's state variables; in the detection phase, the method monitors the application's execution to find abnormal states. The disadvantage of this method was that it only partially identified SQLIAs. DIWeDa, a prototype that acted at the session level to find malicious input in web applications, was presented by A. Roichman et al. [12]. The drawback of this technique was that it could not detect all types of SQLIA. The Positive Tainting and Syntax-Aware Evaluation technique was proposed by William G. Halfond et al. [13]. This technique differentiates strings generated by the Java application from strings originating from external sources, to identify trusted and untrusted data; if untrusted data is found, syntax-aware evaluation prevents it from being passed to the server. The main drawback of this approach was the initialization of trusted strings by developers. SQL Prevent, which consisted of an HTTP request interceptor, was proposed by P. Grazie [14]; the HTTP requests were stored in local storage.
Then, the SQL interceptor intercepted the SQL statements and passed them to the SQLIA detector. The main problem of this approach was the extra storage and processing, which affects performance. Automated approaches based on defensive programming, in which inputs are filtered to prevent the user from inserting harmful keywords or characters, were proposed by Mei Junjin [15], but proved unable to detect stored procedure and alternate encoding attacks. SQLIPA, which uses a hash value method to improve the user authentication mechanism, was presented by S. Ali et al. [16]. The drawback of this technique was that it detected only tautology attacks. The use of prepared statements was proposed by Stephen Thomas et al. [17]. Using JDBC for database connectivity, the prepared statement escapes the special characters on the spot before executing the query. The main drawback of this approach was that it could not stop all types of SQLIA. PDO (PHP Data Objects), which defines a lightweight, consistent interface for accessing databases in PHP, was suggested by M. Sendiang et al. [18]; parameterized queries in PDO could only prevent tautology and union attacks. Data validation and database lockdown were proposed by M. Zabi et al. [19] in order to minimize SQL injection in Microsoft Internet Information Server. The main drawback of this approach was that it could only stop tautology attacks. Static and dynamic analysis was proposed by Lee, Inyong et al. [20], in which the SQL query is cleansed at runtime and then matched against the predefined SQL query. This approach can prevent all types of SQL attacks except real-time SQL attacks. A new methodology was proposed by Sailor Pratik et al. [21]; in this approach the application blocks common keywords such as union, special characters, delimiters and so on, with the expectation that it would be a comparatively better and easier approach, but it raised false alarms.
A runtime monitoring approach developed by Ramya Dharam [22] was presented and evaluated to detect and prevent tautology attacks in web applications. Their view was that we must validate not only the client-side code but also the server-side code during runtime.

6 PROPOSED SOLUTION & IMPLEMENTATION

The SPWEPTLU (Stored Procedure with execution permission to legitimate users) technique helps in detecting and preventing SQLI, XSS (Cross-Site Scripting) and other types of attacks that can be performed via application penetration. This approach consists of the following steps.

1. Identify the organization's business entity roles and create a separate user login for each role.

35 IJSER International Journal of Scientific & Engineering Research, Volume 12, Issue 1, January-2021 ISSN 2229-5518 IJSER © 2021 http://www.ijser.org

Fig 9: Logins

In figure 9, we identified the business entity roles such as student, teacher, president etc. and then created logins for each of the mentioned entities under the Security tab.

2. Write the stored procedure.

Fig 10: Database Procedure.

In figure 10 we write our procedure inside the database, following the rules below in order to close security flaws and prevent security attacks.

Rules for persistent and secure procedure writing in SQL

I. Do not use concatenation, even inside a stored procedure with parameters, because it is also vulnerable to security attacks. Sometimes circumstances arise where we need to concatenate a few columns; in that case we can use the concat() function, which is a secure way of concatenating strings or columns. An alternative is to use local variables inside the procedure.

Fig 11: Avoid concatenation.
    CREATE PROC sp_CheckStudentAppraisl_Record_Exists
        @Teacher_ID VARCHAR(50),
        @Class_ID NUMERIC(18,0),
        @Section_ID NUMERIC(18,0),
        @Subject_ID NUMERIC(18,0),
        @Month_ID NUMERIC(18,0),
        @check_Record_Exists AS NUMERIC(18,0) OUT
    AS
    BEGIN
        SET NOCOUNT ON;

        -- Get the current session
        DECLARE @Session_ID AS NUMERIC(18,0);
        SELECT @Session_ID = Session_ID FROM tblSession WHERE Year = YEAR(GETDATE());

        -- Get the appraisal result if it exists
        DECLARE @Exists_StudentApprisal AS NUMERIC(18,0);

        -- Select the data from the required tables; every input is a parameter, nothing is concatenated
        SELECT @Exists_StudentApprisal = COUNT(Apprisal)
        FROM tblStudent_Performance
        WHERE Enroll_ID IN (
            SELECT tblEnrollment.Enroll_ID
            FROM tblEnrollment
            INNER JOIN tblOfferedSubjects ON tblEnrollment.Class_Subject_ID = tblOfferedSubjects.Class_Subject_ID
            INNER JOIN tblClass ON tblOfferedSubjects.Class_ID = tblClass.Class_ID
            INNER JOIN tblStudent ON tblEnrollment.Student_ID = tblStudent.Student_ID
            WHERE (tblEnrollment.Session_ID = @Session_ID)
              AND (tblClass.Class_ID = @Class_ID)
              AND (tblEnrollment.Section_ID = @Section_ID)
              AND (tblOfferedSubjects.Subject_ID = @Subject_ID)
              AND (tblEnrollment.Teacher_ID = @Teacher_ID)
              AND (tblStudent.Student_Current_Status = 1)
        )
        AND Month_ID = @Month_ID;

        IF (@Exists_StudentApprisal = 0)
        BEGIN
            SET @check_Record_Exists = 0;
        END
        ELSE IF (@Exists_StudentApprisal != 0)
        BEGIN
            SET @check_Record_Exists = 1;
        END
    END

II. Follow the suggestions stated by Microsoft in the best practices article [23]. These suggestions may improve procedure performance and security.

3. Assign the procedure to the proper role.

Fig 12: Grant procedure to role.
In figure 12 we grant EXECUTE only to those entities in the organization whose tasks or roles include the mentioned procedure. For example, a teacher at the school should be able to check students' appraisals, and no other entity should be able to check or access the students' appraisals by performing injection or any other sort of attack, so we grant the EXECUTE permission for checking students' appraisals to the teacher only. In this case, if a malicious user tries to inject a malicious statement, the database engine will stop him/her. For example, if the teacher bypasses the rules or penetrates the system through the application and injects a series of harmful statements or queries, the database will not execute those statements and generates an error.

    GRANT EXEC ON sp_CheckStudentAppraisl_Record_Exists TO Teacher

Fig 13: User performs a procedure call that is not part of his/her role + attack.

    EXEC sp_CheckStudentAppraisl_Record_Exists; Shutdown;

Fig 14: Denial message from database.

    Msg 229, Level 14, State 5, Procedure sp_AddYear, Line 1 [Batch Start Line 0]
    The EXECUTE permission was denied on the object 'sp_AddYear', database 'Khalid Bin Walid', schema 'dbo'.

Fig 15: User performs a procedure call that is part of his/her role + attack.

Fig 16: Procedure executed but the attack denied by the database engine.

4. Finally, call the procedure through the application.

Fig 17: Calling procedure from app.

In figure 17, we open the proper connection according to the currently logged-in user's role, then we simply call the procedure, passing the arguments as SQL parameters from the application and binding them to the parameters we predefined in the SQL procedure in the database, so that every single parameter is treated as a variable and not as part of a string, as happens in a normal query built by concatenation or by passing simple parameters into the query text.
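The four steps above, carried out end to end in T-SQL as an added example rather than the paper's own code or figure content. Everything in it is constructed for the example: the role Teacher, the login tch_login and user tch_user, a cut-down tblStudent_Performance with one sample row, and the procedures usp_CheckAppraisalExists and usp_CheckAppraisalExists_Concat (the second shows the concatenation pattern that rule I rejects). It goes a little beyond figures 12 to 16 by checking the effective permissions with HAS_PERMS_BY_NAME while impersonating the role member, and by passing an input shaped like the injected batch of figure 15 through the parameterized call.

```sql
-- Added example, not the paper's code: the four SPWEPTLU steps as one T-SQL script.
-- Constructed names: role Teacher, login tch_login / user tch_user, a cut-down
-- tblStudent_Performance, and the two procedures below. Run as the database owner.

-- Step 1: one role per business entity; a login and a user mapped into it.
CREATE ROLE Teacher;
CREATE LOGIN tch_login WITH PASSWORD = 'Replace-me-with-a-strong-one!1';
CREATE USER tch_user FOR LOGIN tch_login;
ALTER ROLE Teacher ADD MEMBER tch_user;

-- Constructed stand-in for the paper's tblStudent_Performance, with one sample row.
CREATE TABLE dbo.tblStudent_Performance (
    Enroll_ID VARCHAR(50)   NOT NULL,
    Month_ID  NUMERIC(18,0) NOT NULL,
    Apprisal  NUMERIC(18,0) NULL
);
INSERT INTO dbo.tblStudent_Performance VALUES ('KBW2020010005', 1, 85);
GO

-- Step 2, rule I: the query is static and its inputs are only ever parameters.
CREATE PROCEDURE dbo.usp_CheckAppraisalExists
    @Enroll_ID     VARCHAR(50),
    @Month_ID      NUMERIC(18,0),
    @Record_Exists NUMERIC(18,0) OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT @Record_Exists = CASE WHEN COUNT(Apprisal) > 0 THEN 1 ELSE 0 END
    FROM dbo.tblStudent_Performance
    WHERE Enroll_ID = @Enroll_ID AND Month_ID = @Month_ID;
END
GO

-- The pattern rule I rejects: the parameter is spliced into SQL text, so a quote
-- inside @Enroll_ID ends the literal and whatever follows runs as SQL. Dynamic SQL
-- also runs under the caller's own permissions (no ownership chain), so the
-- EXECUTE-only grant of step 3 would not even let a Teacher read the table.
CREATE PROCEDURE dbo.usp_CheckAppraisalExists_Concat
    @Enroll_ID VARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(400) =
        N'SELECT COUNT(*) FROM dbo.tblStudent_Performance WHERE Enroll_ID = '''
        + @Enroll_ID + N'''';
    EXEC (@sql);
END
GO

-- Step 3: the role gets EXECUTE on the safe procedure and nothing else.
GRANT EXECUTE ON OBJECT::dbo.usp_CheckAppraisalExists TO Teacher;

-- Verify the effective permissions as the role member sees them: only the
-- EXECUTE on the procedure is held; SELECT and DELETE on the table are not.
EXECUTE AS USER = 'tch_user';
SELECT HAS_PERMS_BY_NAME('dbo.usp_CheckAppraisalExists', 'OBJECT', 'EXECUTE') AS can_exec,
       HAS_PERMS_BY_NAME('dbo.tblStudent_Performance', 'OBJECT', 'SELECT')    AS can_select,
       HAS_PERMS_BY_NAME('dbo.tblStudent_Performance', 'OBJECT', 'DELETE')    AS can_delete;

-- Step 4: what the application sends, every input bound as a parameter.
DECLARE @result NUMERIC(18,0);
EXEC dbo.usp_CheckAppraisalExists @Enroll_ID = 'KBW2020010005', @Month_ID = 1,
                                  @Record_Exists = @result OUTPUT;
SELECT @result AS record_exists;

-- An input shaped like the injected batch of figure 15 is only a string value: it
-- matches no row, and the engine enforces the table permission, not the text.
EXEC dbo.usp_CheckAppraisalExists @Enroll_ID = 'X''; DELETE FROM dbo.tblStudent_Performance; --',
                                  @Month_ID = 1, @Record_Exists = @result OUTPUT;
SELECT @result AS record_exists;
REVERT;

-- Back as the owner: the sample row is still there.
SELECT COUNT(*) AS rows_left FROM dbo.tblStudent_Performance;
```

Run it in a throwaway SQL Server database as the owner; EXECUTE AS USER needs IMPERSONATE on tch_user, which dbo has. Because the procedure and the table share the dbo owner, ownership chaining lets the Teacher member run the procedure without holding any permission on the table, which is exactly what step 3 relies on, and it is also why the concatenating variant is doubly wrong: it both exposes the text of the query to the input and drops the chain.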
    DECLARE @result AS NUMERIC(18,0);
    EXEC sp_CheckStudentAppraisl_Record_Exists 'KBW2020010005',2,1,1,1,@result out;
    print @result;
    DELETE FROM tblStudent_Performance;

    Msg 229, Level 14, State 5, Line 3
    The DELETE permission was denied on the object 'tblStudent_Performance', database 'Khalid Bin Walid', schema 'dbo'.

Fig 18: SPWEPTLU technique flow chart for preventing SQLIA.

Cross site scripting attack prevention

The SPWEPTLU (Stored procedure with execution permission to legitimate users) technique also helps to prevent cross-site scripting attacks, because it stores the user input as a variable before passing it to the database and then brings it back from the database in string form; hence it will later be displayed in the DOM (document object model) as a string, not as a script to be executed.

Fig 19: XSS attack.

So this information will be stored as text using the stored procedure and will be fetched back from the database to the user interface as text, and will have no effect on the script of the page; thus it prevents XSS attacks.

Fig 20: SPWEPTLU technique flow chart for preventing XSS.

Advantages of Proposed Solution

i). Security reinforcement: Restricting permissions in the database reinforces security.

ii). Concealed logic: In the proposed solution all the logic implemented inside the database is hidden from the users.

iii). Denial of arbitrary actions: The users are not able to perform any action arbitrarily because they have no information about any table or column; in fact the users are just blindly executing the assigned procedures without knowing what is written inside them.

iv). Permission restriction: The users are not able to do anything else because they only have execution permission on the assigned procedures; they do not have permission to view the procedure definition or any column, and in fact they do not know whether any table, procedure, function or view exists in the database at all.

v). Performance optimization: Stored procedures execute quickly because they run close to the database engine, so we save the time spent accessing the database several times for different operations, as we would with normal queries.

vi). Automatic denial of attacks: In the proposed solution, the database itself stops the attacks when it encounters them.

vii). Data accuracy and consistency: data can be manipulated only by the proper user, and the data stays consistent because it cannot be changed by any attack.

viii). XSS attack prevention: the proposed solution prevents cross-site scripting attacks because the JavaScript that the user passes to the server is stored as a parameter string; thus it cannot be exploited by the attackers.

ix). Data security: As data is stored in such a way that users are not aware of its existence, the users would not be able to do anything with it. This approach strengthens data security.

Implementable by all relational databases such as Oracle, MySQL, SQL Server and so on.

7 CONCLUSION & FUTURE WORK

There are many vulnerable applications in today's world, because programmers mainly focus on user interfaces and functionality when producing software rather than on security, which is a core part of software development; SQL injection and XSS attacks are such security threats, through which attackers penetrate the system and harm the organization.
Thus some organizations use various inaccurate techniques, discussed above by the researchers we mentioned, such as parameterized queries, wrong usage of stored procedures, and software packages available in the market that claim to prevent SQLIA. Hence this paper introduces an optimal approach not only for detecting SQL injection and XSS attacks but also for preventing them, using the stored procedure with execute permission to legitimate users technique, which helps to prevent any sort of application-side security attack. The future work for this paper is to enhance the capability of this approach to detect and prevent SQLIA at the application level.

REFERENCES

[1] W. G. J. Halfond and A. Orso, "Preventing SQL Injection Attacks Using AMNESIA," presented at the Proceedings of the 28th International Conference on Software Engineering (ICSE), ACM, Shanghai, China.

[2] A. Alazab, A. Khresiat, "New Strategy for Mitigating of SQL Injection Attack", International Journal of Computer Applications (IJCA), Volume 154, paper No. 11.

[3] X. Fu, X. Lu, B. Peltsverger, S. Chen, G. Southwestern, K. Qian, and S. Polytechnic, "A Static Analysis Framework for Detecting SQL Injection Vulnerabilities", 31st Annual International Computer Software and Applications Conference (COMPSAC 2007), IEEE, ISSN: 0730-3157, pages 1–8, China.

[4] W. G. J. Halfond, A. Orso, and I. C. Society, "WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation", IEEE Transactions on Software Engineering, volume 34, issue 1, pages 65–81, 2008.

[5] M. H. A. S. P. Medhane, "R-WASP: Real Time-Web Application SQL Injection Detector and Preventer", International Journal of Innovative Technology and Exploring Engineering (IJITEE), ISSN: 2278-3075, Volume 2, Issue 5, pages 327–330.

[6] N. S. Ali, A. Shibghatullah, "Protection Web Applications Using Real-Time Technique to Detect Structured Query Language Injection Attacks", International Journal of Computer Applications (IJCA), Volume 149, paper No. 6.

[7] S. Manmadhan, Manesh T., "A Method of detecting SQL Injection Attack to Secure Web Applications", International Journal of Distributed and Parallel Systems (IJDPS), Volume 3, Issue 6.

[8] M. Martin, B. Livshits, and M. S. Lam, "Finding Application Errors and Security Flaws Using PQL: A Program Query Language", ACM SIGPLAN Notices, Volume 40, Issue 10, pages 365–383.

[9] C. Gould, Z. Su, and P. Devanbu, "JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications", in Proceedings of the 26th International Conference on Software Engineering (ICSE04) Formal Demos, ACM, ISBN: 0-7695-2163-0, pages 697–698.

[10] P. Bisht, P. Madhusudan, and V. N. Venkatakrishnan, "CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks", ACM Transactions on Information and System Security, pages 1–39.

[11] Marco Cova, Davide Balzarotti, "Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications", in Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), pages 63–86.

[12] A. Roichman, E. Gudes, "DIWeDa - Detecting Intrusions in Web Databases", in Proceedings of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Springer, volume 5094, pages 313–329, Heidelberg.

[13] William G. Halfond, Alessandro Orso, "Using Positive Tainting and Syntax Aware Evaluation to Counter SQL Injection Attacks", 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, ACM, pages 175–185.

[14] P. Grazie, PhD, "SQL Prevent Thesis", University of British Columbia (UBC), Vancouver, Canada.

[15] Mei Junjin, "An Approach for SQL Injection Vulnerability Detection", Proceedings of the 2009 Sixth International Conference on Information Technology: New Generations, IEEE Computer Society, Las Vegas, pages 1411–1414.

[16] S. Ali, SK. Shahzad and H. Javed, "SQLIPA: An Authentication Mechanism against SQL Injection", European Journal of Scientific Research, Volume 38, Number 4, pages 604–611.

[17] Stephen Thomas, Laurie Williams, "Using Automated Fix Generation to Secure SQL Statements", Proceedings of the Third International Workshop on Software Engineering for Secure Systems (SESS '07), page 9.

[18] M. Sendiang, A. Polii, J. Mappadang, "Minimization of SQL Injection in Scheduling Application Development", International Conference on Knowledge Creation and Intelligent Computing (KCIC), IEEE, Indonesia.

[19] M. Zabi, M. Joseph, "Minimization of SQL Injection", International Conference of Technology Sight, IEEE, Saudi.

[20] Lee, Inyong, Soonki Jeong, Sangsoo Yeo, and Jongsub Moon, "A Novel Method for SQL Injection Attack Detection based on Removing SQL Query Attribute Values", Mathematical and Computer Modelling, Volume 55, Issues 1–2, pages 58–68.

[21] Pratik H Sailor, Prof. Jaydeep Gheewala, "Detection and Prevention of SQL Injection Attacks", International Journal of Engineering Development and Research (IJEDR), ISSN: 2321-9939, Vol. 2, Available: http://www.ijedr.org/papers/IJEDR1402215.pdf.

[22] Ramya Dharam, Sajjan G. Shiva, "Runtime Monitors for Tautology based SQL Injection Attacks", International Journal of Cyber Security and Digital Forensics (IJCSDF).

[23] "Microsoft Suggestion for Proper Procedure Writing", Available: https://docs.microsoft.com/en-us/sql/t-sql/statements/createprocedure-transact-sql?view=sql-server-ver15#see-also