Published in: Programming and Computer Software 6/2018

01.11.2018

NoSQL Injection Attack Detection in Web Applications Using RESTful Service

Authors: Ahmed M. Eassa, Mohamed Elhoseny, Hazem M. El-Bakry, Ahmed S. Salama


Abstract

Despite extensive research into using web services for security purposes, finding a radical solution to the NoSQL injection attack remains a major challenge. This paper presents an independent RESTful web service, organised in a layered approach, that detects NoSQL injection attacks in web applications. The proposed method is named DNIARS. DNIARS compares the patterns generated from the structure of a NoSQL statement in its static code state with those generated in its dynamic (runtime) state and, on that basis, reports to the web application the possibility of a NoSQL injection attack. DNIARS was implemented in plain PHP and can be considered an independent framework able to respond to different request formats such as JSON and XML. To evaluate its performance, DNIARS was tested using the most common testing tools for RESTful web services. According to the results, DNIARS can work in real environments, with an error rate that did not exceed 1%.
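As an added illustration of the static-versus-dynamic pattern comparison the abstract describes (example code written for this page, not the paper's DNIARS implementation; the login template, the request bodies and the `pattern`/`deviations`/`check` helpers are all constructed here):

```python
import json

# Added example (not the paper's DNIARS code): compare the structure of the
# NoSQL statement as written in the code with the structure of the statement
# built at runtime from request data, and report where they differ.
INPUT = object()  # slot in the static template that the application fills with user input

def pattern(node):
    """Keep keys and $-operators, replace every scalar value by 'scalar'."""
    if node is INPUT or node is None or isinstance(node, (str, int, float, bool)):
        return "scalar"
    if isinstance(node, dict):
        return {k: pattern(v) for k, v in node.items()}
    if isinstance(node, list):
        return [pattern(v) for v in node]
    return type(node).__name__

def deviations(expected, actual, path="$"):
    """Paths at which the runtime pattern departs from the static pattern."""
    if type(expected) is not type(actual):
        return [f"{path}: expected {expected!r}, got {actual!r}"]
    if isinstance(expected, dict):
        out = []
        for key in sorted(set(expected) | set(actual)):
            if key in expected and key in actual:
                out += deviations(expected[key], actual[key], f"{path}.{key}")
            else:
                out.append(f"{path}.{key}: key present on only one side")
        return out
    if isinstance(expected, list):
        if len(expected) != len(actual):
            return [f"{path}: list length {len(expected)} vs {len(actual)}"]
        return [d for e, a in zip(expected, actual) for d in deviations(e, a, path + "[]")]
    return [] if expected == actual else [f"{path}: {expected!r} vs {actual!r}"]

def check(static_pattern, runtime_query):
    """Reply of the detection service: is an injection possible, and where?"""
    found = deviations(static_pattern, pattern(runtime_query))
    return {"injection_possible": bool(found), "deviations": found}

# Login filter as it appears in the application code (static state).
LOGIN_TEMPLATE = {"username": INPUT, "password": INPUT}
STATIC_LOGIN = pattern(LOGIN_TEMPLATE)

def build_login_query(body):
    """Vulnerable style: request values are copied into the filter unchanged."""
    return {"username": body.get("username"), "password": body.get("password")}

# Constructed request bodies, as a JSON-parsing front end would deliver them.
BENIGN_BODY = '{"username": "alice", "password": "s3cret"}'
INJECTED_BODY = '{"username": "alice", "password": {"$ne": ""}}'

if __name__ == "__main__":
    for body in (BENIGN_BODY, INJECTED_BODY):
        print(json.dumps(check(STATIC_LOGIN, build_login_query(json.loads(body)))))
```

The comparison sees structure only: a string value that the database later evaluates (for example inside a `$where` clause) looks like any other scalar, so this check complements input validation rather than replacing it.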


Metadata
Title
NoSQL Injection Attack Detection in Web Applications Using RESTful Service
Authors
Ahmed M. Eassa
Mohamed Elhoseny
Hazem M. El-Bakry
Ahmed S. Salama
Publication date
01.11.2018
Publisher
Pleiades Publishing
Published in
Programming and Computer Software / Issue 6/2018
Print ISSN: 0361-7688
Electronic ISSN: 1608-3261
DOI
https://doi.org/10.1134/S036176881901002X
