Escolar Documentos
Profissional Documentos
Cultura Documentos
ISSN: 2278-0181
ICCCS - 2017 Conference Proceedings
I. INTRODUCTION
● Linkage leakage- The attacker links the database IV. WEB SECURITY THREATS
values to the position of index values.
1. Ajax Security: AJAX (Asynchronous JavaScript
III. DATABASE THREATS and XML) technology is a mainstream technology
of Web2.0 which facilitates the browser to provide
Since database contains vital information therefore it users with more natural browsing experience. It
also faces a lots of threats. The threats can be supports asynchronous communication. With
categorized as follows: asynchronous communication, user is able to
1. Excessive privileges: If users are granted database submit, wait and refresh freely, update partial page
privileges that exceed their use or requirements, dynamically. So it allows users to have a smooth
then these privileges can be used to gain some experience similar in desktop applications [3].
confidential information. The solution to this However, it is lacking the ability to solve security
problem (besides good hiring policies) is query- problems.
level access control. Query-level access control Ajax Security (Server Side)- AJAX-based
restricts privileges to minimum-required Web applications also use the same server-
operations and data[4]. side security schemes which the regular
2. Privilege abuse: Users may abuse or misuse the Web applications do. You just need to
access privileges for unauthorized purpose. The specify authentication, authorization, and
solution is access control policies that apply not data protection requirements in your
only to what data is accessible, but how data is web.xml file or in your program. But the
accessed. By enforcing policies for time of day, AJAX-based Web applications are also
location, and application client and volume of data vulnerable to the same security threats as
retrieved, it is possible to identify users who are regular Web applications.
abusing access privileges[4]. Ajax Security (Client Side)- The JavaScript
3. Unauthorized privilege elevation: Attackers may code is visible to the user as well as to any
convert some low-level access privileges to high- hacker. Hacker can use this JavaScript code
level access privileges. for extracting the server-side weaknesses.
4. Platform vulnerabilities: The platform or operating 2. Cross Site Scripting: Cross-site Scripting occurs
system may be vulnerable to leakage and when dynamically generated web pages display
corruption of data. input that is not properly authenticated [3]. These
5. SQL injection: SQL injection specifically targets a attacks occur when an attacker uses some web
user to send unauthorized database queries which application to send some malicious code, which is
makes the server to reveal the information (which generally in the form of a browser side script, to a
it wouldn’t do normally). Using this user can also different end user. So the attacker can use this to
access the entire database. send some malicious script to any user and the
6. Denial of service: This attack involves making the end user’s browser will have no way to know that
resource unavailable for the purpose it was the script shouldn’t be trusted, and will therefore
designed. This means that the access to data or the execute the script. Since, it thinks the script came
application is denied to the user. from some trusted source that malicious script
7. Backup Exposure: The backup storage media can access any of the cookies or sessions, tokens,
remains unprotected from any attacks. As a result or any other sensitive information which the
there are several attacks on the database backup browser contains.
disks and tapes.
V. CONTROL METHODS FOR DATABASE 2. Correlated data: when visible data is connected to
THREATS invisible data semantically.
Inference detection can be done through:
Access control is responsible for the direct access to the i. Semantic inference model: represents all possible
system with the control of rules which are accompanied by relations between attributes of data resources.
some security policies. It is basically used to restrict the ii. Security violation detection and knowledge
access of confidential information. In access control, the acquisition: it adds the new query request to the
owner of the resource is eligible to give the rights to the request log and checks if the further request is
other user of that resource based on his discretion[6]. allowed [8].
An access control system includes who can access the
objects (data, programs), subjects (users, processes), 3. User identification/authentication
through operations (read, write, run)[7]. The most important security requirement is that there must
b authorized and authenticated users to access the database
Access control can be classified as: or you must identify your users before they can access the
1. Discretionary access control: it is a means of resources. In authentication, server or the client needs to
restricting access to objects based on identity of know the identity of the user or computer. It cannot control
subjects or groups to which they belong. These are what the user is accessing but it controls who is accessing
defined by user identification during the resources. Therefore the user identification is must for
authentication ex- username, password. Its main the security concerns of the database. However, the
aim to grant and revoke privileges to users. unauthorized user may take different approaches like
2. Mandatory access control: this security default password or bypassing authentication etc. user
mechanism restricts the ability of owner of identification can be implemented by using the secure
resource to deny or grant access to a file. Criteria socket layer (SSL) [9].
is defined by the administrator. It enforces
multilevel security by categorizing both the users
and the data into security classes and then the
appropriate policy is implemented.
3. Schema object auditing: it audits only a single and secure communication in the presence of third parties
specified type of statement on a properly defined called adversaries. It prevents third party from reading
schema object, which always apply to all users of private messages by constructing and analyzing protocols.
database. Mixed cryptography involved encrypting database in a
4. Fine grained auditing: enables auditing based on diversified form over the unsecured network [12].
access to or changes in a column. It audits at the
most granular level, actions based on content and B. Securing database using steganography
data access. It is the process of hiding the confidential messages with
5. Encryption ordinary messages and extraction of its destination. It hides
Encryption is a process that convert the information into the encrypted data so that no one suspects it exists, thus
‘cipher text’ that is stored in the database. The information everyone fail to know that the file contains encrypted data.
is converted into some code and that code is only readable In steganography, data is encrypted using an algorithm into
to that person who holds the key for that particular code. redundant data. Various techniques used are audio
steganography, video steganography, IP datagram
steganography.
VII. CONCLUSION