Faculty Publications

Permanent URI for this communityhttps://idr.nitk.ac.in/handle/123456789/18736

Publications by NITK Faculty

Browse

Author: search.filters.author.Pais, A.R.Subject: search.filters.subject.Database systems

Search Results

Now showing 1 - 4 of 4
  • No Thumbnail Available
    Item
    Securing native XML database-driven web applications from XQuery injection vulnerabilities
    (Elsevier Inc. usjcs@elsevier.com, 2016) Palsetia, N.; Deepa, G.; Ahmed Khan, F.; Santhi Thilagam, P.S.; Pais, A.R.
    Database-driven web applications today are XML-based as they handle highly diverse information and favor integration of data with other applications. Web applications have become the most popular way to deliver essential services to customers, and the increasing dependency of individuals on web applications makes them an attractive target for adversaries. The adversaries exploit vulnerabilities in the database-driven applications to craft injection attacks which include SQL, XQuery and XPath injections. A large amount of work has been done on identification of SQL injection vulnerabilities resulting in several tools available for the purpose. However, a limited work has been done so far for the identification of XML injection vulnerabilities and the existing tools only identify XML injection vulnerabilities which could lead to a specific type of attack. Hence, this work proposes a black-box fuzzing approach to detect different types of XQuery injection vulnerabilities in web applications driven by native XML databases. A prototype XQueryFuzzer is developed and tested on various vulnerable applications developed with BaseX as the native XML database. An experimental evaluation demonstrates that the prototype is effective against detection of XQuery injection vulnerabilities. Three new categories of attacks specific to XQuery, but not listed in OWASP are identified during testing. © 2016 Elsevier Inc.
  • No Thumbnail Available
    Item
    Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications
    (Springer Verlag service@springer.de, 2018) Deepa, G.; Santhi Thilagam, P.S.; Ahmed Khan, F.A.; Praseed, A.; Pais, A.R.; Palsetia, N.
    As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. The attackers craft injection attacks in database-driven applications through the user-input fields intended for interacting with the applications. Even though precautionary measures such as user-input sanitization is employed at the client side of the application, the attackers can disable the JavaScript at client side and still inject attacks through HTTP parameters. The injected parameters result in attacks due to improper server-side validation of user input. The injected parameters may either contain malicious SQL/XML commands leading to SQL/XPath/XQuery injection or be invalid input that intend to violate the expected behavior of the web application. The former is known as an injection attack, while the latter is called a parameter tampering attack. While SQL injection has been intensively examined by the research community, limited work has been done so far for identifying XML injection and parameter tampering vulnerabilities. Database-driven web applications today rely on XML databases, as XML has gained rapid acceptance due to the fact that it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype XiParam is developed and tested on vulnerable applications developed with a native XML database, BaseX, as the backend. The experimental evaluation clearly demonstrates that the prototype is effective against detection of both XQuery injection and parameter tampering vulnerabilities. © 2017, Springer-Verlag Berlin Heidelberg.
  • No Thumbnail Available
    Item
    A novel fingerprint template protection and fingerprint authentication scheme using visual secret sharing and super-resolution
    (Springer, 2021) Muhammed, A.; Mhala, N.C.; Pais, A.R.
    Fingerprint is the most recommended and extensively practicing biometric trait for personal authentication. Most of the fingerprint authentication systems trust minutiae as the characteristic for authentication. These characteristics are preserved as fingerprint templates in the database. However, it is observed that the databases are not secure and can be negotiated. Recent studies reveal that, if a person’s minutiae points are dripped, fingerprint can be restored from these points. Similarly, if the fingerprint records are lost, it is a permanent damage. There is no mechanism to replace the fingerprint as it is part of the human body. Hence there is a necessity to secure the fingerprint template in the database. In this paper, we introduce a novel fingerprint template protection and fingerprint authentication scheme using visual secret sharing and super-resolution. During enrollment, a secret fingerprint image is encrypted into n shares. Each share is stored in a distinct database. During authentication, the shares are collected from various databases. The original secret fingerprint image is restored using a multiple image super-resolution procedure. The experimental results show that the reconstructed fingerprints are similar to the original fingerprints. The proposed method is robust, secure, and efficient in terms of fingerprint template protection and authentication. © 2020, Springer Science+Business Media, LLC, part of Springer Nature.
  • No Thumbnail Available
    Item
    Secure latent fingerprint storage and self-recovered reconstruction using POB number system
    (Elsevier B.V., 2023) Muhammed, A.; Pais, A.R.
    Latent fingerprints are the unintentionally deposited fingerprint impressions gathered from the crime scenes. Many criminal investigation agencies consider latent fingerprints as a significant court accepted evidence. A typical latent fingerprint comes in low quality. Hence, a slight modification in the latent fingerprint may induce a marked shift in the recognition performance. Due to this, wrongdoers behind the crime scenes may try to remove or alter the latent fingerprint information by accessing the fingerprint database. Unlike regular fingerprint enrollment, retaking a latent fingerprint is not always possible. Preserving the latent fingerprints in a single database makes it vulnerable to single-point attacks. Hence, this paper presents a secure way to store and retrieve latent fingerprint information using POB-based (n,n) VSS technique. The proposed method encrypts each latent fingerprint as n secret shares, and stores them in n distinct databases. The distributed storage protects the data from single-point attacks. Along with secure storage, we also introduce a self-recovery mechanism in the case of fingerprint share tampering. The self-recovery mechanism protects the latent fingerprint from different tampering attacks. The proposed method has been evaluated using NIST Special Database4 (NIST-SD4) and IIIT Delhi latent fingerprint datasets. The experimental results show that the proposed technique offers secure distributed storage with lossless reconstruction of latent fingerprint images whenever needed. The proposed self-recovery mechanism enables the recovery of latent fingerprint images even in the case of share tampering. © 2023