Web Forensic Evidence of SQL Injection Analysis

In the WEB 2.0 generation, web attack becomes common and widely exploits by the intruders to unauthorized access. According to the survey from OWASP (Open Web Application Security Project's), SQL injection attack (SQLIA) placed the first in the OWASP 2013's top 10 list of cyber threats that web service facing. SQLIA is a technique of inserting SQL meta-characters and commands into web-based input field to change the original meaning of the SQL queries in order to manipulate the execution of the malicious SQL queries to access the databases unauthorized. It unable be detected by firewall or antivirus due to the SQLIA is just injecting meta- character and do not have any malicious. Hence, forensic analysis to find out the evidence attack play an important role to making conclusion about and incident to prove or disprove intruder's guilt. Methodologies forensic analyses of web application that present previously are only simple statistical analysis, parsing capabilities or simple signature matching. Thus, we proposed a method by analyzing the URL request and decode it before analyzing with the rule set that provided by PHPIDS. After that we, cluster these attacks by calculate the distance with every cluster and cluster it with the nearest centroid point. To find the pattern of the SQL injection to cluster these attacks, we apply a method with extracting the SQL keyword as token set form URL request and analyze these request based on K-mean method to find the standard centroid to cluster these attacks.