Poor Coding Leads to DoS Attack and Security Issues in Web Applications for Sensors

Riphah Institute of Systems Engineering, Riphah International University, Islamabad 44000, Pakistan; Department of Computer Science, National University of Computer and Emerging Sciences, Islamabad, Pakistan; Department of Computer Science and Information Technology, Islamic Azad University, Mahdishahr Branch, Mahdishahr, Iran; Department of Information Technology, Quaid-E-Awam University of Engineering, Science and Technology, Nawabshah 67450, Pakistan; Department of Information Technology, University of Sufism and Modern Sciences, Bhitshah 70140, Pakistan


Introduction
With the growing number of mobile app users, everyone is trying to develop their business apps as soon as possible. These mobile apps are used to track users' activities, get information regarding vehicle locations, and track logistics. For tracking vehicles, different types of mobile apps or sensors are used. For the full functionality of these apps or sensor devices, support software is required, such as Personal Home Page (PHP) for the backend server, MySQL for data storage, and NodeJS for other functionality required by clients or devices. Many different types of open-source frameworks are used for backend functionality. If an old version of these third-party tools is used, then it may have a well-known vulnerability that can be exploited by an attacker or adversary.
All of the above Structured Query Language (SQL) injection attacks are more dangerous for the web application or for other devices (like mobile apps or sensors) which are using it as web services.
This attack is at the top of all injection-type family attacks or web application attacks. In this attack, the weakness of input fields is exploited by the attackers. It is performed by inserting the SQL query command into the input, or the query will be appended to the targeted Uniform Resource Locator (URL). These SQL queries are transformed into SQL code which is inserted by an attacker [1,2]. This injection vulnerability is the main point of web application security exploitation by an attacker. These loopholes in web applications remain because input boxes are not sanitized properly [1]. If an old PHP version is used during the development and testing phase, it will also make web applications vulnerable. A web application developed on a local system with the latest version of PHP, with an old version installed on the production server, may lead to the unavailability of web application services for users.
This may disturb other applications during the upgrade of the PHP version if there is a shared server to save the operational cost of hosting, or if any old version of a PHP framework such as WordPress is in use, which can also be more dangerous for web application services [3]. With these vulnerable frameworks, the attacker can delete databases or ask for a ransom to restore those databases or encrypted code. Another issue for the performance and security of web applications is the sockets used for communication between the web server and sensors. The nature of sensors is heterogeneous; due to this, the use of the same protocol for communication is not possible [4]. These sensors are more vulnerable to exploitation due to low computing and power storage.
These sensors are used for different types of services, such as in the health system for monitoring the condition of patients [5], in vehicles to trace their location, and in water management for checking the level of water in rivers. As the usage of IoT sensors is growing in every area of life, the number of attacks also increases. These attacks are performed on different layers of IoT sensors to stop services for legitimate users or to forward fake information. This research paper has used sensors in vehicles for tracking them. The sensors are supported by socket-based communication for sending and receiving information between clients and the server. The use of these sensors makes it easier to monitor taxis and to get information regarding peak hours and more business areas for taxi services. As the number of requests increases and socket connections go into the backlog, the server stops binding the socket port to the Internet Protocol (IP) address. To fix the port-binding error, this backlog must be cleared by one of two methods: first, killing all backlog connections manually, or second, restarting the service of the socket connection program. When either of these two methods is performed, the sensor connection services will be down for the users. It can be said that it is a self-created Denial of Service (DoS) attack on services [6]. Due to this type of SQL injection attack, not only is a specific application disturbed, but the complete database server is crashed so that all other applications are not accessible to valid users, which is the cause of DDoS attacks on database servers. Another issue with sockets is that system firewalls will be applied to make a socket with the server. It will be a more critical issue for the security of a web server because everyone is allowed to make a socket connection with the server, and this can be exploited by an attacker for malicious activities.
This paper is organized as follows: In Section 2, the related work is described for the most threatening web application attacks, sensor-based device usage and security issues, and WebSocket-related problems. In Section 3, we describe the proposed methodology. In Section 3.1, we will define how the database server is crashed with poor coding. In Section 4.2, we mention a few major issues related to WebSockets when using PHP programming. Section 4 will describe the results and discussions. In Section 5, this paper will be concluded.

Related Work
For one and a half decades, the SQL injection attack was at the top of all attacks on web applications. Every attacker targets the vulnerability of SQL injection in a web application to exploit it and take control of all services related to the webserver.
This attack is performed by appending or inserting malicious SQL queries into a legitimate query. The author has proposed WAVES to test the vulnerabilities of SQL injection in web applications based on the black-box method [7].
This will find every entry point of SQL injection in web applications by using the web crawling method. After that, it will use a predefined number of methods and attack techniques on those vulnerabilities for the SQL injection attack. In the last step, WAVES will monitor the web application traffic to check the reaction to that attack, and to further improve the attack method, a machine learning method is used. The researcher has proposed a method for tautology-based SQL injection queries in which the queries created at the application layer are analyzed with a static method combined with an automated process [8]. But it is limited to tautology-based SQL injection and will not detect or prevent attacks related to this. The AMNESIA model has been proposed by an author and it is based on static and dynamic analysis of the queries [9]. In the static analysis process, AMNESIA looks into the legitimate queries generated by the application with every connection to the database; on this basis, it creates a prototype of queries. In the second process of dynamic analysis, AMNESIA interprets all queries before they are forwarded to the database and compares every query with the static prototype model already created. If any query is out of scope of this model, then the query will be considered an SQL injection attack and will not be executed on the database server. But this model has a higher ratio of false positives or false negatives if queries are encrypted by developers. The ARDILLA tool has been proposed by an author for the detection of SQL injection and Cross-Site Scripting attacks in real time [10]. ARDILLA is developed for PHP script input testing only, and sessions are not handled by this tool.
The Web Application SQL injection Protector (WASP) has been proposed by the researcher, and this tool is used to detect SQL injection attacks from stored procedures with real-time configuration [11]. But this tool needs much more improvement for the protection of web applications from SQL injection and XSS attacks.
As the demand for an easy life has increased, the usage of IoT devices or sensors has also increased. Some people need to know about their business, such as tracking their goods, vehicles, and cab services, and monitoring patients' health conditions. The latest version of Homecare is known as E-Homecare services, which have functions of injection timings, diet management, a routine of exercise, and monitoring of health conditions [12]. "SmartPill" Wireless container is utilized to transmit intraluminal pH, pressure, and temperature information at standard interims to SmartPill GI Monitoring framework [13]. Titan implantable hemodynamic sensor (IHM) is a gadget having a size of a pencil eraser that can be embedded in the core of a patient to quantify basic factors like temperature, and afterward, remotely transmit this information to a protected database [14]. Intelligent vehicle: An arrangement of mechanical applications to gather data on the position, kinematics, and elements of the vehicle, the condition of nature, and the condition of the driver and the traveler, to survey such data and settle on choices dependent on it. It is fit for duplex correspondence with a side of the road foundation and different vehicles, to utilize computerized map applications and satellite situating frameworks, it has a functioning web association and its physical location [15]. A Smart Sustainable City (SSC) using Information and Communication Technologies (ICTs) for the creative city will give a better life, productivity of urban facilities, and competitiveness in between them. With this, current and future needs can be met as per economically, socially, and environmental changes [16]. The scholar in [17] proposed a 2-pivot MAG for distinguishing vehicle driving direction. A high discovery pace of 99% was seen when making a trip vehicles pass near the sensor. Execution corrupted to 89% as the signal-to-noise ratio (SNR) decreased.
A two-edge, four-state machine calculation was presented in [18] for vehicle discovery utilizing 3-hub MAG.
The WebSocket protocol was created as a major aspect of the HTML 5 activity to encourage communications channels over TCP. WebSocket is neither a request/response nor a distribute/subscribe protocol. In WebSocket, a customer introduces a handshake with a server to set up a WebSocket session. The handshake itself is like HTTP, so web servers can deal with WebSocket sessions just as HTTP associations through a similar port [19]. As the WebSocket connection is established between client and server, they can send or receive data to each other with half-duplex. This connection will remain active for an unlimited time and can be closed by the client or server as they want [20]. The WebSocket Application Program Interface (API) provides great functionality to websites to establish a connection and transmit data to any server [21]. Due to this functionality, it is easy and effortless for a developer to work on WebSockets in websites for transmitting data. The major drawback of WebSocket is that it does not add the HyperText Transfer Protocol (HTTP) header along with the connection. Due to this, the policy of origin resource verification does not provide a secure connection anymore because these origins can be spoofed [22]. As per the author, another security issue is cache poisoning with WebSockets; to protect them from this vulnerability, the protocol working group introduced the method of frame-masking [21,23]. With the addition of frame-masking, the cross-site scripting injection attack has been blocked, but the information of WebSocket cannot be transferred in plain text between client and server. Frame-masking has been used with WebSockets for protection from the cache poisoning attack, but it makes the detection of malicious data via firewalls and other virus detection tools harder [24]. The firewalls can be bypassed by the attackers to compromise the targeted user browser and create that as a WebSocket proxy between him and the targeted organization network [25].
It is also vulnerable to another more common attack type, Denial of Service (DoS). In this case, attackers try to overwhelm the clients or server with bursts of information or with too many connection requests; due to this, the legitimate users will not be able to complete their requests. In any case, on the web applications that use WebSockets, the XSS vulnerabilities open up a few new dangers. For example, with an XSS defencelessness, the attack might have the option to supersede the callback elements of a WebSocket association with custom ones [22]. This methodology permits the attacker to sniff the traffic, control the information, or actualize a man-in-the-middle attack against WebSocket associations.
When InnoDB is applied with MySQL, it creates too many issues related to SQL injection attacks, which may lead to a complete crash of the database server. Therefore, there is a need for a solution for the prevention of this type of SQL injection attack.

Proposed Methodology
This research will describe the practical deployment of WebSockets for the tracking of vehicles with sensors installed in them.
The complete deployment scenarios of the vehicle tracking application are defined in this section. To take care of major constraints regarding low power storage, these sensors have been implemented in idle state condition or, in other words, as passive-mode sensors. This web application and MySQL server are deployed on Ubuntu 19.04 along with all updates of the operating system. All other tools are also up-to-date as of the deployment of this application, which was implemented about six months ago. Furthermore, in this proposed method the latest PHP version 7.3, Laravel framework 5.4.36, MySQL 5.7, and NodeJS v13.3.0 are installed for the proposed application (see Figure 1). The aim is to avoid the well-known vulnerabilities regarding the operating system, web application framework, database server, and version of PHP used for WebSockets. To avoid fake sensors, the authentication process has been implemented with the help of the Laravel framework web application. In this process, the drivers or vendors of vehicles need to be registered at the web application along with their personal information and sensor identification number, which may be its serial number. As a constraint of the sensors, they accept only WebSockets for communication instead of any API. So for this communication between vehicles and servers, the WebSocket program is developed in custom PHP, which is defined in the results and discussions section. For the security of web applications at the operating system level, iptables or Uncomplicated Firewall (UFW) has been used to block unauthorized users. For more protection at the system level, the version of the Apache web server and operating system is configured as hidden in apache2.conf (see Figure 2) with red circle options.
The user's login information, sensor details, and movement of vehicles are stored in the MySQL database, which is also hosted on the same server along with the web application. For the optimization of the MySQL database, in this research, InnoDB has been used for the stored procedure, which gives the functionality of foreign key relationships between tables. More features and drawbacks of the InnoDB and MyISAM stored procedures are explained in the next section on crashing the database server. All critical information regarding users, sensors, and vehicles is stored in a database, so its security is implemented at the system level, such as disallowing remote login on a database for the root or normal users from any IP address. The default databases in MySQL have been removed, and the database users have been created with complex password authentication to avoid brute-force attacks on MySQL databases. For protection from cache poisoning or man-in-the-middle attacks, encryption has been implemented for the WebSocket communication between sensors and the web application server. To compare the WebSocket issues regarding performance and backlog closing of connections with sensors, NodeJS has been implemented for it.

Crashing Database Server.
The most critical part of any web application is its databases because they are the main source of information storage regarding its users, user sessions, integrated third-party application information, financial information, locations of users or vehicle tracking information, and much more. As per the last two decades of research work regarding web application attacks and the OWASP top 10 attack reports of 2013 and 2016 [26,27], the SQL injection attack is at the top of all. This attack is more dangerous for web applications in the form of information stealing, DoS attack [28], system crashing, alteration of database records to insert fake information, traffic redirection, and getting root rights on the system. This attack is easy for attackers to perform with little effort. That is why everyone is trying to exploit this injection vulnerability. The SQL injection attack is performed on web applications that have the vulnerability of weak validation on input fields such as a login form. These input fields are not sanitized properly. For better performance and optimization of the MySQL database, two types of stored procedures are used, namely InnoDB and MyISAM. The usage of these methods is based on the requirements of web applications.
The advantages and disadvantages are explained as follows.
3.2. InnoDB Store Procedure.
For the transactional database or relationships of tables, the InnoDB stored procedure is used [29]. This is used for more write operations into databases such as insert and update. This stored procedure is used for solving the issue of table-locking weakness. InnoDB is used in applications where data integrity is in high demand for the users, and this is achieved with the help of relationship and transaction functionality. It is used for faster write operations into databases because it supports locking the tables at row level for better integrity. It is the most fitting stored procedure for high-simultaneousness and high-exchange remaining tasks at hand.

MyISAM Store Procedure.
The default stored procedure for MySQL is MyISAM, used for the high usage of reading operations. But another issue with this is that fewer transactional and a low level of concurrent write operations are supported. If any application needs big-size tables and fewer changes are required, then the MyISAM stored procedure is used as a priority [29]. If anyone wants to use it as transactional, then they need to add an extra MySQL SQL extension of Lock Table and Unlock Tables. It is used for high-speed reads and is simple to implement; due to this, it is most popular for general-purpose stored usage.
In this research paper, we have used the InnoDB stored procedure for the vehicle tracking application. In this application, relationships between tables and more write operations are needed. The user login information, sensor information, vendors' details, and the location tracking of vehicles are stored in this database. As per the previous study of the SQL injection attack, we sanitized input fields for malicious query protection and used the latest version of the framework and MySQL. But still, the database server crashed with one wrong value entry at the user login page. That wrong password value with special characters is in bold (see Figure 3).
In 2008 or earlier, for bypassing HTTP communication, a new method for two-way communication was developed. Maltreatment of HTTP for bidirectional correspondence prompts imperfect utilization of HTTP connections, causing superfluous issues for correspondence parties. For the solution of this issue, it was added into working draft 10 for HTML5 in June 2008, and that program function was named TCP connection, which is based on the Transmission Control Protocol (TCP) socket API [30]. The TCP connection was renamed WebSocket in late July 2008. Originally the WebSocket was created by the World Wide Web Consortium (W3C) and the WHATWG group, but it was transferred to the Internet Engineering Task Force (IETF) for further development in February 2010. After many revisions, the IETF published the final version as the WebSocket protocol with Request For Comments (RFC) 6455 in December 2011 [31]. The communication methods used [32] are given below.

Request or Response Method.
It is a system where the customer sends a solicitation to the server and gets a reaction. This procedure is driven by some cooperation, for example, the snap of a catch on the website page to invigorate the entire page. At the point when Asynchronous JavaScript and XML (AJAX) entered the image, it made the website pages dynamic through the use of JavaScript mechanization and aided in stacking some piece of the page without stacking the entire page once more. When InnoDB is applied with MySQL, it creates too many issues related to SQL injection attacks, and it may lead to a complete crash of the database server. Therefore, there is a need for a solution for the prevention of this type of SQL injection attack.

Polling Method.
It is a system for situations where information should be invigorated without client collaboration, for example, the score of a football coordinate. In surveying, the information is brought after a set timeframe and it continues hitting the server, whether or not the information has changed or not. This makes superfluous solicitations to the server, opening an association and afterward shutting it without fail. It is related to WebSockets that shows how they handle the request of users.

Long Polling Method.
It is an instrument mishandling Request/Response where the association is kept open for a specific timeframe. At the point when the customer utilizes long surveying, the server reacts to the customer simply after the information is fit to be sent, which contrasts with the conventional Request/Response strategy where the reaction is sent to the customer directly after the solicitation. This is one of the approaches to accomplish constant correspondence. However, it works just with known time interims.
This research has used the PHP custom program for the WebSocket communication between vehicle sensors and the web application server.
This connection is used for the tracking of vehicles to get more information regarding peak hours of passengers for taxis and vehicle movement information for their vendors. The connection between the web server and vehicle sensors has no time limit for closing, as a few logs of the CLOSE_WAIT state show (see Figure 4).
As the above log entries for the CLOSE_WAIT state, also known as long-polling of the WebSocket connection, show, there are many more connections in this state. It is causing too many problems for the webserver. The main issue is that the IP address cannot be bound to port 25001 of the WebSocket for new connection requests from sensors. Sending or receiving information from vehicle sensors is also stopped due to this IP address binding issue. The WebSocket connection creation code, the temporary solution for this custom PHP program, and the permanent solution to this problem are discussed in the next section of results and discussion.
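One way to watch for the backlog described above before the port stops accepting connections, as an added example that is not the paper's code: it parses `netstat -tan` output and reports CLOSE_WAIT sockets on the WebSocket port 25001, grouped by peer. The sample output, the addresses and the alert threshold are constructed assumptions.

```javascript
// Constructed sample of Linux `netstat -tan` output (documentation-range IPs).
const SAMPLE = `Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25001           0.0.0.0:*               LISTEN
tcp        1      0 192.0.2.10:25001        198.51.100.7:51812      CLOSE_WAIT
tcp        1      0 192.0.2.10:25001        198.51.100.8:40022      CLOSE_WAIT
tcp        0      0 192.0.2.10:25001        198.51.100.9:40100      ESTABLISHED
tcp        1      0 192.0.2.10:25001        198.51.100.7:51990      CLOSE_WAIT
tcp        0      0 192.0.2.10:443          203.0.113.5:60001       ESTABLISHED
tcp6       0      0 :::3306                 :::*                    LISTEN
tcp        0      0 192.0.2.10:443          203.0.113.6:60002       TIME_WAIT`;

// Split "host:port" on the last colon so IPv6 forms such as ":::3306" work.
function splitHostPort(addr) {
  const i = addr.lastIndexOf(':');
  return { host: addr.slice(0, i), port: addr.slice(i + 1) };
}

// Turn netstat text into rows; banner and column-header lines are skipped.
function parseNetstat(text) {
  const rows = [];
  for (const line of text.split('\n')) {
    const f = line.trim().split(/\s+/);
    if (f.length < 6 || !/^tcp6?$/.test(f[0])) continue;
    const local = splitHostPort(f[3]);
    const remote = splitHostPort(f[4]);
    rows.push({
      localPort: Number(local.port),
      remoteHost: remote.host,
      state: f[5],
    });
  }
  return rows;
}

// CLOSE_WAIT means the peer has closed and the local program has not yet
// closed its side, so a growing count points at the server application.
function closeWaitReport(text, port, threshold) {
  const conns = parseNetstat(text)
    .filter((r) => r.localPort === port && r.state !== 'LISTEN');
  const stuck = conns.filter((r) => r.state === 'CLOSE_WAIT');
  const byPeer = {};
  for (const r of stuck) {
    byPeer[r.remoteHost] = (byPeer[r.remoteHost] || 0) + 1;
  }
  return {
    port,
    total: conns.length,
    closeWait: stuck.length,
    ratio: conns.length ? stuck.length / conns.length : 0,
    byPeer,
    alert: stuck.length >= threshold, // threshold is an assumed tuning value
  };
}

// Port 25001 is the WebSocket port named in the text; 3 is a demo threshold.
console.log(closeWaitReport(SAMPLE, 25001, 3));
```

Run periodically against live `netstat -tan` output, a rising `closeWait` count gives warning before a restart becomes the only option.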

Results and Discussion
This section will discuss the issue of a wrong entry from the user into SQL databases which crashed its InnoDB store procedure, how the WebSocket connections are created in the PHP custom program, and the issue of the CLOSE_WAIT state of those connections for an unlimited time. The temporary solution to this problem is to apply a timer for unused opened connections to close those WebSocket connections. A permanent solution to this problem is the usage of a NodeJS-based application for unlimited WebSocket connections without any overhead on the server. To the best of our knowledge, this research has used the latest software and tools for this web application of the vehicle tracking system to avoid known vulnerabilities of SQL injection, PHP frameworks, the Apache web server, and any other vulnerability related to the operating system. First, we will discuss how the MySQL database server crashed with a single entry at the login page.

InnoDB Crashed.
The InnoDB store procedure is used for transactional operations and relationships between tables. It is used in web applications on which write operations are performed more frequently, with the support of table lock for the integrity of data. But the database server crashed with a single wrong entry into the database at the login page, as described in Figure 3. Due to that wrong entry, the InnoDB store procedure crashed. The MySQL InnoDB crash is shown in Figure 5.
As in Figure 5, it crashed due to the wrong value that was inserted into the databases. This was the main reason behind the crash. The value of key_buffer_size was inserted at a large size compared with its normal value. Because of this, InnoDB crashed. Figure 6 gives more details regarding the database crash.
To recover from this issue, we have applied two methods: first, this research proposed changing the store procedure from InnoDB to MyISAM, and secondly, changing the value in the my.cnf file to recovery mode for InnoDB. As the database structure changed from InnoDB to MyISAM, all relationships between tables were deleted by this operation and transactional operations for insertion were also disturbed. This process took down the web service for the sensors to track the location of vehicles, and it is a shared hosting server. Due to this, other web applications were also unavailable for the users. This is known as a self-DoS attack on an organization's web services to clients. As in Figure 7, the recovery mode entry in the my.cnf file has been added as a temporary solution to the crashed InnoDB. InnoDB has been set to recovery mode to fix the crashing issue of the store procedure. But due to these changes, the insertion, updating, and deletion operations have been locked in the databases. All databases with the InnoDB store procedure have been disturbed due to these changes. The users of those web applications are unable to write data into a database. To recover from this issue, the MySQL database server has been reinstalled after taking a backup of all databases on this server. As experienced, a single wrong value entered by a user at the login page created this problem. To protect the database from this issue again, we have applied a limit on the value of that field of the login page, and gone through validation of each input field of the web application again against any malicious record entry.
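The field limit and input validation described above, as an added example that is not code from the paper: the login handler caps field lengths before anything reaches the database and binds the value as a parameter instead of concatenating it into the SQL string. The `users` table, its columns, the length caps and the sample inputs are assumptions.

```javascript
// Assumed length caps for the login form fields.
const LIMITS = { email: 254, passwordMin: 8, passwordMax: 128 };

// Validate shape and size only; the password is never restricted to a
// character set, because it is never placed into SQL text.
function validateLogin(input) {
  const errors = [];
  const email = typeof input.email === 'string' ? input.email.trim() : '';
  const password = typeof input.password === 'string' ? input.password : '';

  if (email.length === 0 || email.length > LIMITS.email) {
    errors.push('email length');
  } else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    errors.push('email format');
  }
  if (password.length < LIMITS.passwordMin ||
      password.length > LIMITS.passwordMax) {
    errors.push('password length');
  }
  if (/[\u0000-\u001f\u007f]/.test(email + password)) {
    errors.push('control characters');
  }
  return { ok: errors.length === 0, errors, email, password };
}

// Before: user input becomes part of the SQL text, so a quote character in
// either field changes the structure of the statement.
function unsafeLoginQuery(email, password) {
  return "SELECT id FROM users WHERE email = '" + email +
         "' AND password = '" + password + "'";
}

// After: the SQL text is a constant, the email travels as a bound parameter,
// and the password is checked in the application against the stored hash.
function safeLoginQuery(input) {
  const v = validateLogin(input);
  if (!v.ok) return { rejected: true, errors: v.errors };
  return {
    rejected: false,
    sql: 'SELECT id, password_hash FROM users WHERE email = ? LIMIT 1',
    params: [v.email],
  };
}

// Constructed inputs: one with quote characters, one far over the size cap.
const QUOTED = { email: 'driver@example.com', password: "x' OR 'a'='a" };
const OVERSIZED = { email: 'driver@example.com', password: 'A'.repeat(5000) };

console.log(unsafeLoginQuery(QUOTED.email, QUOTED.password));
console.log(safeLoginQuery(QUOTED));
console.log(safeLoginQuery(OVERSIZED));
```

The object returned by `safeLoginQuery` is meant to be passed to a driver's prepared-statement call, which sends the SQL text and the parameters separately.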

WebSocket Long Polling Issue.
As mentioned earlier in this research in section V regarding states of WebSockets for communication between client and server, the first two states of request/response and polling are working fine in the PHP custom program for the connection between vehicle sensors and the web application for tracking. The code section for WebSocket connection creation between sensors and web applications is shown in Figure 8.
If a WebSocket connection is already created with the binding of the same port to the IP address, then it shows us the message that the WebSocket cannot be created. The connection creation time has been set to 300 seconds in decremented order. When the connection is successful, the host IP address and port will be bound. Communication will be started between sensors and web servers for the storage of information regarding the tracking of vehicles, insurance details, etc.
We have faced issues at the long-polling connection. They are going into the backlog for an unlimited period. As shown in this research in Figure 3 in Section 6, there are too many connections in the state of CLOSE_WAIT, and due to this, new connections cannot be created and old connections are unable to send or receive required data. This problem occurs when more than 10 users are trying to connect with the webserver at the same time. This is not good for the production servers, as in real time there are 0.3 million users who will have to use this service for sharing their location information, insurance details, and other required details for the security of users. The issue of IP address binding with the port occurred as the number of users increased, as in Figure 9. We have given just a single error message of IP address bind, but there are too many of the same type of error messages regarding binding.
To avoid this issue of IP address binding with the port of the WebSocket, a temporary solution has been applied. In this research, we have created a service for WebSocket connections (see Figure 10). This service has been added to crontab job scheduling, and it is restarted every two hours to kill the backlog of WebSocket connections (see Figure 11).
By doing this, the service of WebSocket connection to users is unavailable because there is a need to kill all the processes related to these connections for sensors. It is not good for production servers or applications that the WebSocket service is restarted every few hours, and this is critical for a real-time application; it is not considered good practice in the case of the vehicle tracking system.

Permanent Solution for WebSocket Connections.
To solve this issue, we have implemented WebSocket connections between sensors and the webserver by using NodeJS version 13.3.0. This research has faced the issue of the backlog in the CLOSE_WAIT state for too many connections, due to which new connection requests are not completed and old connections are unable to send or receive data for tracking the vehicles. The connection code in NodeJS is as shown in Figure 12.
In the above connection, the function has been created for the WebSocket for the sensors installed in vehicles. With the help of NodeJS, the autotest of more than 100K requests for the WebSocket connection has been created without any issue of backlog or error of IP address binding with the port (see Figure 13).
And in production currently, almost 5K requests are handled by the server without any error of binding the port with the IP address. The long-polling connections are not opened for an unlimited time between sensors and the webserver. Once the data regarding vehicle location tracking, its insurance details, and vendor details are shared or inserted into the database, the connection will be closed. The confusion matrix has been given in Table 1 for the proposed methodology in this research paper. The second name of the confusion matrix is the error matrix, which is used for the quantity-based analysis of static data. The proposed system to change the structure of the MySQL database from InnoDB to MyISAM is best against the attack mentioned in the above sections. The overall accuracy of this proposed method is 96.154%.

Conclusions
For ease of business and to facilitate customers, everyone wants a presence on web applications and mobile apps. The trend of monitoring has increased for security reasons and to get more data on traffic jams and on peak hours when customers are hiring taxis, delivery services, health services, online education, etc. Due to this, the usage of IoT devices has also increased. With the use of these devices, some existing security issues and some new issues have arisen; for communication, WebSockets were introduced back in 2008, and the existing type of attack is SQL injection. As we have experienced, just using the latest tools, frameworks, or operating system is not a solution to security breaches for a web application or sensor devices. There is another factor in service unavailability, which is poor coding and the selection of a poor programming software solution for WebSocket connections between sensors and the webserver. The high security risk to web applications is the SQL injection attack, which is performed on web applications whose input fields are not sanitized properly, as we have seen that just a single wrong value entered at the login page crashed the MySQL InnoDB store procedure. Due to this, the vehicle tracking services to clients remained unavailable for a long time. To come online again temporarily, the stored procedure has been changed from InnoDB to MyISAM. But with this change, the performance of transactional operations decreased and relationships between tables were also deleted. There is a need to change the MySQL mode for InnoDB into recovery mode. Due to this, other hosted websites also go down. For protection from the injection type of attacks on web applications, the input fields need to be sanitized so that malicious users are unable to insert malicious scripts into targeted web applications.
Secondly, the WebSocket connection program was written as a PHP custom program, which created another issue of binding the IP address with ports. New WebSocket connections are not created and old connections are also unable to send or receive data. As a temporary solution, we have implemented a WebSocket connection service restart in a CronJob of Ubuntu. This was not a good solution for the production server. So, this research has changed the program for WebSocket connections to NodeJS as a permanent solution to this issue. Now the webserver can handle 100K+ requests without any problem of IP address binding with port numbers.

Data Availability
Data used to support this study are available from the corresponding author upon request via email (bux.khuda@gmail.com).

Conflicts of Interest
The authors declare no conflicts of interest.