Master of Science
Johnny S. Wong
SQL injection attacks (SQLIA) are among the most common threats to web applications. In these attacks, the attacker alters the queries sent to the database through specially crafted input strings, resulting in unauthorized access to the database. In this paper we present a new approach to detecting SQL injection attacks using the execution plans of MS SQL Server. An execution plan, generated by the query optimizer, describes how a query is executed by the database server; database administrators use execution plans extensively to tune SQL queries. In our approach we use execution plans to detect SQL injection attacks by observing changes in the structure of the query that the database actually executes. Two execution plans are generated for the same query: one during the development phase, from the query as written by the developer, and another at run time, when the user's input has been substituted into the query the developer wrote. The two execution plans are compared to detect SQLIA. We show how our approach detects various types of SQLIA and compare it with other tools that have been successful in identifying SQLIA. We also show how the approach can be extended to other databases such as MySQL and Oracle, and propose a future model that detects SQLIA in all relational databases.
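The comparison step described above, as an added illustration rather than the thesis's own code: the developer's plan is captured once, the runtime plan is captured per query, and only the operator tree of each plan is compared, so changed literal values leave the result untouched while injected SQL that alters the query's shape is flagged. On a real server the XML comes from running the query under `SET SHOWPLAN_XML ON` (or from `sys.dm_exec_query_plan`); the documents below are hand-constructed, heavily trimmed stand-ins that keep only the `<RelOp>` operator tree of real SHOWPLAN_XML output, and the table, column and query names are assumptions.

```python
"""Structural comparison of SQL Server execution plans (added illustration).

Only the nested (PhysicalOp, LogicalOp) operator tree is compared; costs,
row estimates, column lists and literal values are ignored.  The plan XML
below is constructed test data shaped like trimmed SHOWPLAN_XML output,
not output captured from a server.
"""
import xml.etree.ElementTree as ET

SHOWPLAN_NS = "http://schemas.microsoft.com/sqlserver/2004/07/showplan"
RELOP = f"{{{SHOWPLAN_NS}}}RelOp"
STMT = f"{{{SHOWPLAN_NS}}}StmtSimple"


def _plan(*statements: str) -> str:
    """Wrap one <RelOp> tree per statement in a minimal ShowPlanXML document
    (constructed test data)."""
    body = "".join(f"<StmtSimple><QueryPlan>{s}</QueryPlan></StmtSimple>"
                   for s in statements)
    return (f'<ShowPlanXML xmlns="{SHOWPLAN_NS}"><BatchSequence><Batch>'
            f"<Statements>{body}</Statements></Batch></BatchSequence></ShowPlanXML>")


SEEK = ('<RelOp PhysicalOp="Clustered Index Seek" LogicalOp="Clustered Index Seek">'
        '<IndexScan/></RelOp>')
SCAN = ('<RelOp PhysicalOp="Clustered Index Scan" LogicalOp="Clustered Index Scan">'
        '<IndexScan/></RelOp>')

# Assumed developer query: SELECT * FROM Users WHERE username = @u AND password = @p
DEV_PLAN = _plan(SEEK)
# Run time, benign input ('alice', 's3cret'): same shape, different literals.
BENIGN_PLAN = _plan(SEEK)
# Run time, tautology (' OR 1=1 --): the predicate folds to TRUE, seek becomes a scan.
TAUTOLOGY_PLAN = _plan(SCAN)
# Run time, UNION injection (' UNION SELECT ... FROM Users --): a Concatenation appears.
UNION_PLAN = _plan('<RelOp PhysicalOp="Concatenation" LogicalOp="Concatenation"><Concat>'
                   + SEEK + SCAN + "</Concat></RelOp>")
# Run time, stacked query ('; DELETE FROM Users --): a second statement appears.
STACKED_PLAN = _plan(SEEK, '<RelOp PhysicalOp="Clustered Index Delete" LogicalOp="Delete">'
                           "<Update/></RelOp>")


def _child_relops(elem):
    """Yield the nearest <RelOp> descendants of elem.  Child operators sit
    under an operator-specific wrapper element (<Concat>, <Filter>, ...)."""
    for child in elem:
        if child.tag == RELOP:
            yield child
        else:
            yield from _child_relops(child)


def _subtree(relop):
    return (relop.get("PhysicalOp"), relop.get("LogicalOp"),
            tuple(_subtree(c) for c in _child_relops(relop)))


def operator_tree(plan_xml: str):
    """Reduce a ShowPlanXML document to nested (PhysicalOp, LogicalOp, children)
    tuples under a synthetic batch root, one subtree per statement."""
    root = ET.fromstring(plan_xml)
    statements = tuple(_subtree(next(_child_relops(stmt))) for stmt in root.iter(STMT))
    return ("Batch", "Batch", statements)


def plan_diff(expected, actual, path="Batch"):
    """List the structural differences between two operator trees."""
    diffs = []
    if expected[:2] != actual[:2]:
        diffs.append(f"{path}: expected {expected[0]}, got {actual[0]}")
    e_kids, a_kids = expected[2], actual[2]
    for i in range(max(len(e_kids), len(a_kids))):
        child_path = f"{path}/{i}"
        if i >= len(e_kids):
            diffs.append(f"{child_path}: unexpected operator {a_kids[i][0]}")
        elif i >= len(a_kids):
            diffs.append(f"{child_path}: missing operator {e_kids[i][0]}")
        else:
            diffs.extend(plan_diff(e_kids[i], a_kids[i], child_path))
    return diffs


def is_injected(dev_plan_xml: str, runtime_plan_xml: str) -> bool:
    """True when the runtime plan's operator tree differs from the developer's."""
    return bool(plan_diff(operator_tree(dev_plan_xml), operator_tree(runtime_plan_xml)))


if __name__ == "__main__":
    for name, plan in [("benign", BENIGN_PLAN), ("tautology", TAUTOLOGY_PLAN),
                       ("union", UNION_PLAN), ("stacked", STACKED_PLAN)]:
        print(name, "INJECTED" if is_injected(DEV_PLAN, plan) else "ok",
              plan_diff(operator_tree(DEV_PLAN), operator_tree(plan)))
```

One caveat a practitioner would add: the optimizer can legitimately pick different physical operators for the same query as statistics change or under parameter sniffing, so a deployment would need to refresh the baseline plan when the schema or statistics change, or compare at the logical-operator level, to keep false positives down.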
Nagarajan, Sriram, "Detecting SQLIA using execution plans" (2016). Graduate Theses and Dissertations. 15098.