Input injection detection in Java code

Author

Pasaribu, Edward Samuel ; Asnar, Yudistira ; Inggriani Liem, M.M.

Author_Institution

Data & Software Eng. Res. Group, Inst. Teknol. Bandung, Bandung, Indonesia

fYear

2014

Firstpage

1

Lastpage

6

Abstract

Input Injections are considered as the most common and effective vulnerabilities to exploit in many software systems (esp. web apps). In this paper, we propose a way to detect such vulnerabilities, such as SQL injection, command injection, and cross-site scripting. Input injection is caused by executing user inputs which have not been validated or sanitized, so that the purpose of execution is changed by malicious agents into their advantages. The input injection detector is done by extending an existing static analysis tool, namely FindBugs. The detection uses a dataflow analysis to monitor user-contaminated variables. To improve accuracy, reducing false positives and false negatives, dataflow analysis is used to monitor variables that have been validated or sanitized by developers. Our detector has only few false positives and false negatives based on our testing using our test cases and existing applications, i.e. WebGoat and ADempiere.

Keywords

Java; data flow analysis; program debugging; program testing; software agents; FindBugs; Java code; dataflow analysis; input injection detection; malicious agents; software systems; static analysis tool; testing; user-contaminated variable monitoring; Computer bugs; Databases; Detectors; Java; Monitoring; Software; Testing; FindBugs; dataflow analysis; detection; input injection; static analysis;

fLanguage

English

Publisher

ieee

Conference_Titel

Data and Software Engineering (ICODSE), 2014 International Conference on

Print_ISBN

978-1-4799-8175-5

Type

conf

DOI

10.1109/ICODSE.2014.7062698

Filename

7062698