DocumentCode :
3761231
Title :
JIID: Java input injection detector for pre-deployment vulnerability detection
Author :
Manoj K. Jawalkar;Parag S. Gokhale;Arati M. Dixit
Author_Institution :
Department of Technology, Savitribai Phule, Pune University
fYear :
2015
Firstpage :
444
Lastpage :
449
Abstract :
The most common approach to detecting security vulnerabilities is to scan code using vulnerability scanning software. This is either static analysis or dynamic analysis. Both approaches, when performed independently, have their own pros and cons. In order to protect software from attackers, vulnerabilities should be removed as early as possible. Detecting vulnerabilities in an application before its deployment helps reduce the cost required to fix them. In this paper we propose an approach to pre-deployment testing of a web application. We use both static and dynamic analysis techniques to detect vulnerabilities present in the application. This approach helps reduce false positives and false negatives, cost, as well as the time required for fixing the vulnerabilities. We focus on input injection vulnerabilities as they are the most common vulnerabilities found in today's web applications. Injection vulnerabilities are those vulnerabilities that are exploited by entering a malicious input value. We use a tool called FindBugs for our static analysis and a Tomcat server for dynamic analysis.
Keywords :
"Java","Servers","Detectors","Software","Security","Electronic mail","Databases"
Publisher :
IEEE
Conference_Titel :
Research in Computational Intelligence and Communication Networks (ICRCICN), 2015 IEEE International Conference on
Type :
conf
DOI :
10.1109/ICRCICN.2015.7434280
Filename :
7434280