Title :
Input injection detection in Java code
Author :
Pasaribu, Edward Samuel ; Asnar, Yudistira ; Inggriani Liem, M.M.
Author_Institution :
Data & Software Eng. Res. Group, Inst. Teknol. Bandung, Bandung, Indonesia
Abstract :
Input Injections are considered as the most common and effective vulnerabilities to exploit in many software systems (esp. web apps). In this paper, we propose a way to detect such vulnerabilities, such as SQL injection, command injection, and cross-site scripting. Input injection is caused by executing user inputs which have not been validated or sanitized, so that the purpose of execution is changed by malicious agents into their advantages. The input injection detector is done by extending an existing static analysis tool, namely FindBugs. The detection uses a dataflow analysis to monitor user-contaminated variables. To improve accuracy, reducing false positives and false negatives, dataflow analysis is used to monitor variables that have been validated or sanitized by developers. Our detector has only few false positives and false negatives based on our testing using our test cases and existing applications, i.e. WebGoat and ADempiere.
Keywords :
Java; data flow analysis; program debugging; program testing; software agents; FindBugs; Java code; dataflow analysis; input injection detection; malicious agents; software systems; static analysis tool; testing; user-contaminated variable monitoring; Computer bugs; Databases; Detectors; Java; Monitoring; Software; Testing; FindBugs; dataflow analysis; detection; input injection; static analysis;
Conference_Titel :
Data and Software Engineering (ICODSE), 2014 International Conference on
Print_ISBN :
978-1-4799-8175-5
DOI :
10.1109/ICODSE.2014.7062698
