Input injection is considered the most common and most effective class of vulnerabilities to exploit in many software systems (especially web applications). In this paper, we propose a way to detect such vulnerabilities, including SQL injection, command injection, and cross-site scripting. Input injection occurs when user input is executed without having been validated or sanitized, so that a malicious agent can change the purpose of the execution to their own advantage. The input injection detector is built by extending an existing static analysis tool, FindBugs. The detection uses a dataflow analysis to track user-contaminated variables. To improve accuracy, reducing both false positives and false negatives, the same dataflow analysis also tracks variables that have been validated or sanitized by developers. Our detector produced only a few false positives and false negatives in our testing on our own test cases and on existing applications, i.e. WebGoat and ADempiere.
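The following is an added illustration of the two-part dataflow idea in the abstract (propagate user contamination forward; let a validation or sanitization step kill it) and is not the paper's FindBugs extension or its code. It is written in Python over a constructed toy intermediate representation rather than Java bytecode: a program is a dictionary of basic blocks, each a list of tuples plus successor names, with `source` (user input), `sanitize` (developer escaping) and `sink` (a query or command execution) as the assumed hypothetical statement kinds. The analysis is a standard forward may-taint worklist fixpoint, so it also shows the case the abstract does not spell out: when only one branch sanitizes, the merge keeps the variable tainted and the sink is still reported.

```python
from typing import Dict, List, Set, Tuple

# Toy IR (constructed for this example, not the paper's representation).
# Statement kinds:
#   ("source", dst)            dst = user-controlled input
#   ("const", dst)             dst = string literal
#   ("assign", dst, src)       dst = src
#   ("concat", dst, a, b)      dst = a + b   (tainted if either operand is)
#   ("sanitize", dst, src)     dst = escape(src)  -> dst is clean
#   ("sink", var, sink_name)   sink_name(var), e.g. executeQuery
Stmt = Tuple[str, ...]
CFG = Dict[str, Tuple[List[Stmt], List[str]]]  # block -> (statements, successors)


def transfer(stmt: Stmt, tainted: Set[str]) -> Set[str]:
    """Apply one statement to the set of user-contaminated variables."""
    t = set(tainted)
    kind = stmt[0]
    if kind == "source":
        t.add(stmt[1])
    elif kind == "const":
        t.discard(stmt[1])
    elif kind == "assign":
        t.add(stmt[1]) if stmt[2] in t else t.discard(stmt[1])
    elif kind == "concat":
        t.add(stmt[1]) if (stmt[2] in t or stmt[3] in t) else t.discard(stmt[1])
    elif kind == "sanitize":
        # Sanitization removes taint; tracking this is what avoids false positives.
        t.discard(stmt[1])
    # "sink" does not change the state; it is checked in find_injections.
    return t


def analyze(cfg: CFG, entry: str = "entry") -> Dict[str, Set[str]]:
    """Forward may-taint analysis: union at merges, iterate to a fixpoint."""
    in_states: Dict[str, Set[str]] = {b: set() for b in cfg}
    worklist = [entry]
    while worklist:
        block = worklist.pop()
        state = set(in_states[block])
        for stmt in cfg[block][0]:
            state = transfer(stmt, state)
        for succ in cfg[block][1]:
            if not state <= in_states[succ]:
                in_states[succ] |= state
                worklist.append(succ)
    return in_states


def find_injections(cfg: CFG) -> List[Tuple[str, str, str]]:
    """Report (block, sink_name, variable) for every sink fed a tainted value."""
    in_states = analyze(cfg)
    findings = []
    for block, (stmts, _) in cfg.items():
        state = set(in_states[block])
        for stmt in stmts:
            if stmt[0] == "sink" and stmt[1] in state:
                findings.append((block, stmt[2], stmt[1]))
            state = transfer(stmt, state)
    return findings


# Constructed sample programs.
# 1) Raw user input concatenated into a query: must be reported.
VULNERABLE: CFG = {
    "entry": ([("source", "name"), ("const", "prefix"),
               ("concat", "q", "prefix", "name"),
               ("sink", "q", "executeQuery")], []),
}
# 2) Developer sanitized the input first: no report (false positive avoided).
SANITIZED: CFG = {
    "entry": ([("source", "name"), ("sanitize", "safe", "name"),
               ("const", "prefix"), ("concat", "q", "prefix", "safe"),
               ("sink", "q", "executeQuery")], []),
}
# 3) Only one branch sanitizes; the merge is a may-union, so still reported.
PARTIAL: CFG = {
    "entry": ([("source", "name")], ["then", "else"]),
    "then": ([("sanitize", "safe", "name")], ["join"]),
    "else": ([("assign", "safe", "name")], ["join"]),
    "join": ([("const", "prefix"), ("concat", "q", "prefix", "safe"),
              ("sink", "q", "executeQuery")], []),
}

if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE), ("sanitized", SANITIZED),
                        ("partial", PARTIAL)):
        print(label, find_injections(prog))
```

The meet operator is the important design choice: using union (may-taint) at the join means a sanitizer on one path never silences a report for the unsanitized path, which is the false-negative direction; using intersection would be the false-positive direction for the sanitized program. A real tool would also need to model which sanitizer fits which sink, since an HTML encoder does nothing for a SQL sink.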