A Reusable SQL Injection Detection Method for Java Web Applications

• Chengwan He,
• Yue He,

Vol. 14, No. 6, June 30, 2020
10.3837/tiis.2020.06.014, Download Paper (Free):

• SQL injection attack
• aspect-oriented programming
• Taint Analysis
• aspect library
• metamodel

Abstract

The fundamental reason why most SQL injection detection methods are difficult to use in practice is the low reusability of the implementation code. This paper presents a reusable SQL injection detection method for Java Web applications based on AOP (Aspect-Oriented Programming) and dynamic taint analysis, which encapsulates the dynamic taint analysis processes into different aspects and establishes aspect library to realize the large-grained reuse of the code for detecting SQL injection attacks. A metamodel of aspect library is proposed, and a management tool for the aspect library is implemented. Experiments show that this method can effectively detect 7 known types of SQL injection attack such as tautologies, logically incorrect queries, union query, piggy-backed queries, stored procedures, inference query, alternate encodings and so on, and support the large-grained reuse of the code for detecting SQL injection attacks.

Statistics

Cite this article