Analysis and Verification on SQLIA Vulnerability for Java EE Programs

by: GUO Fan, FAN Weiwei

Format: Article
Published: Journal of Computer Engineering and Applications Beijing Co., Ltd., Science Press 2021-02-01

Description

SQLIA vulnerabilities undermine the integrity of the Web back-end database and have always been a major threat to Web application security. This paper proposes a solution to detect and verify SQLIA vulnerabilities in Java Web programs. It combines static analysis with dynamic verification and formalizes the definition of instruction-level taint propagation semantics, which can effectively track the spread of taint information across files and pages. Static analysis first processes and classifies Sources to obtain a true and reliable Source collection, then uses the multiple relationships among methods, requests, sessions, method calls, etc. to match potential Source and Sink pairs, so that the analysis can filter out unrelated Sources and Sinks. Finally, the paper combines static taint analysis with live-variable analysis to eliminate Sources and Sinks between which there is no taint propagation path. Dynamic verification first instruments the program, then performs dynamic taint propagation and produces a trace while executing it. After that, it verifies the correctness of the static analysis results by analyzing the trace and obtains real bugs together with their taint propagation paths. A prototype system is implemented on top of Soot, and experimental results on several open-source programs show the effectiveness of the approach.
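The static-then-dynamic pipeline described above, as an added illustration that is not the paper's Soot-based prototype: a constructed three-address form of a servlet handler, a forward instruction-level taint propagation that only reports Source/Sink pairs joined by a propagation path (the Source at pc 1 is dropped because its taint never reaches a Sink), and an instrumented execution whose trace confirms each static finding. The instruction format, Source/Sink method names and inputs are assumptions made for this example.

```python
# Constructed three-address instructions: (destination, operation, operands).
# "call:X" invokes method X; quoted operands are string constants.
SOURCES = {"request.getParameter", "session.getAttribute"}
SINKS = {"Statement.executeQuery", "Statement.execute"}

PROGRAM = [
    ("uid",  "call:request.getParameter", ["'id'"]),
    ("role", "call:session.getAttribute", ["'role'"]),
    ("q",    "concat", ["'SELECT * FROM acct WHERE id='", "uid"]),
    ("rs",   "call:Statement.executeQuery", ["q"]),
    ("msg",  "concat", ["'hello '", "role"]),      # tainted but never reaches a Sink
    ("log",  "call:Logger.info", ["msg"]),
]
# Constructed request/session values for the dynamic run (assumption).
INPUTS = {"request.getParameter": {"id": "42"}, "session.getAttribute": {"role": "user"}}

def static_taint(program):
    """Forward taint propagation over instructions. Each variable carries the list of
    paths (pcs from a Source through its definitions) that taint it; a finding is only
    emitted when such a path reaches a Sink, so Sources with no path are filtered out."""
    paths, findings = {}, []
    for pc, (dst, op, args) in enumerate(program):
        method = op[5:] if op.startswith("call:") else None
        incoming = [p for a in args for p in paths.get(a, [])]
        if method in SINKS:
            findings += [{"source": p[0], "sink": pc, "path": p + [pc]} for p in incoming]
        new = [p + [pc] for p in incoming]
        if method in SOURCES:
            new.append([pc])          # a Source defines a fresh taint label
        if new:
            paths[dst] = new
    return findings

def dynamic_verify(program, findings, inputs):
    """Instrumented execution: every runtime value is (string, set of Source pcs).
    The trace records which labels reach each Sink; a static finding is confirmed
    when its Source label is observed at its Sink during the run."""
    env, trace = {}, []
    for pc, (dst, op, args) in enumerate(program):
        vals = [env[a] if a in env else (a.strip("'"), set()) for a in args]
        labels = set().union(*(l for _, l in vals))
        if op == "concat":
            env[dst] = ("".join(v for v, _ in vals), labels)
        elif op[5:] in SOURCES:
            env[dst] = (inputs.get(op[5:], {}).get(vals[0][0], ""), {pc})
        else:
            if op[5:] in SINKS:
                trace.append((pc, sorted(labels), vals[0][0]))
            env[dst] = ("", labels)   # callee result inherits its arguments' taint
    confirmed = [f for f in findings
                 if any(f["sink"] == pc and f["source"] in labs for pc, labs, _ in trace)]
    return confirmed, trace
```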