Date of Award
5-2023
Document Type
Thesis
Degree Name
Master of Science (MS)
College/School
College of Science and Mathematics
Department/Program
Computer Science
Thesis Sponsor/Dissertation Chair/Project Chair
Kazi Zakia Sultana
Committee Member
Jiayin Wang
Committee Member
John Jenq
Abstract
SQL injection attacks are a significant threat to web application security, allowing attackers to execute arbitrary SQL commands and gain unauthorized access to sensitive data. Static source code analysis is a widely used technique for identifying security vulnerabilities in software, including SQL injection vulnerabilities. However, existing static source code scanners often produce false positives and require a high level of expertise to use effectively. This thesis presents the design and implementation of a static source code scanner for SQL injection vulnerabilities in Java queries. The scanner combines pattern matching with data flow analysis: it examines method calls, expressions, and variable declarations to detect potential SQL injection vulnerabilities in the code.
To evaluate the scanner, injectable SQL is manually introduced into the queries of test code, and the scanner is run against that code to measure its ability to detect the resulting vulnerabilities. The results showed that the scanner identified a high percentage of these SQL injection vulnerabilities.
The scanner's limitations include its inability to recognize user input validation that happens at runtime, and its reliance on predefined patterns and heuristics to identify vulnerabilities. Despite these limitations, the scanner provides a useful tool for junior developers to identify and address SQL injection vulnerabilities in their code.
This thesis presents a static source code scanner that can effectively detect SQL injection vulnerabilities in Java web applications. The scanner's design and implementation provide a useful contribution to the field of software security, and future work could focus on improving the scanner's precision and addressing its limitations.
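As an added worked example (not the thesis's scanner, whose code this page does not include), the Python script below applies the two techniques the abstract names, pattern matching and data flow analysis, to a constructed Java class: it treats values returned by assumed source calls such as `getParameter` as untrusted, propagates that taint through `String` declarations and assignments, and reports assumed sink calls such as `executeQuery` whose argument is built from untrusted data. The sample Java class, the source and sink lists, and the regular expressions are all assumptions made for illustration. The last method in the sample validates its input at runtime before concatenating it and is still reported, which illustrates the limitation noted above; the `PreparedStatement` method with a `?` placeholder is not reported.

```python
"""Toy static SQL injection scanner for Java source.

Added example, not the thesis's scanner: regex pattern matching for sources and
sinks, plus a line-by-line forward taint (data flow) pass over String variables.
The source/sink lists, the regexes and the sample Java below are illustrative
assumptions, not real project code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Pattern matching: assumed calls that return untrusted input (sources) ...
SOURCE_RE = re.compile(r"\.(getParameter|getHeader|getQueryString|readLine|nextLine)\s*\(")
# ... and assumed JDBC/JPA calls that hand a string to the database (sinks).
SINK_RE = re.compile(r"\.(executeQuery|executeUpdate|execute|prepareStatement|createQuery)\s*\((.*)\)\s*;")
# Declarations/assignments that propagate taint: `String q = ...;`, `q = ...;`, `q += ...;`
ASSIGN_RE = re.compile(r"^\s*(?:(?:final\s+)?String\s+)?(\w+)\s*(\+?=)\s*(.+);\s*$")
# A method header: taint state is reset here (the toy has no inter-procedural analysis).
METHOD_RE = re.compile(r"^\s*(?:public|private|protected)\b.*\(.*\)[^;]*\{\s*$")
STRING_LIT_RE = re.compile(r'"(?:\\.|[^"\\])*"')
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


@dataclass
class Finding:
    line: int
    sink: str
    reason: str
    code: str


def taint_reason(expr: str, tainted: set[str]) -> str | None:
    """Why `expr` carries untrusted data, or None if it looks clean."""
    if SOURCE_RE.search(expr):
        return "untrusted source used directly"
    # Blank out string literals so words inside SQL text are not mistaken for variables.
    idents = set(IDENT_RE.findall(STRING_LIT_RE.sub('""', expr)))
    hits = sorted(idents & tainted)
    return f"tainted variable(s) {', '.join(hits)}" if hits else None


def scan_java(source: str) -> list[Finding]:
    """Flag sink calls whose argument is built from untrusted input."""
    findings: list[Finding] = []
    tainted: set[str] = set()
    for no, line in enumerate(source.splitlines(), 1):
        if METHOD_RE.match(line):
            tainted = set()
            continue
        m = ASSIGN_RE.match(line)
        if m:  # data flow: track which String variables are tainted
            name, op, rhs = m.groups()
            if taint_reason(rhs, tainted) or (op == "+=" and name in tainted):
                tainted.add(name)
            elif op == "=":
                tainted.discard(name)  # a clean reassignment kills the taint
        s = SINK_RE.search(line)
        if s:
            reason = taint_reason(s.group(2), tainted)
            if reason:
                findings.append(Finding(no, s.group(1), reason, line.strip()))
    return findings


# Constructed sample Java, not code from any real project.
SAMPLE_JAVA = r'''public class UserDao {
    public ResultSet findByNameDirect(Statement stmt, HttpServletRequest request) throws SQLException {
        return stmt.executeQuery("SELECT * FROM users WHERE name = '" + request.getParameter("name") + "'");
    }
    public ResultSet findByNameViaVariable(Statement stmt, HttpServletRequest request) throws SQLException {
        String name = request.getParameter("name");
        String q = "SELECT * FROM users WHERE name = '" + name + "'";
        return stmt.executeQuery(q);
    }
    public ResultSet findByNameSafe(Connection conn, HttpServletRequest request) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, request.getParameter("name"));
        return ps.executeQuery();
    }
    public ResultSet countUsers(Statement stmt) throws SQLException {
        return stmt.executeQuery("SELECT COUNT(*) FROM users");
    }
    public int deleteValidated(Statement stmt, HttpServletRequest request) throws SQLException {
        String id = request.getParameter("id");
        if (!id.matches("\\d+")) throw new IllegalArgumentException("bad id");
        return stmt.executeUpdate("DELETE FROM users WHERE id = " + id);
    }
}
'''

if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f.line}: {f.sink}() - {f.reason}\n    {f.code}")
```

Run stand-alone, the script reports lines 3, 8 and 21 of the sample: the direct concatenation, the concatenation that flows through the `name` and `q` variables, and the validated `id` whose regex check the scanner cannot see. The prepared statement and the constant query produce no finding. The taint state is reset at every method header, so a value passed between methods is not followed; that, like the regex-based parsing, is a simplification of this toy and not a property of the thesis's scanner.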
Recommended Citation
Zurita Rubin de Celis, Carla, "The Construction of a Static Source Code Scanner Focused on SQL Injection Vulnerabilities in Java" (2023). Theses, Dissertations and Culminating Projects. 1325.
https://digitalcommons.montclair.edu/etd/1325