{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T01:52:14Z","timestamp":1777773134271,"version":"3.51.4"},"reference-count":69,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2019,7,2]],"date-time":"2019-07-02T00:00:00Z","timestamp":1562025600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100006831","name":"United States Air Force","doi-asserted-by":"crossref","award":["FA8750-12-C-0174"],"award-info":[{"award-number":["FA8750-12-C-0174"]}],"id":[{"id":"10.13039\/100006831","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Program. Lang. Syst."],"published-print":{"date-parts":[[2019,9,30]]},"abstract":"\n The most dangerous security-related software errors, according to the OWASP Top Ten 2017 list, affect web applications. They are potential injection attacks that exploit user-provided data to execute undesired operations: database access and updates (\n SQL injection<\/jats:italic>\n ); generation of malicious web pages (\n cross-site scripting injection<\/jats:italic>\n ); redirection to user-specified web pages (\n redirect injection<\/jats:italic>\n ); execution of OS commands and arbitrary scripts (\n command injection<\/jats:italic>\n ); loading of user-specified, possibly heavy or dangerous classes at run time (\n reflection injection<\/jats:italic>\n ); access to arbitrary files on the file system (\n path-traversal<\/jats:italic>\n ); and storing user-provided data into heap regions normally assumed to be shielded from the outside world (\n trust boundary violation<\/jats:italic>\n ). All these attacks exploit the same weakness: unconstrained propagation of data from\n sources<\/jats:italic>\n that the user of a web application controls into\n sinks<\/jats:italic>\n whose activation might trigger dangerous operations. Although web applications are written in a variety of languages, Java remains a frequent choice, in particular for banking applications, where security has tangible relevance.\n <\/jats:p>\n \n This article defines a unified, sound protection mechanism against such attacks, based on the identification of all possible explicit flows of\n tainted<\/jats:italic>\n data in Java code. Such flows can be arbitrarily complex, passing through dynamically allocated data structures in the heap. The analysis is based on abstract interpretation and is interprocedural, flow-sensitive, and context-sensitive. Its notion of taint applies to reference (non-primitive) types dynamically allocated in the heap and is object-sensitive and field-sensitive. The analysis works by translating the program into Boolean formulas that model all possible data flows. Its implementation, within the Julia analyzer for Java and Android, found injection security vulnerabilities in the Internet banking service and in the customer relationship management of large Italian banks, as well as in a set of open-source third-party applications. It found the command injection, which is at the origin of the 2017 Equifax data breach, one of the worst data breaches ever. For objective, repeatable results, this article also evaluates the implementation on two open-source security benchmarks: the Juliet Suite and the OWASP Benchmark for the automatic comparison of static analyzers for cybersecurity. We compared this technique against more than 10 other static analyzers, both free and commercial. The result of these experiments is that ours is the only analysis for injection that is sound (up to well-stated limitations such as multithreading and native code) and works on industrial code, and it is also much more precise than other tools.\n <\/jats:p>","DOI":"10.1145\/3332371","type":"journal-article","created":{"date-parts":[[2019,7,2]],"date-time":"2019-07-02T12:50:33Z","timestamp":1562071833000},"page":"1-58","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":31,"title":["Static Identification of Injection Attacks in Java"],"prefix":"10.1145","volume":"41","author":[{"given":"Fausto","family":"Spoto","sequence":"first","affiliation":[{"name":"Universit\u00e0 di Verona, Italy and JuliaSoft Srl, Verona, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Elisa","family":"Burato","sequence":"additional","affiliation":[{"name":"JuliaSoft Srl, Verona, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michael D.","family":"Ernst","sequence":"additional","affiliation":[{"name":"University of Washington, Seattle, WA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Pietro","family":"Ferrara","sequence":"additional","affiliation":[{"name":"JuliaSoft Srl, Verona, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alberto","family":"Lovato","sequence":"additional","affiliation":[{"name":"Universit\u00e0 di Verona, Verona, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Damiano","family":"Macedonio","sequence":"additional","affiliation":[{"name":"JuliaSoft Srl, Verona, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ciprian","family":"Spiridon","sequence":"additional","affiliation":[{"name":"JuliaSoft Srl, Verona, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2019,7,2]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"H. R. Andersen. 1999. An introduction to binary decision diagrams. Retrieved from: http:\/\/configit.com\/configit_wordpress\/wp-content\/uploads\/2013\/07\/bdd-eap.pdf."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/2610384.2610403"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594299"},{"key":"e_1_2_1_4_1","volume-title":"Proceedings of the 30th European Conference on Object-Oriented Programming (ECOOP\u201916)","volume":"56","author":"Avgustinov P.","unstructured":"P. Avgustinov, O. de Moor, M. Peyton Jones, and M. Sch\u00e4fer. 2016. QL: Object-oriented queries on relational data. In Proceedings of the 30th European Conference on Object-Oriented Programming (ECOOP\u201916) (LIPIcs), Vol. 56. Schloss Dagstuhl\u2014Leibniz-Zentrum f\u00fcr Informatik, 2:1--2:25."},{"key":"e_1_2_1_5_1","volume-title":"Proceedings of the 30th IEEE\/ACM International Conference on Automated Software Engineering (ASE\u201915)","author":"Barros P.","unstructured":"P. Barros, R. Just, S. Millstein, P. Vines, W. Dietl, M. d\u2019Amorim, and M. D. Ernst. 2015. Static analysis of implicit control flow: Resolving Java reflection and Android intents (T). In Proceedings of the 30th IEEE\/ACM International Conference on Automated Software Engineering (ASE\u201915). 669--679."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1017\/S0960129512000850"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cl.2005.05.002"},{"key":"e_1_2_1_8_1","volume-title":"Content-type: Malicious\u2014New Apache Struts2 0-day under attack. Retrieved from: https:\/\/blog.talosintelligence.com\/2017\/03\/apache-0-day-exploited.html.","author":"Biasini N.","year":"2017","unstructured":"N. Biasini. 2017. Content-type: Malicious\u2014New Apache Struts2 0-day under attack. Retrieved from: https:\/\/blog.talosintelligence.com\/2017\/03\/apache-0-day-exploited.html."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/136035.136043"},{"key":"e_1_2_1_10_1","volume-title":"Proceedings of the 1st Italian Conference on Security (ITASEC\u201917)","author":"Burato E.","unstructured":"E. Burato, P. Ferrara, and F. Spoto. 2017. Security analysis of the OWASP benchmark with Julia. In Proceedings of the 1st Italian Conference on Security (ITASEC\u201917)."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0096-0551(02)00006-1"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/512950.512973"},{"key":"e_1_2_1_13_1","volume-title":"Proceedings of the International Symposium on Security in Computing and Communications (SSCC\u201914)","author":"Doshi J. C.","unstructured":"J. C. Doshi, M. Christian, and B. H. Trivedi. 2014. SQL FILTER\u2014SQL injection prevention and logging using dynamic network filter. In Proceedings of the International Symposium on Security in Computing and Communications (SSCC\u201914). 400--406."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-48899-7_10"},{"key":"e_1_2_1_15_1","volume-title":"Proceedings of the Privacy Forum, Revised Selected Papers (Lecture Notes in Computer Science)","volume":"11079","author":"Ferrara P.","unstructured":"P. Ferrara, L. Olivieri, and F. Spoto. 2018. Tailoring taint analysis to GDPR. In Proceedings of the Privacy Forum, Revised Selected Papers (Lecture Notes in Computer Science), Vol. 11079. Springer, 63--76."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC.2007.43"},{"key":"e_1_2_1_17_1","volume-title":"Proceedings of the Workshop on Information Technologies and Systems (WITS\u201904)","author":"Genaim S.","unstructured":"S. Genaim, R. Giacobazzi, and I. Mastroeni. 2004. Modeling secure information flow with Boolean functions. In Proceedings of the Workshop on Information Technologies and Systems (WITS\u201904), Peter Ryan (Ed.)."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30579-8_23"},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the Workshop on Formal Techniques for Java-like Programs (FTfJP\u201908)","author":"Genaim S.","unstructured":"S. Genaim and F. Spoto. 2008. Constancy analysis. In Proceedings of the Workshop on Formal Techniques for Java-like Programs (FTfJP\u201908), M. Huisman (Ed.). Radboud University."},{"key":"e_1_2_1_20_1","volume-title":"Proceedings of the Conference on Machine Learning for Programming Workshop, affiliated with FLoC\u201918","author":"H\u00e9lie J.","unstructured":"J. H\u00e9lie, I. Wright, and A. Ziegler. 2018. Measuring software development productivity: A machine learning approach. In Proceedings of the Conference on Machine Learning for Programming Workshop, affiliated with FLoC\u201918."},{"key":"e_1_2_1_21_1","unstructured":"Oracle Inc. 2019. Java Platform Enterprise Edition. Retrieved from: http:\/\/www.oracle.com\/technetwork\/java\/javaee\/overview\/index.html."},{"key":"e_1_2_1_22_1","unstructured":"Oracle Inc. 2019. JavaServer Pages Technology. Retrieved from: http:\/\/www.oracle.com\/technetwork\/java\/javaee\/jsp\/index.html."},{"key":"e_1_2_1_23_1","unstructured":"Pivotal Software Inc. 2019. Spring. Retrieved from: https:\/\/spring.io."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.04.007"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.04.005"},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the Asian Symposium on Programming Languages and Systems (APLAS\u201902)","author":"Kobayashi N.","unstructured":"N. Kobayashi and K. Shirane. 2002. Type-based information flow analysis for low-level languages. In Proceedings of the Asian Symposium on Programming Languages and Systems (APLAS\u201902)."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-014-0219-6"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.53"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.5555\/645395.651928"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","unstructured":"T. Lindholm F. Yellin G. Bracha and A. Buckley. 2013. The Java Virtual Machine Specification Java SE 7 Edition (1st ed.). Addison-Wesley Professional.","DOI":"10.5555\/2462629"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC.2013.42"},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the 40th IEEE Computer Software and Applications Conference (COMPSAC\u201916)","author":"Liu L.","unstructured":"L. Liu, J. Xu, H. Yang, C. Guo, J. Kang, S. Xu, B. Zhang, and G. Si. 2016. An effective penetration test approach based on feature matrix for exposing SQL injection vulnerability. In Proceedings of the 40th IEEE Computer Software and Applications Conference (COMPSAC\u201916). 123--132."},{"key":"e_1_2_1_33_1","volume-title":"Proceedings of the International Conference on Information Assurance and Security (IAS\u201914)","author":"Makiou A.","unstructured":"A. Makiou, Y. Begriche, and A. Serhrouchni. 2014. Improving web application firewalls to detect advanced SQL injection attacks. In Proceedings of the International Conference on Information Assurance and Security (IAS\u201914). 35--40."},{"key":"e_1_2_1_34_1","unstructured":"MITRE\/SANS. 2011. Top 25 most dangerous software errors. Retrieved from http:\/\/cwe.mitre.org\/top25."},{"key":"e_1_2_1_35_1","volume-title":"Proceedings of the National Computer Security Conference (NCSC\u201989)","author":"Mizuno M.","year":"1989","unstructured":"M. Mizuno. 1989. A least fixed point approach to inter-procedural information flow control. In Proceedings of the National Computer Security Conference (NCSC\u201989). 558--570. Retrieved from: citeseer.nj.nec.com\/mizuno89least.html."},{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the International Conference on Security of Information and Networks (SIN\u201914)","author":"Naghmeh Moradpoor Sheykhkanloo N. M.","year":"2014","unstructured":"N. M. Naghmeh Moradpoor Sheykhkanloo. 2014. Employing neural networks for the detection of SQL injection attack. In Proceedings of the International Conference on Security of Information and Networks (SIN\u201914). 318."},{"key":"e_1_2_1_37_1","unstructured":"National Institute of Standards and Technology. 2006. Juliet test suite for Java. Retrieved from: https:\/\/samate.nist.gov\/SRD\/testsuite.php."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2529990"},{"key":"e_1_2_1_39_1","unstructured":"NIST. 2017. CVE-2017-5638 detail. Retrieved from: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-5638."},{"key":"e_1_2_1_40_1","unstructured":"S. A. O\u2019Brien. 2017. Giant Equifax data breach: 143 million people could be affected. Retrieved from: http:\/\/money.cnn.com\/2017\/09\/07\/technology\/business\/equifax-data-breach\/index.html."},{"key":"e_1_2_1_41_1","unstructured":"OWASP. 2018. Benchmark. Retrieved from: https:\/\/www.owasp.org\/index.php\/Benchmark."},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/117954.117965"},{"key":"e_1_2_1_43_1","volume-title":"Proceedings of the International Conference on Smart Computing and Communication (SmartCom\u201918)","volume":"11344","author":"Panarotto F.","unstructured":"F. Panarotto, A. Cortesi, P. Ferrara, A. Mandal, and Spoto F. 2018. Static analysis of Android apps interaction with automotive CAN. In Proceedings of the International Conference on Smart Computing and Communication (SmartCom\u201918) (Lecture Notes in Computer Science), M. Qiu (Ed.), Vol. 11344. Springer, 114--123."},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.5555\/2391451.2391481"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2012.05.003"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.17706\/jcp.12.2.183-189"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0950-5849(98)00093-7"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/199448.199462"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2002.806121"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1011553200337"},{"key":"e_1_2_1_51_1","unstructured":"Gotham Digital Science. 2017. An Analysis of CVE-2017-5638. Retrieved from: https:\/\/blog.gdssecurity.com\/labs\/2017\/3\/27\/an-analysis-of-cve-2017-5638.html."},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1007\/11547662_22"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/HASE.2012.31"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2012.283"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-36563-8_15"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/351240.351244"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/SEFM.2008.8"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-53413-7_3"},{"key":"e_1_2_1_59_1","first-page":"316","article-title":"Inferential SQL injection attacks","volume":"18","author":"Stampar M.","year":"2016","unstructured":"M. Stampar. 2016. Inferential SQL injection attacks. I. J. Netw. Secur. 18, 2 (2016), 316--325.","journal-title":"I. J. Netw. Secur."},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/353171.353190"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-37057-1_15"},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/1543135.1542486"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/1094811.1094828"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.5555\/647476.727758"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.5555\/353629.353648"},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/1250734.1250739"},{"key":"e_1_2_1_67_1","unstructured":"J. Whaley. 2008. Java binary decision diagram library. Retrieved from: http:\/\/javabdd.sourceforge.net\/."},{"key":"e_1_2_1_68_1","volume-title":"Proceedings of the International Conference on Genetic and Evolutionary Computing (ICGEC\u201914)","author":"Wu T.-Y.","year":"2014","unstructured":"T.-Y. Wu, J.-S. Pan, C.-M. Chen, and C.-W. Lin. 2014. Towards SQL injection attacks detection mechanism using parse tree. In Proceedings of the International Conference on Genetic and Evolutionary Computing (ICGEC\u201914). 371--380."},{"key":"e_1_2_1_69_1","volume-title":"Proceedings of the International Symposium on Computing and Networking (CANDAR\u201916)","author":"Xiao L.","unstructured":"L. Xiao, S. Matsumoto, T. Ishikawa, and K. Sakurai. 2016. SQL injection attack detection method using expectation criterion. In Proceedings of the International Symposium on Computing and Networking (CANDAR\u201916). 649--654."}],"container-title":["ACM Transactions on Programming Languages and Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3332371","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3332371","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3332371","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:54:37Z","timestamp":1750204477000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3332371"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,7,2]]},"references-count":69,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,9,30]]}},"alternative-id":["10.1145\/3332371"],"URL":"https:\/\/doi.org\/10.1145\/3332371","relation":{},"ISSN":["0164-0925","1558-4593"],"issn-type":[{"value":"0164-0925","type":"print"},{"value":"1558-4593","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,7,2]]},"assertion":[{"value":"2017-06-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-05-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-07-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}