
Research On The Detection Technology For Vulnerability In Java Web Program Based On Regular Expression

Posted on: 2014-03-17
Degree: Master
Type: Thesis
Country: China
Candidate: C T Ye
Full Text: PDF
GTID: 2268330422464734
Subject: Computer technology
Abstract/Summary:
Many Web applications are exposed to attacks such as SQL injection and cross-site scripting (XSS) because they do not validate user input. In SQL injection the attacker constructs a precisely crafted malicious SQL fragment and submits it so that the database server is tricked into executing it; in XSS the attacker embeds a malicious script in the HTML of a Web page so that the client browser executes it, typically to steal cookies. The two attacks differ in their details, but they share one root cause: the lack of validation and filtering of user input.

Regular expressions are widely used to detect Web application vulnerabilities because of their simple form and expressive power. This thesis studies how to detect SQL injection and XSS vulnerabilities by taking a regular expression in its automaton form and intersecting it with the set of values a string can hold at a given program point; a non-empty intersection means that an attack string can reach that point. Detecting a vulnerability therefore needs two ingredients: an attack pattern, expressed as a regular expression constructed as precisely as possible, and a string manipulation library that simulates the program's string operations so that the value set of a string at each program point can be computed. Dependence information is extracted from the source code by static analysis; dependence analysis of each potentially vulnerable point then yields a vulnerable-point dependence graph, from which the value sets of strings at the relevant program points are obtained. Whether SQL injection or XSS is possible at a program point is then decided from the intersection of that value set with the attack pattern.

Finally, the system filters the characters of the attack string and reports a description of the problem together with proposed remediation, so that the program can be protected effectively. Experimental results show that, with carefully constructed regular expressions, an automata operation library and static analysis of the program, the majority of SQL injection and XSS vulnerabilities are detected accurately and handled effectively.
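Worked example of the core check described above, added here as an illustration and not taken from the thesis or its implementation: the possible values of a string at a sink and the attack pattern are both regular languages, and the sink is flagged when their intersection is non-empty. The example implements the regular operations, including the intersection, with Brzozowski derivatives, so no automaton is built explicitly and the emptiness check also produces a shortest attack string. The two Java sinks (`"SELECT * FROM users WHERE name='" + name + "'"` and `"<div>" + name + "</div>"`), the modelled sanitizers (`name.replace("'", "")`, `name.replace("<", "&lt;")`), the attack patterns `.*'[^']*' *OR.*` and `.*<script.*`, and the alphabets are all constructed for the demonstration; restricting each alphabet to the characters relevant to the sink is a simplification of the thesis' more elaborate patterns.

```python
"""Added example (not the thesis' code): the value set of a string at a Java Web sink and
an attack pattern are both regular languages; the sink is vulnerable iff they intersect.
Brzozowski derivatives implement union, concatenation, star and intersection directly,
and a BFS over derivatives is the emptiness check that also yields a shortest witness."""
from collections import deque
from dataclasses import dataclass
from functools import reduce
from typing import FrozenSet, Optional

class Re: pass                                    # regex AST node
@dataclass(frozen=True)
class Empty(Re): pass                             # empty language
@dataclass(frozen=True)
class Eps(Re): pass                               # {""}
@dataclass(frozen=True)
class Sym(Re): c: str                             # one character
@dataclass(frozen=True)
class Cat(Re): l: Re; r: Re                       # concatenation, kept right-associated
@dataclass(frozen=True)
class Alt(Re): rs: FrozenSet[Re]                  # union as a set (ACI-normalised)
@dataclass(frozen=True)
class Star(Re): r: Re                             # Kleene star
@dataclass(frozen=True)
class And(Re): rs: FrozenSet[Re]                  # intersection as a set (ACI-normalised)
EMPTY, EPS = Empty(), Eps()

def cat(a: Re, b: Re) -> Re:                      # smart constructors keep the derivative set finite
    if isinstance(a, Empty) or isinstance(b, Empty): return EMPTY
    if isinstance(a, Eps): return b
    if isinstance(b, Eps): return a
    return cat(a.l, cat(a.r, b)) if isinstance(a, Cat) else Cat(a, b)
def alt(*rs: Re) -> Re:
    s = {x for r in rs for x in (r.rs if isinstance(r, Alt) else (r,)) if not isinstance(x, Empty)}
    return EMPTY if not s else next(iter(s)) if len(s) == 1 else Alt(frozenset(s))
def and_(*rs: Re) -> Re:
    s = {x for r in rs for x in (r.rs if isinstance(r, And) else (r,))}
    if not s or any(isinstance(x, Empty) for x in s): return EMPTY
    return next(iter(s)) if len(s) == 1 else And(frozenset(s))
def star(r: Re) -> Re:
    if isinstance(r, (Empty, Eps)): return EPS
    return r if isinstance(r, Star) else Star(r)
def seq(*rs: Re) -> Re: return reduce(lambda acc, r: cat(r, acc), reversed(rs), EPS)
def lit(s: str) -> Re: return seq(*(Sym(c) for c in s))
def any_of(chars: str) -> Re: return alt(*(Sym(c) for c in chars))

def nullable(r: Re) -> bool:                      # is "" in L(r)?
    if isinstance(r, (Eps, Star)): return True
    if isinstance(r, Cat): return nullable(r.l) and nullable(r.r)
    if isinstance(r, Alt): return any(nullable(x) for x in r.rs)
    if isinstance(r, And): return all(nullable(x) for x in r.rs)
    return False
def deriv(r: Re, c: str) -> Re:                   # D_c(r) = {w | c w in L(r)}
    if isinstance(r, Sym): return EPS if r.c == c else EMPTY
    if isinstance(r, Cat):
        d = cat(deriv(r.l, c), r.r)
        return alt(d, deriv(r.r, c)) if nullable(r.l) else d
    if isinstance(r, Alt): return alt(*(deriv(x, c) for x in r.rs))
    if isinstance(r, And): return and_(*(deriv(x, c) for x in r.rs))
    if isinstance(r, Star): return cat(deriv(r.r, c), r)
    return EMPTY
def matches(r: Re, s: str) -> bool: return nullable(reduce(deriv, s, r))
def witness(r: Re, sigma: str, limit: int = 20000) -> Optional[str]:
    """Shortest string in L(r) over sigma, or None if L(r) is empty (lazy DFA emptiness check)."""
    seen, queue = {r}, deque([(r, "")])
    while queue:
        cur, s = queue.popleft()
        if nullable(cur): return s
        for c in sigma:
            nxt = deriv(cur, c)
            if not isinstance(nxt, Empty) and nxt not in seen:
                seen.add(nxt); queue.append((nxt, s + c))
        if len(seen) > limit: raise RuntimeError("derivative state bound exceeded")
    return None
def check(value: Re, attack: Re, sigma: str) -> Optional[str]:   # vulnerable iff a witness exists
    return witness(and_(value, attack), sigma)

# Constructed sink 1:  q = "SELECT * FROM users WHERE name='" + name + "'";  stmt.executeQuery(q)
SQL_SIGMA = "".join(sorted(set("SELECT * FROM users WHERE name='OR")))
def sql_sink(name: Re) -> Re: return seq(lit("SELECT * FROM users WHERE name='"), name, lit("'"))
def sql_attack(sigma: str) -> Re:                 # attack mode  .*'[^']*' *OR.*  (literal closed, then OR)
    no_quote = "".join(c for c in sigma if c != "'")
    return seq(star(any_of(sigma)), Sym("'"), star(any_of(no_quote)), Sym("'"),
               star(Sym(" ")), lit("OR"), star(any_of(sigma)))
# Constructed sink 2:  out.println("<div>" + name + "</div>")
XSS_SIGMA = "".join(sorted(set("<div></div>script")))
def xss_sink(name: Re) -> Re: return seq(lit("<div>"), name, lit("</div>"))
def xss_attack(sigma: str) -> Re:                 # attack mode  .*<script.*
    return seq(star(any_of(sigma)), lit("<script"), star(any_of(sigma)))
CASES = {  # point: (sink, attack pattern, alphabet, character removed by the modelled string operation)
    "sql_raw": (sql_sink, sql_attack, SQL_SIGMA, ""),       # name = request.getParameter("name")
    "sql_noquote": (sql_sink, sql_attack, SQL_SIGMA, "'"),  # name = name.replace("'", "")
    "xss_raw": (xss_sink, xss_attack, XSS_SIGMA, ""),
    "xss_nolt": (xss_sink, xss_attack, XSS_SIGMA, "<"),     # name = name.replace("<", "&lt;")
}
def analyse() -> dict:                            # raw input is Sigma*; a sanitizer removes one character
    return {k: check(sink(star(any_of("".join(c for c in sigma if c not in drop)))), attack(sigma), sigma)
            for k, (sink, attack, sigma, drop) in CASES.items()}
if __name__ == "__main__":
    for point, w in analyse().items():
        print(point, f"VULNERABLE, witness={w!r}" if w else "no attack string reachable")
```

Running the script reports a witness for the two unsanitized sinks (for the SQL sink, the shortest one is the query text with `'OR` in the place of `name`) and none for the two sanitized ones: the language of the escaped value no longer contains the character the pattern needs, so the product of the two automata has no accepting state. The witness also shows the check is sound only relative to the alphabet and the precision of the attack pattern, which is why the thesis stresses constructing the patterns as elaborately as possible.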
Keywords/Search Tags: Injection Attack, XSS Attack, Regular expression, Program vulnerability