Enhancing Java Web Application Security: Injection Vulnerability Detection via Interprocedural Analysis and Deep Learning
Authors: Bing Zhang; Xu Zhi; Meng Wang; Rong Ren; Jun Dong
DOI: 10.1109/TR.2024.3521381
Journal: IEEE Transactions on Reliability, vol. 74, no. 3, pp. 3642-3656 (Journal Article, published 2025-01-07; not open access)
URL: https://ieeexplore.ieee.org/document/10830291/
Injection attacks exploit vulnerabilities in how applications handle user input, allowing malicious code to infiltrate the execution environment of web applications, leading to severe consequences, such as data leaks and system crashes. Traditional dynamic and static detection methods suffer from limitations in manual rule or pattern design and intraprocedural analysis, lacking the capability to automatically learn complex features. Meanwhile, deep learning models encounter challenges, such as feature redundancy and inefficiency, in processing long code sequences. Here, we propose a prototype for detecting Injection Vulnerabilities in Java web applications based on Interprocedural analysis and the bidirectional encoder representations from transformers BERT-BiLSTM-CRF model (IVIB), effectively transforming vulnerability detection into text sequence annotation. IVIB employs interprocedural analysis to trace complete program data flow, control flow, method and class dependencies, reducing redundancy through a system dependency graph. Then, we develop intermediate language representation rules and conversion mechanisms specifically for Java programs, symbolically representing code snippets and annotating them to construct a corpus. IVIB achieves remarkable results, with over 96% accuracy, precision, recall, and F1-score in binary classification, surpassing other state-of-the-art models in multiclassification performance. Evaluation on real-world projects demonstrates IVIB's effectiveness, detecting 28 vulnerabilities out of 30 vulnerable slices with low false positives and no false negatives.
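The abstract describes three steps: trace data flow across method calls instead of within one method, cut the program down to the methods on the source-to-sink chain (the paper does this with a system dependency graph), and turn that slice into a symbolized token sequence whose tokens carry labels. The following Python script is an added illustration of those steps and is not the IVIB authors' code. It uses a deliberately small regex-based parser, a constructed Java snippet, assumed source and sink lists, and assumed symbol names (VAR_n, FUN_n, STR) and tags (SOURCE, SINK, TAINT, O); the paper's actual intermediate-language rules and tag set are not on this page.

```python
"""Added illustration (not the IVIB authors' code) of interprocedural taint
tracking, slicing to the methods on the source-to-sink chain, and symbolizing
that slice into a labelled token sequence. Everything below is assumed."""
import re
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# Constructed snippet: input enters handle() and reaches a JDBC sink two calls away.
JAVA_SRC = """
public void handle(HttpServletRequest req, Connection con) throws SQLException {
    String name = req.getParameter("name");
    lookup(con, name);
}
private void lookup(Connection con, String who) throws SQLException {
    String q = "SELECT * FROM users WHERE name = '" + who + "'";
    runQuery(con, q);
}
private void runQuery(Connection con, String sql) throws SQLException {
    ResultSet rs = con.createStatement().executeQuery(sql);
}
"""
SOURCES = {"getParameter", "getHeader", "getQueryString"}  # assumed list
SINKS = {"executeQuery", "executeUpdate", "execute"}        # assumed list

# Toy regex parser (one statement per line, closing brace in column 0, no nested call args).
METHOD_RE = re.compile(r"\w+\s+(\w+)\s*\(([^)]*)\)[^{]*\{(.*?)\n\}", re.S)
ASSIGN_RE = re.compile(r"^(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);$")
CALL_RE = re.compile(r"(\w+)\s*\(([^()]*)\)")
STRING_RE = re.compile(r'"[^"]*"')
TOKEN_RE = re.compile(r'"[^"]*"|\w+|[^\s\w]')
Chain = Tuple[str, ...]  # methods the taint has crossed, source method first
Method = namedtuple("Method", "name param_text params stmts local_vars")


def parse_methods(src: str) -> Dict[str, Method]:
    methods: Dict[str, Method] = {}
    for m in METHOD_RE.finditer(src):
        params = [p.split()[-1] for p in m.group(2).split(",") if p.strip()]
        stmts = [s.strip() for s in m.group(3).splitlines() if s.strip()]
        local_vars = [a.group(1) for a in map(ASSIGN_RE.match, stmts) if a]
        methods[m.group(1)] = Method(m.group(1), m.group(2), params, stmts, local_vars)
    return methods


def taint_of(expr: str, tainted: Dict[str, Chain]) -> Optional[Chain]:
    """Chain of the first tainted identifier in expr; string literals are ignored."""
    for ident in re.findall(r"\w+", STRING_RE.sub('""', expr)):
        if ident in tainted:
            return tainted[ident]
    return None


def find_flows(methods: Dict[str, Method]):
    """Worklist taint propagation across calls; returns sink hits and per-method taint."""
    entry: Dict[str, Dict[str, Chain]] = {n: {} for n in methods}  # taint via parameters
    tainted_in: Dict[str, Dict[str, Chain]] = {}
    findings: List[Tuple[Chain, str]] = []
    work = list(methods)
    while work:
        name = work.pop(0)
        tainted = tainted_in[name] = dict(entry[name])
        for stmt in methods[name].stmts:
            from_source = None
            for callee, args in CALL_RE.findall(stmt):
                arg_taint = [taint_of(a, tainted) for a in args.split(",") if a.strip()]
                if callee in SOURCES:
                    from_source = (name,)
                elif callee in SINKS and any(arg_taint):
                    hit = (next(c for c in arg_taint if c), stmt)
                    if hit not in findings:
                        findings.append(hit)
                elif callee in methods:  # carry taint into the callee's parameters
                    for param, chain in zip(methods[callee].params, arg_taint):
                        if chain and entry[callee].get(param) != chain + (callee,):
                            entry[callee][param] = chain + (callee,)
                            work.append(callee)
            assign = ASSIGN_RE.match(stmt)
            chain = assign and (from_source or taint_of(assign.group(2), tainted))
            if chain:
                tainted[assign.group(1)] = chain
    return findings, tainted_in


def slice_to_sequence(methods, tainted_in, chain: Chain) -> List[Tuple[str, str]]:
    """Slice = methods on the chain; symbolize user names and literals; tag each token."""
    fun_ids = {n: f"FUN_{i}" for i, n in enumerate(methods)}
    seq: List[Tuple[str, str]] = []
    for mname in chain:
        m = methods[mname]
        var_ids = {v: f"VAR_{i}" for i, v in enumerate(m.params + m.local_vars)}
        for tok in TOKEN_RE.findall(f"{mname}({m.param_text}) {{ {' '.join(m.stmts)} }}"):
            label = ("SOURCE" if tok in SOURCES else "SINK" if tok in SINKS
                     else "TAINT" if tok in tainted_in[mname] else "O")
            sym = "STR" if tok.startswith('"') else fun_ids.get(tok, var_ids.get(tok, tok))
            seq.append((sym, label))
    return seq


if __name__ == "__main__":
    methods = parse_methods(JAVA_SRC)
    findings, tainted_in = find_flows(methods)
    for chain, stmt in findings:
        print(" -> ".join(chain), "|", stmt)
        print(" ".join(f"{s}/{l}" for s, l in slice_to_sequence(methods, tainted_in, chain)))
```

Run as a script it prints the chain handle -> lookup -> runQuery with the sink statement, followed by the symbolized, labelled slice. The point to notice is that no single method in the snippet contains both a source and a sink, so an intraprocedural scanner reports nothing; the taint only becomes visible once parameter passing is followed. The symbolization is what keeps the corpus small and generalizable: project-specific identifiers and SQL text become VAR_n, FUN_n and STR, while API names such as getParameter and executeQuery, which are what the model must learn to associate, are kept verbatim. Real Java needs a proper parser (nested calls, fields, collections, string builders, framework sources) and a dependency graph rather than per-line regexes.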
Journal description:
IEEE Transactions on Reliability is a refereed journal for the reliability and allied disciplines including, but not limited to, maintainability, physics of failure, life testing, prognostics, design and manufacture for reliability, reliability for systems of systems, network availability, mission success, warranty, safety, and various measures of effectiveness. Topics eligible for publication range from hardware to software, from materials to systems, from consumer and industrial devices to manufacturing plants, from individual items to networks, from techniques for making things better to ways of predicting and measuring behavior in the field. As an engineering subject that supports new and existing technologies, we constantly expand into new areas of the assurance sciences.