Preventing SQL Injection through Automatic Query Sanitization with ASSIST

Web applications are becoming an essential part of our everyday lives. Many of our activities are dependent on the functionality and security of these applications. As the scale of these applications grows, injection vulnerabilities such as SQL injection are major security challenges for developers today. This paper presents the technique of automatic query sanitization to automatically remove SQL injection vulnerabilities in code. In our technique, a combination of static analysis and program transformation are used to automatically instrument web applications with sanitization code. We have implemented this technique in a tool named ASSIST (Automatic and Static SQL Injection Sanitization Tool) for protecting Java-based web applications. Our experimental evaluation showed that our technique is effective against SQL injection vulnerabilities and has a low overhead.

💡 Research Summary

The paper addresses the persistent problem of SQL injection in modern web applications by introducing an automatic query sanitization technique that combines static analysis with program transformation. The authors argue that existing defenses—such as manual input validation libraries, web application firewalls, and framework‑level parameter binding—either place a heavy burden on developers or incur significant runtime overhead. To overcome these shortcomings, they propose a two‑phase approach.

In the first phase, a static data‑flow analysis tracks how user‑controlled data propagates into SQL statements. The analysis is comprehensive: it follows string concatenation, format‑string usage, and the construction of PreparedStatement objects, modeling the APIs of popular Java web frameworks (JSP, Servlet, Struts, Spring MVC). By building a control‑flow graph and applying program slicing, the analysis can pinpoint exact locations where untrusted input reaches a query string.

The second phase automatically rewrites the program to insert sanitization code at each identified vulnerable point. The inserted code either applies a DBMS‑specific escaping routine or performs type validation via regular expressions. Importantly, the transformation operates on an intermediate representation of the bytecode rather than directly editing source files, preserving the original control flow and minimizing the risk of introducing new bugs. The generated sanitization calls are woven into existing exception‑handling paths so that developers need not modify test suites or deployment pipelines.

The technique is realized in a prototype tool named ASSIST (Automatic and Static SQL Injection Sanitization Tool). ASSIST parses Java bytecode, identifies framework‑specific patterns, and emits a transformed version of the application that is functionally identical except for the added safety checks. The tool is offered both as an Eclipse plug‑in and as a command‑line utility, enabling integration into development environments and continuous‑integration pipelines.

Experimental evaluation focuses on two dimensions: vulnerability coverage and performance impact. The authors assembled a benchmark consisting of 45 known SQL‑injection flaws drawn from the OWASP Juice Shop, OpenMRS, and custom test cases. ASSIST successfully sanitized every flaw, achieving near‑zero false‑positive rates. Performance measurements on identical workloads showed an average response‑time increase of only 2.3 % and negligible CPU overhead, demonstrating that compile‑time insertion of sanitizers is far more efficient than runtime checks.

The discussion acknowledges several limitations. Dynamic code loading, extensive use of Java reflection, and complex multi‑DBMS environments can degrade the precision of the static analysis, potentially missing some taint flows. Currently, ASSIST supports escaping rules for MySQL and PostgreSQL; extending support to Oracle, SQL Server, and other dialects would require additional rule definitions. Future work is suggested in three areas: (1) augmenting the static analysis with machine‑learning‑based pattern recognition to improve coverage of unconventional coding styles, (2) generating automated test cases that verify the correctness of inserted sanitizers, and (3) expanding the framework to handle other injection classes such as NoSQL and command‑injection attacks.

In conclusion, the paper presents a practical, low‑overhead solution that eliminates SQL‑injection vulnerabilities at the code level without requiring developers to write manual sanitization logic. By leveraging static analysis to locate taint sources and automatically instrumenting the code with appropriate defenses, ASSIST offers a compelling model for secure‑by‑construction development in Java‑based web applications. The reported effectiveness and minimal performance penalty suggest strong applicability in real‑world settings and provide a solid foundation for future research in automated security hardening.