Hybrid taint analysis for Java EE

SAC '20: The 35th ACM/SIGAPP Symposium on Applied Computing, Brno, Czech Republic, March 2020

Abstract
We present a new approach to protect Java EE web applications against injection attacks, which can handle large commercial systems. We first describe a novel approach to taint analysis for Java EE, which can be characterized by "strings only", "taint ranges", and "no bytecode instrumentation". We then explain how to combine this method with static analysis, based on the JOANA IFC framework. The resulting hybrid analysis will boost scalability and precision, while guaranteeing protection against XSS. The approach has been implemented in the Juturna tool; application examples and measurements are discussed.
Keywords
Injection attacks, XSS, Java EE, Taint Analysis, Information Flow Control