AI-Powered CodeBuddy Uncovers and Fixes Real SQL Injection and XSS Bugs

This article walks through two real-world security flaws—a high‑risk SQL injection and a medium‑risk stored XSS—showing how the CodeBuddy AI assistant can automatically detect, analyze, and remediate them with prepared statements and CSP enhancements, while explaining the underlying concepts and best practices.

Wukong Talks Architecture

Background

The company rewards developers with cash bonuses for discovering high‑severity vulnerabilities during crowd‑testing, which motivates thorough security reviews before release. Two real incidents—an SQL injection and a stored XSS—are used to demonstrate how the CodeBuddy AI coding assistant can accelerate vulnerability detection and remediation.

Installing CodeBuddy Plugin in IDEA

Search for the CodeBuddy plugin in IntelliJ IDEA, install it, restart the IDE, and log in to start using the AI features.

Case Study 1: SQL Injection Vulnerability

3.1 Comprehensive Code Analysis

Feed the backend source files to CodeBuddy. The assistant scans for common security issues such as SQL injection, permission checks, input validation, sensitive data handling, resource management, and exception handling.

3.2 Identified Issues

Severe SQL injection caused by concatenating the updateTime parameter directly into the query.

Insufficient input validation.

Improper exception handling.

Additional problems:

Use of the reserved word order as a table name.

Lack of permission verification.

Absence of prepared statements.

3.3 Exploiting the SQL Injection

CodeBuddy highlights that the vulnerable line builds the SQL string by appending user input, enabling attacks such as ' OR '1'='1 (returns all rows), '; DROP TABLE bd_material; -- (drops a table), and '; UPDATE bd_material SET dr=1; -- (modifies data).

3.4 Fix with Prepared Statements

// Use a prepared statement: the SQL text stays fixed and updateTime is bound as a parameter
// instead of being concatenated into the string.
// Note: order is a reserved word (flagged in 3.2); the table should be quoted or renamed.
String sql = "select * from order where status = 0 and updateTime > ?";
List<Map<String,String>> list = (List<Map<String,String>>) new BaseDAO()
    .executeQuery(sql, new MapListProcessor(), new Object[]{updateTime});

The prepared statement separates the SQL structure from the parameter values, preventing injection.

3.5 How Prepared Statements Prevent Injection

Prepared statements compile the SQL template with placeholders (e.g., ? ) once, then bind parameter values separately, ensuring the query structure cannot be altered by malicious input.

Workflow: compile template → generate execution plan → bind parameters.

String concatenation mixes data with code, allowing injection.

Prepared statements keep the query fixed and treat parameters as data only.
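To make the difference concrete, here is an added example (not code from the article or from CodeBuddy) that runs the vulnerable concatenation and the prepared-statement fix side by side against an in-memory SQLite table. The table is named orders and the rows are constructed; the validation step is an extra layer the article only mentions as "insufficient input validation".

```python
import sqlite3
from datetime import datetime

# Constructed sample rows standing in for the article's order table; it is called
# orders here because order is a reserved word (one of the issues flagged in 3.2).
SAMPLE_ROWS = [
    (1, 0, "2024-03-01 10:00:00"),
    (2, 0, "2024-03-05 10:00:00"),
    (3, 1, "2024-03-06 10:00:00"),  # status != 0: a correct query never returns it
]


def make_db():
    """Create an in-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table orders (id integer, status integer, updateTime text)")
    conn.executemany("insert into orders values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, update_time):
    """The flawed pattern: user input spliced into the SQL text."""
    sql = ("select id from orders where status = 0 and updateTime > '"
           + update_time + "' order by id")
    return [row[0] for row in conn.execute(sql)]


def query_prepared(conn, update_time):
    """The fix: a fixed SQL template; the value is bound as data only."""
    sql = "select id from orders where status = 0 and updateTime > ? order by id"
    return [row[0] for row in conn.execute(sql, (update_time,))]


def query_prepared_validated(conn, update_time):
    """Defence in depth: reject anything that is not a timestamp before binding."""
    datetime.strptime(update_time, "%Y-%m-%d %H:%M:%S")  # raises ValueError otherwise
    return query_prepared(conn, update_time)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concatenated:", query_vulnerable(db, payload))  # [1, 2, 3]: status filter bypassed
    print("prepared:    ", query_prepared(db, payload))    # [1, 2]: query structure intact
```

With the tautology payload the concatenated query returns the status=1 row because the WHERE clause was rewritten, while the bound parameter is merely compared as a string and the status filter still applies.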

3.6 Performance Benefits

The SQL is compiled only once.

The execution plan can be reused.

Database parsing overhead is reduced.

Case Study 2: Stored XSS Vulnerability

4.1 XSS Overview

Cross‑Site Scripting (XSS) injects malicious scripts into web pages. Three main types exist:

Stored XSS : Malicious script is saved on the server (e.g., in a database) and executed every time the page is viewed.

Reflected XSS : Script is reflected from the request back to the browser without being stored.

DOM‑based XSS : Attack occurs entirely on the client side by manipulating the DOM.

4.2 Simulated Stored XSS Attack

A tester uploads a base64‑encoded "image" whose decoded content is the payload <body onload=alert(1)>. When the front‑end decodes the upload and inserts it into the page as HTML rather than treating it as image data, the onload handler fires and an alert box appears.

<body onload=alert(1)>

4.3 CodeBuddy Detection and Fix

CodeBuddy flags the file /Users/wukong/Documents/test.html as containing a potential XSS issue.

The suggested remediation adds a proper HTML5 document structure, declares a Content‑Security‑Policy through a meta tag, and enforces referrer and image source restrictions:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' data:">

After applying the changes, the inline onload handler no longer runs: the policy has no script-src, so the browser falls back to default-src 'self', which contains no 'unsafe-inline', and the XSS is eliminated.
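The policy works because of CSP's fallback rule: inline event handlers are governed by script-src-attr, which falls back to script-src and then to default-src. The following added example (not from the article or CodeBuddy; the function names are mine) encodes that rule so a policy can be checked before it ships; the weak policy is constructed for contrast.

```python
# Fallback chain from CSP3 for the directives this page cares about.
FALLBACK = {
    "script-src-attr": "script-src",   # governs inline event handlers such as onload
    "script-src": "default-src",
    "img-src": "default-src",
}


def parse_csp(policy):
    """Split a policy string into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """Walk the fallback chain; None means no directive applies (unrestricted)."""
    while name not in directives and name in FALLBACK:
        name = FALLBACK[name]
    return directives.get(name)


def allows_inline_handlers(policy):
    """True if the policy lets inline event-handler attributes execute."""
    sources = effective_sources(parse_csp(policy), "script-src-attr")
    if sources is None:
        return True
    if "'unsafe-inline'" not in sources:
        return False
    # A nonce or hash source in the same list makes browsers ignore 'unsafe-inline'.
    return not any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)


def allows_data_images(policy):
    """True if data: URIs (the base64 image in the article) may load as images."""
    sources = effective_sources(parse_csp(policy), "img-src")
    return sources is None or "data:" in sources


ARTICLE_POLICY = "default-src 'self'; img-src 'self' data:"                  # policy from 4.3
WEAK_POLICY = "default-src 'self' 'unsafe-inline'; img-src 'self' data:"     # constructed contrast

if __name__ == "__main__":
    print("article policy allows onload=:", allows_inline_handlers(ARTICLE_POLICY))  # False
    print("weak policy allows onload=:   ", allows_inline_handlers(WEAK_POLICY))     # True
```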

Conclusion

Using CodeBuddy, the team quickly identified and fixed a severe SQL injection by switching to prepared statements, and mitigated a stored XSS flaw by enforcing strict CSP and sanitizing HTML output. The walkthrough demonstrates how AI‑assisted code review can improve both security and performance.

Tags: SQL Injection, XSS, security automation, AI code review, Content Security Policy, Prepared Statements, CodeBuddy
Written by

Wukong Talks Architecture

Explaining distributed systems and architecture through stories. Author of the "JVM Performance Tuning in Practice" column, open-source author of "Spring Cloud in Practice PassJava", and independently developed a PMP practice quiz mini-program.
