Static Identification of Injection Attacks in Java