
Slide 1: Taint 2.0 (taint analysis on steroids)
Dr. Yinnon Haviv, IBM, Watchfire, yinnonh@il.ibm.com, 10.9.2009
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Slide 2: Web Application Security Scanners
(diagram; labels: BB, WB)

Slide 3: Taint Analysis
- Sources:
- Sinks:
- Sanitizers:
- Many injection issues: SQLi, XSS, LogForging, PathTraversal, Remote code execution ...
- Information leakage issues

Slide 4: What users want
- Run tool
- Get accurate results

Slide 5: What users often get...
Top complaints from users of static analysis tools:
- #1: Lots of false positives
- #2: Configuration of sanitizers is time consuming
(diagram: Run tool -> Get lots of false positives -> Define user-defined sanitizers -> Get accurate results)
- String Analysis solves this by "understanding" what sanitizers do, without configuration

Slide 6: String Analysis Technology
- The next generation of static analyzer technology
- Detects the range of possible values a string can take at the point of use
(diagram: input .* -> output [^;']*)

Slide 7: There's more!

Slide 8: String Analysis can do MORE!
- Inline validation
- Validation methods
- Inline sanitization

Slide 9: Summary of Customer Value
- User defined sanitizers? Automatically detected / validated
- Validation methods? Automatically detected
- Inline sanitization / validation? Detected in place, no need for refactoring
- The bottom line: greater accuracy out-of-the-box, less configuration, more reliable results, easier to use

Slide 10: There's more!

Slide 11: What if your custom sanitizer is incomplete?
- You wrote your own XSS sanitizer, but you forgot to handle certain characters
- You THINK it works correctly, so you tell your analyzer that this is your sanitizer
- Your analyzer trusts you and does not report an issue
- But in fact, you do have a serious vulnerability!
- With String Analysis, the analyzer doesn't "trust you"; it is smart enough to understand on its own whether or not the sanitizer is doing everything it should be doing
(code screenshot, captioned: Do you trust this code???)

Slide 12: Under the Hood
- Tracking conditions, e.g. ch != ' ' && ch != '"', ch == '<', ch == '>', ch == '"'
- Describing invariants on variables' values (public knowledge):
  - RegExp (JSA)
  - CFG (Minamide)
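To make the idea on slides 6, 11 and 12 concrete, here is an added example (not code from the OWASP deck or from IBM's analyzer): a toy string analysis that abstracts each string as the set of characters it may contain, pushes that set through a sanitizer modelled as per-character conditions, and reports which sink-forbidden characters the sanitizer can still let through. The character-set domain is deliberately coarse: it ignores ordering and cannot reason about escaping sequences, so it only models filtering-style sanitizers, where real tools use regular-expression or CFG domains; the sink policies and sanitizers below are constructed for the example.

```python
# Added example (not code from the OWASP deck or IBM's analyzer): a toy string
# analysis over a character-set abstraction. A string is abstracted as the set
# of characters it MAY contain; a sanitizer is a list of per-character rules
# (the "ch == '<'" style conditions from the slides).
from typing import Callable, FrozenSet, List, Tuple

ALPHABET = frozenset(chr(c) for c in range(32, 127))
ANY = ALPHABET  # abstract value of untrusted input: ".*" over the alphabet

# A sanitizer step is ("drop", pred): characters matching pred are removed,
# or ("keep", pred): only matching characters survive (a whitelist validator).
Step = Tuple[str, Callable[[str], bool]]

def transfer(may: FrozenSet[str], step: Step) -> FrozenSet[str]:
    """Abstract transfer function: which characters may survive this step."""
    kind, pred = step
    if kind == "drop":
        return frozenset(c for c in may if not pred(c))
    if kind == "keep":
        return frozenset(c for c in may if pred(c))
    raise ValueError(f"unknown step kind {kind!r}")

def analyze(sanitizer: List[Step], forbidden: FrozenSet[str],
            may: FrozenSet[str] = ANY) -> str:
    """Return the sink-forbidden characters the sanitizer can still let through.
    Empty means the analyzer accepts the sanitizer on its own evidence rather
    than on the user's say-so; non-empty is a reportable finding."""
    for step in sanitizer:
        may = transfer(may, step)
    return "".join(sorted(may & forbidden))

# Sink policies (constructed for this example): characters a sink must not see raw.
HTML_TEXT_SINK = frozenset('<>&')
HTML_ATTR_SINK = frozenset('<>&"\'')
SQL_LITERAL_SINK = frozenset("';")  # the "[^;']*" output language from slide 6

# The deck's scenario: a hand-written XSS sanitizer that strips tags but forgets quotes
incomplete_xss: List[Step] = [("drop", lambda ch: ch == '<' or ch == '>')]
# The same sanitizer once the missing characters are handled
complete_xss: List[Step] = [("drop", lambda ch: ch in '<>&"\'')]
# A whitelist validator: only letters and digits survive, so every sink is satisfied
alnum_validator: List[Step] = [("keep", str.isalnum)]

if __name__ == "__main__":
    sinks = [("html_text", HTML_TEXT_SINK), ("html_attr", HTML_ATTR_SINK), ("sql", SQL_LITERAL_SINK)]
    for name, san in [("incomplete_xss", incomplete_xss), ("complete_xss", complete_xss),
                      ("alnum_validator", alnum_validator)]:
        for sink_name, sink in sinks:
            leak = analyze(san, sink)
            verdict = "OK" if not leak else f"may leak {leak!r}"
            print(f"{name:16} -> {sink_name:9}: {verdict}")
```

Running it shows the incomplete sanitizer flagged for every HTML sink without anyone having configured it as trusted, which is the "doesn't trust you" behaviour the deck describes.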

Slide 13: The Challenges - An example from WebGoat
- A well designed sanitizer:
(code screenshot, captioned: Do you trust this code???)

Slide 14: The Future
- Exploit generation: generating an exploit "proves" the vulnerability exists
(diagram: input ...%43&alert(1)%23... -> Incorrect Sanitizer -> userName = alert(1), clean = alert(1))

Slide 15: Summary - Advantages of String Analysis
- World's smartest static analyzer
  - No need to define what the sanitizers are
  - Understands inline sanitization
  - Understands validators
  - Can verify your sanitizers really do what they're supposed to
- What this means for you
  - Greater accuracy out-of-the-box
  - Less configuration
  - More reliable results
  - Easier to use
(logo: IBM Tokyo Research Lab)

Slide 16: Q&A
