Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Slide 1: Taint 2.0 (taint analysis on steroids)
Dr. Yinnon Haviv, IBM, Watchfire
Slide 2: Web Application Security Scanners
Two approaches: BB (black-box) and WB (white-box) scanning.
Slide 3: Taint Analysis
- Sources
- Sinks
- Sanitizers
Covers many injection issues: SQLi, XSS, log forging, path traversal, remote code execution, ...
Also covers information leakage issues.
Slide 4: What users want
Run tool -> Get accurate results
Slide 5: What users often get...
Top complaints from users of static analysis tools:
- #1: Lots of false positives
- #2: Configuration of sanitizers is time consuming
Typical workflow: Run tool -> Get lots of false positives -> Define user-defined sanitizers -> Get accurate results
String Analysis solves this by "understanding" what sanitizers do, without configuration.
Slide 6: String Analysis Technology
- The next generation of static analyzer technology
- Detects the range of possible values a string can take at the point of use
Example: the input matches .* ; the output reaching the sink matches [^;']*
Slide 7: There's more!
Slide 8: String Analysis can do MORE!
- Inline validation
- Validation methods
- Inline sanitization
Slide 9: Summary of Customer Value
User defined sanitizers?           -> Automatically detected / validated
Validation methods?                -> Automatically detected
Inline sanitization / validation?  -> Detected in place; no need for refactoring
The bottom line: greater accuracy out-of-the-box, less configuration, more reliable results, easier to use.
Slide 10: There's more!
Slide 11: What if your custom sanitizer is incomplete?
- You wrote your own XSS sanitizer, but you forgot to handle certain characters
- You THINK it works correctly, so you tell your analyzer that this is your sanitizer
- Your analyzer trusts you and does not report an issue
- But in fact, you do have a serious vulnerability!
- With String Analysis, the analyzer doesn't "trust you"; it is smart enough to understand on its own whether or not the sanitizer is doing everything it should be doing
Do you trust this code???
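As an added illustration (not from the slides), the following Python models the idea behind slides 6 and 11 with a toy character-class abstraction: a string value is the set of characters it may contain, written in the slide's [^;']* notation, and the analyzer checks the sanitizer's output against the sink's forbidden characters instead of trusting a configured "this is my sanitizer" label. The sanitizer behaviours and the sink rules (an SQL sink rejecting ; and ', an HTML attribute sink rejecting < > " ') are assumptions for the example; real string analyzers such as JSA and Minamide's track regular or context-free languages, which are far more precise than this domain.

```python
import re
import string

# Concrete alphabet standing in for the slide's ".*": every printable ASCII char.
ALPHABET = frozenset(string.printable)

# Abstract value: the set of characters a string MAY contain at a program point.
# This character-class domain is a deliberate simplification of the regular
# (JSA) and context-free (Minamide) languages real string analyzers track.

def abstract_remove(may_contain, removed):
    """Model a sanitizer that deletes characters: they can no longer appear."""
    return frozenset(may_contain) - frozenset(removed)

def abstract_replace(may_contain, old, new):
    """Model a sanitizer replacing `old` with `new` (e.g. '<' -> '&lt;')."""
    out = set(may_contain)
    if old in out:
        out.discard(old)
        out |= set(new)          # replacement text becomes reachable
    return frozenset(out)

def abstract_to_regex(may_contain):
    """Render the abstract value in the slide's notation, e.g. [^;']* ."""
    forbidden = sorted(ALPHABET - may_contain)
    if not forbidden:
        return ".*"
    return "[^" + "".join(re.escape(c) for c in forbidden) + "]*"

def check_sink(may_contain, sink_forbidden):
    """Forbidden characters that can still reach the sink; empty list = clean."""
    return sorted(frozenset(sink_forbidden) & frozenset(may_contain))

def sql_sanitizer_finding():
    """Slide 6: input .* through a sanitizer stripping ; and ' gives [^;']*."""
    out = abstract_remove(ALPHABET, ";'")
    return abstract_to_regex(out), check_sink(out, ";'")

def incomplete_xss_sanitizer_finding():
    """Slide 11 scenario (assumed sanitizer): encodes < and > but forgets quotes.
    The sink is an assumed HTML attribute context that must never see < > " '."""
    out = abstract_replace(ALPHABET, "<", "&lt;")
    out = abstract_replace(out, ">", "&gt;")
    return abstract_to_regex(out), check_sink(out, "<>\"'")

if __name__ == "__main__":
    print("SQL sanitizer :", sql_sanitizer_finding())    # ("[^';]*", [])
    print("XSS sanitizer :", incomplete_xss_sanitizer_finding())
```

The second result still lists the two quote characters, which is exactly the finding a trusting, configuration-driven analyzer would have suppressed.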
Slide 12: Under the Hood
- Tracking conditions, e.g. ch != ' ' && ch != '"', ch == '<', ch == '>', ch == '"'
- Describing invariants on variable values: RegExp (JSA, the Java String Analyzer), CFG (context-free grammars, Minamide); public knowledge
Slide 13: The Challenges: an example from WebGoat
A well designed sanitizer: Do you trust this code???
Slide 14: The Future: exploit generation
- Generating an exploit "proves" the vulnerability exists
- Example against an incorrect sanitizer: userName = alert(1), clean = alert(1), generated request fragment ...%43&alert(1)%23...
Slide 15: Summary: Advantages of String Analysis
- World's smartest static analyzer
- No need to define what the sanitizers are
- Understands inline sanitization
- Understands validators
- Can verify your sanitizers really do what they're supposed to
What this means for you: greater accuracy out-of-the-box, less configuration, more reliable results, easier to use.
IBM Tokyo Research Lab
Slide 16: Q&A