Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP Taint 2.0 (taint analysis on steroids) Dr. Yinnon Haviv IBM, Watchfire

OWASP 2 Web Application Security Scanners BB WB

OWASP 3 Taint Analysis Sources: Sinks : Sanitizers: Many injection issues: SQLi, XSS, LogForging, PathTraversal, Remote code execution … Information leakage issues

OWASP 4 What users want Run tool Get accurate results

OWASP 5 What users often get… Top complaints from users of static analysis tools: #1: Lots of false positives #2: Configuration of sanitizers is time consuming Get lots of false positives Define user-defined sanitizers  String Analysis solves this by “understanding” what sanitizers do, without configuration Run tool Get accurate results

OWASP 6 String Analysis Technology  The next generation of static analyzer technology  Detects range of possible values a string can get at point of use input .* output  [^;’]*

OWASP 7 There’s more!

OWASP 8 String Analysis can do MORE ! Inline validation Validation methods Inline Sanitization

OWASP 9 Summary of Customer Value  User defined sanitizers?  Validation methods?  Inline sanitization / validation?  The bottom line  Greater accuracy out-of-the-box  Less configuration  More reliable results  Easier to use Automatically detected / validated Automatically detected Detected in place No need for refactoring

OWASP 10 There’s more!

OWASP 11 What if your custom sanitizer is incomplete?  You wrote your own XSS sanitizer, but you forgot to handle certain characters  You THINK it works correctly, so you tell your analyzer that this is your sanitizer  Your analyzer trusts you and does not report an issue  But in fact, you do have a serious vulnerability!  With String Analysis, the analyzer doesn’t “trust you”; it is smart enough to understand on its own whether or not the sanitizer is doing everything it should be doing Do you trust this code ???

OWASP 12 Under the Hood  Tracking conditions  Describing invariants on variables values  RegExp (JSA)  CFG (Minamide) ch != ‘ ‘ && ch != ‘”‘ ch == ‘<‘ch == ‘>‘ch == ‘”‘ – Public knowledge

OWASP 13 The Challenges - An example from WebGoat A well designed sanitizer : Do you trust this code ???

OWASP 14 …%43&alert(1)%23… The Future  Generating an exploit “proves” vulnerability exists alert(1) Incorrect Sanitizer userName = alert(1) clean = alert(1) - Exploit generation

OWASP 15 Summary - Advantages of String Analysis  World’s smartest static analyzer No need to define what the sanitizers are Understands inline sanitization Understands validators Can verify your sanitizers really do what they’re supposed to  What this means for you  Greater accuracy out-of-the-box  Less configuration  More reliable results  Easier to use IBM Tokyo Research Lab

OWASP 16 Q&A ?  !