[OWASP-Security101] dynamic taint propagation project started

Christof Dallermassl christof.dallermassl at unycom.com
Fri Sep 21 21:40:42 UTC 2012


Hi all,

Over the last month I have been working on securing a web application against SQL injection and cross-site scripting. I thought for a while about whether static source code analysis could help to detect all security flaws, but finally decided that in our special case this approach would not work well.

So I decided to check the system at runtime: try to find "tainted" data (e.g. from user input = source) and follow it through the system until it is used in an SQL statement or in the content of the web page (= sink) without being sanitized (taint removed).

I found some interesting papers, but no implementation for it, so I gave it a try myself. My project is far from being finished, but works quite well. And it is open source :-)

Short intro:
* every java.lang.String can be tainted or clean. This state will be propagated even if the string is modified, appended to another string, cut in pieces, etc.
* strings that are retrieved from defined sources will be tainted.
* specially defined sanitization methods will remove the tainted flag from a string (e.g. encodeForHtml in the ESAPI library)
* if a tainted string enters a defined sink method, a warning is printed or a security exception is thrown.

There are lots of ideas for how to improve the project, but I am very interested in hearing your opinion about it in its early stage!

Have fun with https://github.com/cdaller/security_taint_propagation and do not hesitate to ask if there are problems.
Christof
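
The four rules in the short intro above, as an added example that is not part of the original post and is not code from the linked project. A wrapper class stands in for a taint-aware java.lang.String, and every name in it (TaintDemo, TStr, fromRequest, literal, writeToPage, and this minimal encodeForHtml) is hypothetical:

```java
// Added illustration of source / propagation / sanitizer / sink.
public class TaintDemo {
    /** A string value plus a taint flag (assumed stand-in for a taint-aware String). */
    static final class TStr {
        final String value;
        final boolean tainted;
        TStr(String value, boolean tainted) { this.value = value; this.tainted = tainted; }

        // Propagation: the result is tainted if either operand is tainted.
        TStr concat(TStr other) { return new TStr(value + other.value, tainted || other.tainted); }

        // Propagation: a piece cut out of a tainted string stays tainted.
        TStr substring(int begin, int end) { return new TStr(value.substring(begin, end), tainted); }
    }

    // Source: everything read from user input starts out tainted.
    static TStr fromRequest(String raw) { return new TStr(raw, true); }

    // String literals written by the developer are clean.
    static TStr literal(String s) { return new TStr(s, false); }

    // Sanitizer: HTML-encodes the value and returns it with the flag cleared.
    static TStr encodeForHtml(TStr in) {
        String s = in.value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                           .replace("\"", "&quot;").replace("'", "&#x27;");
        return new TStr(s, false);
    }

    // Sink: refuses any string that still carries the taint flag.
    static String writeToPage(TStr html) {
        if (html.tainted) {
            throw new SecurityException("tainted string reached HTML sink");
        }
        return html.value;
    }

    public static void main(String[] args) {
        TStr name = fromRequest("<b>Bob</b>"); // constructed sample input

        // Sanitized before the sink: accepted, markup arrives encoded.
        TStr safe = literal("<p>Hello ").concat(encodeForHtml(name)).concat(literal("</p>"));
        System.out.println(writeToPage(safe));

        // Only a substring is used, but the flag has propagated: rejected.
        TStr unsafe = literal("<p>Hello ").concat(name.substring(0, 3)).concat(literal("</p>"));
        try {
            writeToPage(unsafe);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```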


