To get a trial key
fill out the form below
Team License (a basic version)
Enterprise License (extended version)
* By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
USD
EUR
GBP
RUB
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
>
Taint analysis (taint checking)

Taint analysis (taint checking)

Aug 17 2021

Taint analysis (taint checking) is a technology that allows us to track unverified external data distribution across the program during its operation. If such data gets into code key points, this situation can lead to various vulnerabilities, including SQL injection, cross-site scripting (XSS), path traversal and others. Attackers may use these vulnerabilities to disrupt the correct system operation, obtain confidential data or conduct other unauthorized operations.

Taint sources

The primary concept in this topic is tainted data. This term refers to some values that an attacker can use for unauthorized and malicious operations when interacting with the system. Depending on how external data is used, an application may be vulnerable to various attacks. For example, an application may be vulnerable to SQL injections if it uses unverified external data to form database queries.

Thus, external data may be potentially tainted. Taint sources are locations where an application gets access to potentially tainted data. For example, a taint source can be an operation of getting the value of an HTTP request parameter:

void ProcessRequest(HttpRequest request)
{
  ....
  string name = request.Form["name"]; // taint source
  // now "name" contains potentially tainted data
  ....
}

Tainted data transmission

An important aspect of conducting taint analysis is determining the routes that tainted data may take in the application. In the example, tainted data is transmitted from a taint source to the name variable. Subsequently, the data can also be transmitted into other variables or act as a function's arguments:

void ProcessRequest(HttpRequest request)
{
  string name = request.Form["name"]; // taint source
  // now "name" contains potentially tainted data

  string sql = $"SELECT * FROM Users WHERE name='{name}'";
  ExecuteReaderCommand(sql); // tainted data passed as an argument
  ....
}

void ExecuteReaderCommand(string sql)
{
  // sql contains potentially tainted data here 
  ....
}

Note one more way that the tainted data can be transmitted. The name variable, which stores potentially tainted data, is used to form a string that is written into the sql variable. As a result, the value of the sql variable can be potentially tainted as well.

Taint sinks

From the taint analysis point of view, an application is vulnerable if tainted data can get into some of the application's key points. They are called taint sinks. Every potential vulnerability has its own sinks. For an SQL injection, a sink may be the transfer point of the query string to the SQL command object:

void ProcessRequest(HttpRequest request)
{
  string name = request.Form["name"]; // <= taint source
  // now "name" contains potentially tainted data

  string sql = $"SELECT * FROM Users WHERE name='{name}'";
  ExecuteReaderCommand(sql); // tainted data passed as an argument
  ....
}

void ExecuteReaderCommand(string sql)
{
  using (var command = new SqlCommand(sql, _connection)) // <= sink
  {
    using (var reader = command.ExecuteReader()) { /*....*/ }
  }
  ....
}

Here the external data from the source (request.Form["name"]) is directly used in forming an SQL query that is passed further to the sink - the SqlCommand constructor. Taint analysis checks whether there is a path that tainted data can follow from the source to the sink.

In fact, taint analysis is a form of static analysis. Thus, static analysis tools can implement it as a separate mechanism or a set of diagnostic rules. For example, if PVS-Studio checks the code above, it issues the following warning: "V5608 Possible SQL injection inside method. Potentially tainted data in the first argument 'sql' is used to create SQL command".

Let's look at another example of an attack - XSS (cross-site scripting). It allows an attacker to inject malicious code into web pages opened by users. The sink in this case can be the Response.Write method call:

protected void Page_Load(object sender, EventArgs e)
{
  ....

  var userName = Request.Params["userName"];  // taint source
  
  string message;
  if (string.IsNullOrWhiteSpace(userName))
  {
    message = "Empty 'userName' parameter";
  }
  else
  {
    message = $"'{userName}' data has been processed.";
  }
  
  Response.Write(message);          // taint sink
}

While performing taint analysis, PVS-Studio discovered that data from Request.Params["userName"] may get to Response.Write - and issued the following warning:

V5610 Possible XSS vulnerability. Potentially tainted data in the 'message' variable might be used to execute a malicious script.

If a malicious script is written into the userName request parameter, then because of the Response.Write call the tainted data is passed onto the page loaded by the user and can be executed later. Here's the vulnerability.

For more information on the various vulnerability types, read the documentation related to these rules:

Potential vulnerability elimination

To eliminate a potential vulnerability, you can check external data or convert it to a secure form. The specific approach depends on the attack type. In case of an SQL injection, we can use parameterized queries:

String userName = Request.Form["userName"];
String query = "SELECT * FROM Users WHERE UserName = @userName";

using (var command = new SqlCommand(query, _connection))
{
  var userNameParam = new SqlParameter("@userName", userName);
  command.Parameters.Add(userNameParam);
            
  using (var reader = command.ExecuteReader())
  ....
}

Accordingly, when conducting taint analysis, PVS-Studio does not issue a warning for this code.

There are ways to prevent other attacks as well. In case of XSS you can use special methods for converting external data. HtmlEncode is one of them:

protected void Page_Load(object sender, EventArgs e)
{
  String userName = Request.Form["userName"];
  ....
  var encodedUserName = System.Net.WebUtility.HtmlEncode(userName);
  var message = $"'{encodedUserName}' data has been processed.";
  
  Response.Write(message);
}

After the malicious script has been processed this way, it gets to the web page as plain text. Therefore, no dangerous actions are performed.

Additional links:

Popular related articles
Free PVS-Studio for those who develops open source projects

Date: Dec 22 2018

Author: Andrey Karpov

On the New 2019 year's eve, a PVS-Studio team decided to make a nice gift for all contributors of open-source projects hosted on GitHub, GitLab or Bitbucket. They are given free usage of PVS-Studio s…
Characteristics of PVS-Studio Analyzer by the Example of EFL Core Libraries, 10-15% of False Positives

Date: Jul 31 2017

Author: Andrey Karpov

After I wrote quite a big article about the analysis of the Tizen OS code, I received a large number of questions concerning the percentage of false positives and the density of errors (how many erro…
The way static analyzers fight against false positives, and why they do it

Date: Mar 20 2017

Author: Andrey Karpov

In my previous article I wrote that I don't like the approach of evaluating the efficiency of static analyzers with the help of synthetic tests. In that article, I give the example of a code fragment…
Static analysis as part of the development process in Unreal Engine

Date: Jun 27 2017

Author: Andrey Karpov

Unreal Engine continues to develop as new code is added and previously written code is changed. What is the inevitable consequence of ongoing development in a project? The emergence of new bugs in th…
PVS-Studio ROI

Date: Jan 30 2019

Author: Andrey Karpov

Occasionally, we're asked a question, what monetary value the company will receive from using PVS-Studio. We decided to draw up a response in the form of an article and provide tables, which will sho…
Appreciate Static Code Analysis!

Date: Oct 16 2017

Author: Andrey Karpov

I am really astonished by the capabilities of static code analysis even though I am one of the developers of PVS-Studio analyzer myself. The tool surprised me the other day as it turned out to be sma…
PVS-Studio for Java

Date: Jan 17 2019

Author: Andrey Karpov

In the seventh version of the PVS-Studio static analyzer, we added support of the Java language. It's time for a brief story of how we've started making support of the Java language, how far we've co…
The Evil within the Comparison Functions

Date: May 19 2017

Author: Andrey Karpov

Perhaps, readers remember my article titled "Last line effect". It describes a pattern I've once noticed: in most cases programmers make an error in the last line of similar text blocks. Now I want t…
How PVS-Studio Proved to Be More Attentive Than Three and a Half Programmers

Date: Oct 22 2018

Author: Andrey Karpov

Just like other static analyzers, PVS-Studio often produces false positives. What you are about to read is a short story where I'll tell you how PVS-Studio proved, just one more time, to be more atte…
Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities

Date: Nov 21 2018

Author: Andrey Karpov

A brief description of technologies used in the PVS-Studio tool, which let us effectively detect a large number of error patterns and potential vulnerabilities. The article describes the implementati…

Comments (0)

Next comments
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →
Accept