Taint analysis (taint checking) is a technology that allows us to track unverified external data distribution across the program during its operation. If such data gets into code key points, this situation can lead to various vulnerabilities, including SQL injection, cross-site scripting (XSS), path traversal and others. Attackers may use these vulnerabilities to disrupt the correct system operation, obtain confidential data or conduct other unauthorized operations.
The primary concept in this topic is tainted data. This term refers to some values that an attacker can use for unauthorized and malicious operations when interacting with the system. Depending on how external data is used, an application may be vulnerable to various attacks. For example, an application may be vulnerable to SQL injections if it uses unverified external data to form database queries.
Thus, external data may be potentially tainted. Taint sources are locations where an application gets access to potentially tainted data. For example, a taint source can be an operation of getting the value of an HTTP request parameter:
void ProcessRequest(HttpRequest request)
{
....
string name = request.Form["name"]; // taint source
// now "name" contains potentially tainted data
....
}
An important aspect of conducting taint analysis is determining the routes that tainted data may take in the application. In the example, tainted data is transmitted from a taint source to the name variable. Subsequently, the data can also be transmitted into other variables or act as a function's arguments:
void ProcessRequest(HttpRequest request)
{
string name = request.Form["name"]; // taint source
// now "name" contains potentially tainted data
string sql = $"SELECT * FROM Users WHERE name='{name}'";
ExecuteReaderCommand(sql); // tainted data passed as an argument
....
}
void ExecuteReaderCommand(string sql)
{
// sql contains potentially tainted data here
....
}
Note one more way that the tainted data can be transmitted. The name variable, which stores potentially tainted data, is used to form a string that is written into the sql variable. As a result, the value of the sql variable can be potentially tainted as well.
From the taint analysis point of view, an application is vulnerable if tainted data can get into some of the application's key points. They are called taint sinks. Every potential vulnerability has its own sinks. For an SQL injection, a sink may be the transfer point of the query string to the SQL command object:
void ProcessRequest(HttpRequest request)
{
string name = request.Form["name"]; // <= taint source
// now "name" contains potentially tainted data
string sql = $"SELECT * FROM Users WHERE name='{name}'";
ExecuteReaderCommand(sql); // tainted data passed as an argument
....
}
void ExecuteReaderCommand(string sql)
{
using (var command = new SqlCommand(sql, _connection)) // <= sink
{
using (var reader = command.ExecuteReader()) { /*....*/ }
}
....
}
Here the external data from the source (request.Form["name"]) is directly used in forming an SQL query that is passed further to the sink - the SqlCommand constructor. Taint analysis checks whether there is a path that tainted data can follow from the source to the sink.
In fact, taint analysis is a form of static analysis. Thus, static analysis tools can implement it as a separate mechanism or a set of diagnostic rules. For example, if PVS-Studio checks the code above, it issues the following warning: "V5608 Possible SQL injection inside method. Potentially tainted data in the first argument 'sql' is used to create SQL command".
Let's look at another example of an attack - XSS (cross-site scripting). It allows an attacker to inject malicious code into web pages opened by users. The sink in this case can be the Response.Write method call:
protected void Page_Load(object sender, EventArgs e)
{
....
var userName = Request.Params["userName"]; // taint source
string message;
if (string.IsNullOrWhiteSpace(userName))
{
message = "Empty 'userName' parameter";
}
else
{
message = $"'{userName}' data has been processed.";
}
Response.Write(message); // taint sink
}
While performing taint analysis, PVS-Studio discovered that data from Request.Params["userName"] may get to Response.Write - and issued the following warning:
V5610 Possible XSS vulnerability. Potentially tainted data in the 'message' variable might be used to execute a malicious script.
If a malicious script is written into the userName request parameter, then because of the Response.Write call the tainted data is passed onto the page loaded by the user and can be executed later. Here's the vulnerability.
For more information on the various vulnerability types, read the documentation related to these rules:
To eliminate a potential vulnerability, you can check external data or convert it to a secure form. The specific approach depends on the attack type. In case of an SQL injection, we can use parameterized queries:
String userName = Request.Form["userName"];
String query = "SELECT * FROM Users WHERE UserName = @userName";
using (var command = new SqlCommand(query, _connection))
{
var userNameParam = new SqlParameter("@userName", userName);
command.Parameters.Add(userNameParam);
using (var reader = command.ExecuteReader())
....
}
Accordingly, when conducting taint analysis, PVS-Studio does not issue a warning for this code.
There are ways to prevent other attacks as well. In case of XSS you can use special methods for converting external data. HtmlEncode is one of them:
protected void Page_Load(object sender, EventArgs e)
{
String userName = Request.Form["userName"];
....
var encodedUserName = System.Net.WebUtility.HtmlEncode(userName);
var message = $"'{encodedUserName}' data has been processed.";
Response.Write(message);
}
After the malicious script has been processed this way, it gets to the web page as plain text. Therefore, no dangerous actions are performed.
0