Authors: V. Benjamin Livshits, Monica S. Lam
Venue:
Defect Type: SQL injection, cross-site scripting, HTTP parameter tampering, URL tampering, hidden form field tampering, cookie poisoning, HTTP header manipulation, path traversal, other user-defined vulnerabilities
Uses Annotations: Yes
Requires Annotations: Yes
This paper presents a new method for finding security vulnerabilities in Java web applications. The authors use a tainted object model: objects that originate from user input (sources) are tracked through the operations that derive new objects from them, and the tool reports any path on which such an object reaches a sensitive operation (a sink, such as a SQL query or HTML output) without first passing through a sanitizer. To follow these objects the analysis uses a sound, context-sensitive points-to analysis, which contrasts with many other static analysis methods that sacrifice accuracy for speed; the authors attribute their low false-positive rate to the precision of this analysis. The method requires programmers to specify vulnerability patterns, i.e. which methods are sources, which methods propagate taint (derivations), and which are sinks. These pattern descriptions are written in an included language called Program Query Language (PQL). The tool implementation also includes an Eclipse plugin for viewing analysis results.
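To make the tainted object model concrete, here is a small added example in Python. It is not the authors' tool (which analyzes Java bytecode with a context-sensitive points-to analysis and takes its patterns in PQL): the "program" is a list of (result, method, args) triples, the method names, the escapeSql sanitizer and the RETURNS_RECEIVER set are assumptions made for the example, and the abstract heap is a flat variable-to-object map. It contrasts object-level propagation, where taint is a property of the object and every alias sees it, with a naive variable-level propagation that ignores aliasing and misses the flow when a StringBuilder is written through one name and read through another.

```python
"""Toy tainted-object propagation in the style of source/derivation/sink patterns.

Added illustration, not the paper's tool. Method names, the escapeSql sanitizer and the
RETURNS_RECEIVER set are assumptions; the sample programs below are constructed by hand.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Pattern:
    name: str
    sources: frozenset      # calls whose result carries attacker-controlled data
    derivations: frozenset  # calls whose result (or receiver) inherits taint from any argument
    sinks: frozenset        # calls that must never receive tainted data
    # A sanitizer needs no special rule here: any call outside `derivations` yields a clean object.


# Fluent methods that mutate and return their receiver. Taint written through them lands on the
# receiver object itself, so every alias of that object becomes tainted. (Assumed set for the toy.)
RETURNS_RECEIVER = frozenset({"StringBuilder.append"})


def analyze_objects(program, pattern):
    """Object-level propagation: taint belongs to abstract objects; variables merely alias them."""
    obj = {}          # variable -> abstract object id
    tainted = set()   # object ids carrying tainted data
    fresh = count(1)

    def oid(var):
        return obj.setdefault(var, next(fresh))   # unseen names (parameters, literals) get a clean object

    findings = []
    for i, (res, method, args) in enumerate(program):
        arg_objs = [oid(a) for a in args]
        inflow = any(o in tainted for o in arg_objs)
        if method in pattern.sinks:
            if inflow:
                findings.append((i, method))
            continue
        if res is None:
            continue
        if method == "assign":                      # res = args[0]: pure alias
            obj[res] = arg_objs[0]
        elif method in RETURNS_RECEIVER and method in pattern.derivations:
            obj[res] = arg_objs[0]                  # result aliases the receiver ...
            if inflow:
                tainted.add(arg_objs[0])            # ... and the receiver object is now tainted
        else:
            obj[res] = next(fresh)                  # fresh result object
            if method in pattern.sources or (method in pattern.derivations and inflow):
                tainted.add(obj[res])
    return findings


def analyze_variables(program, pattern):
    """Variable-level propagation that ignores aliasing; included to show what it misses."""
    tainted = set()
    findings = []
    for i, (res, method, args) in enumerate(program):
        inflow = any(a in tainted for a in args)
        if method in pattern.sinks:
            if inflow:
                findings.append((i, method))
        elif res is not None and (method in pattern.sources or
                                  (method in {"assign", *pattern.derivations} and inflow)):
            tainted.add(res)
    return findings


SQLI = Pattern(
    name="SQL injection",
    sources=frozenset({"HttpServletRequest.getParameter"}),
    derivations=frozenset({"StringBuilder.append", "StringBuilder.toString", "String.concat"}),
    sinks=frozenset({"Statement.executeQuery"}),
)

# Constructed sample: the builder is written through aliases sb1/sb2 but read back through sb.
VULNERABLE = [
    ("name",  "HttpServletRequest.getParameter", ["req", "pname"]),   # source
    ("sb",    "StringBuilder.new",               []),
    ("sb1",   "StringBuilder.append",            ["sb", "prefix"]),   # sb1 is the same object as sb
    ("sb2",   "StringBuilder.append",            ["sb1", "name"]),    # taint lands on the builder object
    ("query", "StringBuilder.toString",          ["sb"]),             # read through the original name
    ("rs",    "Statement.executeQuery",          ["stmt", "query"]),  # sink
]

# Same flow with the parameter passed through a hypothetical escaping routine first.
SANITIZED = [
    ("name",  "HttpServletRequest.getParameter", ["req", "pname"]),
    ("safe",  "escapeSql",                       ["name"]),           # not a derivation: clean result
    ("sb",    "StringBuilder.new",               []),
    ("sb1",   "StringBuilder.append",            ["sb", "prefix"]),
    ("sb2",   "StringBuilder.append",            ["sb1", "safe"]),
    ("query", "StringBuilder.toString",          ["sb"]),
    ("rs",    "Statement.executeQuery",          ["stmt", "query"]),
]

if __name__ == "__main__":
    print("object-level  :", analyze_objects(VULNERABLE, SQLI))     # [(5, 'Statement.executeQuery')]
    print("variable-level:", analyze_variables(VULNERABLE, SQLI))   # []  (missed through the alias)
    print("sanitized     :", analyze_objects(SANITIZED, SQLI))      # []
```

The object-level analysis reports the executeQuery call in VULNERABLE because the tainted parameter was appended to the builder object that `sb` still names, while the variable-level version never marks `sb` and silently misses it; this is the kind of flow that a points-to analysis over heap objects is needed to catch. Note also that a sanitizer works only because it is not declared as a derivation, so an incomplete derivation list turns into missed vulnerabilities rather than extra warnings.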
The authors validated their method by analyzing 9 open source web applications, including one web application designed to contain vulnerabilities for testing purposes. Their method reported 41 warnings in total, 12 of which were determined to be false positives, a false positive rate of roughly 30%. One key observation was that increasing the precision of the analysis actually decreased the runtimes. The authors conclude that the speedup occurs because the more precise analysis has fewer potentially tainted references to track and process. They also stress that good vulnerability pattern specifications are essential to keeping the number of false positives low. The tool took up to 10 minutes to run on the larger programs.
This tool could be useful to many projects. The requirement to write vulnerability pattern specifications adds up-front work, but the amount of work per project would decrease as the specification library grew. The Eclipse plugin is also convenient for developers, although the long run times suggest that the tool is better used as a pre-release check than as part of every compile.