Web Vulnerability Detection Based On Static Taint Analysis

Posted on: 2021-12-22
Degree: Master
Type: Thesis
Country: China
Candidate: C P Zhou
Full Text: PDF
GTID: 2518306107450424
Subject: Computer technology
Abstract/Summary:
In the current Internet environment, Web applications are very widespread, and Web security problems are becoming more and more serious. For Web applications that lack input verification, an attacker can construct malicious input and steal sensitive information from users and service providers, causing serious harm. Taint analysis is a code vulnerability detection technology based on data flow analysis. The idea is to mark sensitive data that needs to be tracked, or external untrusted data, as tainted and to track the flow of taint through the application. It can be divided into dynamic taint analysis and static taint analysis. Static taint analysis does not need to run the program and can cover all paths of the code, so the analysis is more comprehensive, but because it lacks runtime information, static analysis produces a large number of false positives. Based on static taint analysis, we build a static taint analysis system for Web vulnerability detection called STAS. STAS takes several measures to address the excessively high false positive rate of static taint analysis. For taint representation, we use a fine-grained representation that records the state of the variable itself and, in addition, the state of each of its fields, giving field-level recording. Similar records are kept for structures such as maps and lists, and the state of the variables inside maps, collections and other structures is also recorded, which increases the accuracy of the taint analysis results. We record and track the values of variables of basic data types and make a simple judgment on program branches, which excludes some invalid paths. In the inter-process taint analysis, we analyze the spread of taint between instance objects, method parameters, and return values. These improvements significantly improve the accuracy of taint analysis. We detected four vulnerabilities (SQL injection, cross-site scripting, command injection, and path traversal) on the OWASP Benchmark and compared the results of STAS and Fortify. The false negative rate and false positive rate of STAS are 0.3% and 9.9%; Fortify's false negative rate and false positive rate are 17.3% and 42.0%. The results show that STAS has a better detection effect on injection-class Web vulnerabilities than Fortify.
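The following added example is not STAS code and not taken from the thesis. It is a toy static taint analyzer over a constructed intermediate representation, showing how the two measures the abstract describes (field-level taint records and constant tracking to skip infeasible branches) remove false positives that a coarse, per-object analysis reports. The statement format, the `analyze` function and the sample program are all assumptions made for illustration.

```python
# Added illustration, not STAS code. Constructed toy IR statements:
#   ("source", dst) | ("const", dst, value) | ("copy", dst, src)
#   ("if", var, value, then_block, else_block)  -> branch on var == value
#   ("sink", arg, label)                        -> sensitive call using arg
def analyze(block, field_sensitive, track_consts, taint=(), consts=None):
    """Abstractly execute block; return (findings, taint, consts)."""
    taint, consts, findings = set(taint), dict(consts or {}), []
    # Coarse mode collapses every field of an object into its base variable.
    key = (lambda p: p) if field_sensitive else (lambda p: p.split(".")[0])

    def assign(dst, tainted):
        if tainted:
            taint.add(key(dst))
        elif field_sensitive or "." not in dst:
            taint.discard(key(dst))  # clear only what is tracked exactly
    for stmt in block:
        op = stmt[0]
        if op in ("source", "const"):
            assign(stmt[1], op == "source")
            consts.pop(stmt[1], None)
            if op == "const":
                consts[stmt[1]] = stmt[2]
        elif op == "copy":
            assign(stmt[1], key(stmt[2]) in taint)
            consts.pop(stmt[1], None)
            if stmt[2] in consts:
                consts[stmt[1]] = consts[stmt[2]]
        elif op == "sink" and key(stmt[1]) in taint:
            findings.append(stmt[2])
        elif op == "if":
            _, var, value, then_b, else_b = stmt
            arms = [then_b, else_b]
            if track_consts and var in consts:  # decidable: skip dead arm
                arms = [then_b if consts[var] == value else else_b]
            res = [analyze(a, field_sensitive, track_consts, taint, consts) for a in arms]
            findings += [f for r in res for f in r[0]]
            taint = set().union(*(r[1] for r in res))  # join: tainted on any arm
            consts = {k: v for k, v in res[0][2].items()
                      if all(k in r[2] and r[2][k] == v for r in res)}
    return findings, taint, consts

PROGRAM = [  # constructed sample
    ("source", "req.param"), ("const", "user.role", "guest"),
    ("copy", "user.name", "req.param"),
    ("sink", "user.role", "sql:role"),      # safe: this field is a constant
    ("const", "mode", 1),
    ("if", "mode", 2, [("copy", "q", "user.name")], [("const", "q", "fixed")]),
    ("sink", "q", "sql:q"),                 # safe: tainted arm is infeasible
    ("sink", "user.name", "xss:name"),      # real flaw
]
```

Calling `analyze(PROGRAM, False, False)[0]` gives the coarse result with both false positives, and `analyze(PROGRAM, True, True)[0]` leaves only the real finding.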
Keywords/Search Tags:Web vulnerabilities, Taint analysis, Fine-grained, Path sensitive