Video hosting site adds new features to open source XSS and SQLi detection software
Psalm, Vimeo’s open source static analysis tool for PHP applications, has been expanded to support taint analysis.
Taint analysis involves checking the flow of user input in application code and determining whether ‘tainted’ input can affect program execution in malicious ways.
Psalm analyzes the source code of PHP applications and looks for possible cross-site scripting (XSS) and SQL injection bugs related to user input sources, such as query string parameters, cookies, and web forms.
Developers can also define their own custom taint sources. The tool builds a data-flow graph and reports problematic paths that lead from user input (sources) to rendered HTML or to server-side operations such as database queries (sinks).
Psalm detects several taint types in user input such as SQL code, shell commands, and client-side code. The tool is also highly configurable in order to reduce false positives.
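As an added illustration, not code from the article or from the Psalm project: a PHP file showing the kind of source-to-sink flows described above, with a custom taint source and sink, followed by the same flows with the taint removed before the sink. The `@psalm-taint-source` and `@psalm-taint-sink` annotation names are assumed from Psalm's documentation, and `requestHeader()` and `runRawQuery()` are hypothetical helpers.

```php
<?php
declare(strict_types=1);

/**
 * Custom taint source (hypothetical): a value read from a request header.
 * The annotation tells Psalm to treat the return value as attacker input.
 * (@psalm-taint-* annotation names are assumed from Psalm's documentation.)
 *
 * @psalm-taint-source input
 */
function requestHeader(string $name): string
{
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    return (string) ($_SERVER[$key] ?? '');
}

/**
 * Custom taint sink (hypothetical): $sql is executed verbatim, so a tainted
 * value reaching it is reported as SQL injection.
 *
 * @psalm-taint-sink sql $sql
 */
function runRawQuery(PDO $db, string $sql): void
{
    $db->query($sql);
}

function vulnerable(PDO $db): void
{
    $name = $_GET['name'] ?? '';          // built-in taint source
    $ua   = requestHeader('User-Agent');  // custom taint source

    echo '<p>Hello ' . $name . '</p>';    // source -> HTML sink: XSS

    // source -> SQL sink by string concatenation: SQL injection
    runRawQuery($db, "SELECT id FROM users WHERE ua = '" . $ua . "'");
}

function hardened(PDO $db): void
{
    $name = $_GET['name'] ?? '';
    $ua   = requestHeader('User-Agent');

    // htmlspecialchars() removes the HTML taint before the sink
    echo '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';

    // the value is bound as a parameter and never becomes part of the SQL text
    $stmt = $db->prepare('SELECT id FROM users WHERE ua = :ua');
    $stmt->execute([':ua' => $ua]);
}
```

Running Psalm with taint analysis enabled over this file should report the two paths in `vulnerable()` and nothing in `hardened()`, since the escaping call and the bound parameter break the path between source and sink.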
The addition of the taint analysis function comes after the security team at Vimeo found that commercial tools of this kind produced too many false positives.
“In 2018 we tried a product from RIPS Tech (now part of SonarQube) and it generated a 1,200-page PDF report, and none of the issues were exploitable on vimeo.com,” Psalm developer Matthew Brown told The Daily Swig.
After reading about Facebook’s taint analysis tool, Brown decided to implement a similar feature into Psalm.
“Making the tool open source means it can be improved much faster than I’d be able to on my own, which in turn helps Vimeo,” Brown says.
Brown tested Psalm’s taint analysis feature on Vimeo’s codebase during development, and so far, the tool has reported about 35 exploitable security vulnerabilities – all of them XSS.
“Most of those were stored XSS, the rest just XSS via query-strings (which don’t work in Chrome),” he said. “I was sort of hoping to find an SQL vulnerability, but luckily we’re pretty diligent about using prepared queries.”
The taint analysis feature was added to Psalm’s GitHub repository last week. Brown plans to further improve the tool as he gathers input and feedback from other developers.
“Because Psalm is open source with a public issue tracker, a bunch of people have been poking holes,” he said.
“I’ve fixed eight taint analysis issues in the last 48 hours, and I expect there’ll be a ton more before the week is over.
“Psalm’s taint analysis benefits from many ongoing improvements in Psalm’s underlying type inference engine, too.”
Check out the Psalm website for further details.