Video hosting site adds new features to open source XSS and SQLi detection software

Vimeo's Psalm security tool expanded to support taint analysis

Psalm, Vimeo’s open source static analysis tool for PHP applications, has been expanded to support taint analysis.

Taint analysis involves checking the flow of user input in application code and determining whether ‘tainted’ input can affect program execution in malicious ways.

Psalm analyzes the source code of PHP applications and looks for possible cross-site scripting (XSS) and SQL injection bugs related to user input sources, such as query string parameters, cookies, and web forms.

Developers can also define their own custom taint sources. The tool builds a graph that spots problematic paths between the user input and rendered HTML code or server code such as database queries.

Psalm reader

Psalm detects several taint types in user input such as SQL code, shell commands, and client-side code. The tool is also highly configurable in order to reduce false positives.

The addition of the taint analysis function comes after the security team at Vimeo found that commercial tools of this kind produced too many false positives.

“In 2018 we tried a product from RIPS Tech (now part of SonarQube) and it generated a 1,200-page PDF report, and none of the issues were exploitable on,” Psalm developer Matthew Brown told The Daily Swig.

Read about more of the latest hacking tools

After reading about Facebook’s taint analysis tool, Brown decided to implement a similar feature into Psalm.

“Making the tool open source means it can be improved much faster than I’d be able to on my own, which in turn helps Vimeo,” Brown says.

Raining XSS

Brown tested Psalm’s taint analysis feature on Vimeo’s codebase during development, and so far, the tool has reported about 35 exploitable security vulnerabilities – all of them XSS.

“Most of those were stored XSS, the rest just XSS via query-strings (which don’t work in Chrome),” he said. “I was sort of hoping to find an SQL vulnerability, but luckily we’re pretty diligent about using prepared queries.”

The taint analysis feature was added to Psalm’s GitHub repository last week. Brown plans to further improve the tool as he gathers input and feedback from other developers.

“Because Psalm is open source with a public issue tracker, a bunch of people have been poking holes,” he said.

“I’ve fixed eight taint analysis issues in the last 48 hours, and I expect there’ll be a ton more before the week is over.

“Psalm’s taint analysis benefits from many ongoing improvements in Psalm’s underlying type inference engine, too.”

Check out the Psalm website for further details.

RECOMMENDED RMIScout: New hacking tool brute-forces Java RMI servers for vulnerabilities