“Taint tracking” is a technique used in code analysis to find security vulnerabilities and other problems.
Any data that comes from an untrusted source, for example an HTTP request, is treated as “tainted”. If that “tainted” data is able to reach a sensitive part of your code (a “sink” such as HTML output or a SQL query) without passing through a sanitizer, then you have a problem. Sophisticated code analysis tools can track this data through assignments, string operations and function calls, and reveal potential security problems. Examples of the sort of problem that can be found include cross-site scripting (XSS), code injection, SQL injection and others.
In this talk I will show how taint tracking analysis works in practice, introducing the concepts of source, sink and sanitizer. I will then demonstrate using taint tracking to find an XSS vulnerability in a Django app. (We will choose a project that is designed to teach Django security, where the vulnerability is deliberate.)
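To make source, sink and sanitizer concrete, here is a toy taint tracker for Django views, added to this page as an illustration; it is not the talk's code and not how lgtm.com implements its analysis. It walks the Python AST of some constructed sample views: anything read from `request.GET`/`request.POST`/`request.COOKIES`/`request.META` is a source, `HttpResponse(...)` and `mark_safe(...)` are sinks, and `escape(...)`/`conditional_escape(...)` are sanitizers. The source, sink and sanitizer lists and the sample views are assumptions chosen for the example.

```python
"""Toy intra-procedural taint tracker for Django views (added example, not the talk's code)."""
import ast

# Assumed source/sink/sanitizer lists for this toy analysis.
SOURCES = {"GET", "POST", "COOKIES", "META"}      # attributes of `request` carrying user input
SINKS = {"HttpResponse", "mark_safe"}            # places where a string becomes raw HTML
SANITIZERS = {"escape", "conditional_escape"}    # django.utils.html helpers that neutralise HTML

# Constructed sample views: one vulnerable, one sanitized, one vulnerable via mark_safe.
SAMPLE_VIEWS = '''
from django.http import HttpResponse
from django.utils.html import escape
from django.utils.safestring import mark_safe

def greet(request):
    name = request.GET.get("name", "")
    body = "<h1>Hello " + name + "</h1>"
    return HttpResponse(body)

def greet_safe(request):
    name = escape(request.GET.get("name", ""))
    return HttpResponse(f"<h1>Hello {name}</h1>")

def greet_marked(request):
    html = "<b>%s</b>" % request.GET["name"]
    return mark_safe(html)
'''


def _call_name(node):
    """Bare function name of a Call node ('escape', 'HttpResponse'), or None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _is_source(node):
    """True for request.GET / request.POST / ... and anything read off them."""
    while isinstance(node, (ast.Attribute, ast.Subscript, ast.Call)):
        if (isinstance(node, ast.Attribute) and node.attr in SOURCES
                and isinstance(node.value, ast.Name) and node.value.id == "request"):
            return True
        node = node.func if isinstance(node, ast.Call) else node.value
    return False


def tainted(node, env):
    """Does evaluating `node` depend on untrusted input, given the tainted names in `env`?"""
    if isinstance(node, ast.Call) and _call_name(node) in SANITIZERS:
        return False                              # a sanitizer's output is clean
    if _is_source(node):
        return True
    if isinstance(node, ast.Name):
        return node.id in env
    # Concatenation, %-formatting, f-strings, .format() calls: tainted if any part is tainted.
    return any(tainted(child, env) for child in ast.iter_child_nodes(node))


def find_taint_flows(source_code):
    """Return [(function, sink, line)] for every sink call reached by unsanitized input.

    Toy limitations: statements are processed in straight-line order per function,
    with no branch or loop handling and no tracking across function calls.
    """
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        env = set()                               # names currently holding tainted values
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if tainted(stmt.value, env):
                            env.add(target.id)
                        else:
                            env.discard(target.id)  # reassigning a clean value kills taint
            for call in ast.walk(stmt):           # sinks may sit inside return/expr/assign
                if (isinstance(call, ast.Call) and _call_name(call) in SINKS
                        and any(tainted(arg, env) for arg in call.args)):
                    findings.append((func.name, _call_name(call), call.lineno))
    return findings


if __name__ == "__main__":
    for func_name, sink, line in find_taint_flows(SAMPLE_VIEWS):
        print(f"{func_name}: untrusted data reaches {sink}() at line {line}")
```

Running it reports `greet` and `greet_marked` and stays silent on `greet_safe`, because the `escape(...)` call is the one point where taint is cleared. A real engine does the same bookkeeping over a control-flow graph and across function boundaries, which is why it can follow data from a view into a template helper or a model method.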
I will also explain how thinking in terms of “taint” can help you write safer code, even without access to code analysis tools.
During this talk I will use the code analysis tools on lgtm.com to demonstrate the analysis. lgtm.com is free to use for open-source projects. A paid version is available.