Although I haven’t made any updates to this website, I haven’t been sitting still. I have worked my butt off to make it work. And I did. I managed to get the taint traced from source to sink, by means of only the String class itself. But that’s not where I stopped: I demonstrated that this principle not only works in plain Java, but also in J2EE. And to top it off, it also works with other JVM languages like Scala, Jython and Groovy, which is an added bonus.
So, in short: I managed to implement the idea that had sprung out of another AppSec conference, AppSec EU 2013. The next step will be to ‘convert’ it into an OWASP project, add a roadmap, more documentation, etc. Oh, and not to forget, add more functionality like:
- Visual display of source-to-sink traces
- Marking of potential ‘safes’ (sanitizers, like ESAPI calls)
- Combining taint traces to reflect merges, etc.
- And, not to forget, making JSP compilation work (it doesn’t at the moment).
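To make the principle above concrete (taint carried by the String value itself, propagated through String operations, merged on concatenation, cleared by a recognised ‘safe’ and checked at a sink), here is an added, self-contained Java example. It is not the project’s code: the real approach patches java.lang.String, whereas this demo uses a small wrapper class as a stand-in so it compiles on its own. The names TString, source, literal, sanitize and sink, the trace format, and the quote-doubling ‘sanitizer’ standing in for an ESAPI encoder are all assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.UnaryOperator;

// Added example, not the project's own code. TString stands in for a
// taint-aware java.lang.String; in the real tool String itself is patched.
public final class TaintDemo {

    /** Thrown when tainted data reaches a sink without passing a sanitizer. */
    static final class TaintViolation extends RuntimeException {
        TaintViolation(String msg) { super(msg); }
    }

    static final class TString {
        final String value;
        final boolean tainted;
        final List<String> trace;   // ordered steps from the source(s) to this value

        private TString(String value, boolean tainted, List<String> trace) {
            this.value = value;
            this.tainted = tainted;
            this.trace = trace;
        }

        /** Untrusted input (e.g. a request parameter): tainted, trace starts here. */
        static TString source(String value, String name) {
            List<String> t = new ArrayList<>();
            t.add("source:" + name);
            return new TString(value, true, t);
        }

        /** A program literal is never tainted and carries no trace. */
        static TString literal(String value) {
            return new TString(value, false, new ArrayList<>());
        }

        /** Taint propagates through concat; the traces of both operands are merged. */
        TString concat(TString other) {
            List<String> t = new ArrayList<>(trace);
            if (!other.trace.isEmpty()) {
                t.add("merge");
                t.addAll(other.trace);
            }
            t.add("concat");
            return new TString(value + other.value, tainted || other.tainted, t);
        }

        /** A substring of tainted data is still tainted. */
        TString substring(int begin, int end) {
            List<String> t = new ArrayList<>(trace);
            t.add("substring(" + begin + "," + end + ")");
            return new TString(value.substring(begin, end), tainted, t);
        }

        /** A recognised 'safe' (e.g. an ESAPI encoder) clears the taint but stays in the trace. */
        TString sanitize(String safeName, UnaryOperator<String> encoder) {
            List<String> t = new ArrayList<>(trace);
            t.add("safe:" + safeName);
            return new TString(encoder.apply(value), false, t);
        }

        /** A sink (SQL, HTML output, ...) rejects tainted data and reports the full trace. */
        String sink(String sinkName) {
            List<String> t = new ArrayList<>(trace);
            t.add("sink:" + sinkName);
            if (tainted) {
                throw new TaintViolation("tainted data reached " + sinkName + ": " + t);
            }
            return value;
        }
    }

    public static void main(String[] args) {
        // Constructed input standing in for request.getParameter("user").
        TString user = TString.source("alice' OR '1'='1", "request.getParameter(user)");
        TString prefix = TString.literal("SELECT * FROM users WHERE name='");
        TString suffix = TString.literal("'");

        // Unsanitized flow: the sink throws and prints source -> merge -> concat -> sink.
        try {
            prefix.concat(user).concat(suffix).sink("Statement.executeQuery");
        } catch (TaintViolation e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // Same flow through a 'safe': taint is cleared, the safe is recorded in the trace.
        // Quote doubling here is a stand-in, not a claim about what ESAPI does.
        TString safeUser = user.sanitize("ESAPI.encoder().encodeForSQL", s -> s.replace("'", "''"));
        TString safeQuery = prefix.concat(safeUser).concat(suffix);
        System.out.println("executed: " + safeQuery.sink("Statement.executeQuery"));
        System.out.println("trace: " + safeQuery.trace);
    }
}
```

Compile and run with `javac TaintDemo.java && java TaintDemo`. The first query is blocked with a trace that names the source and the sink; the second passes because the ‘safe’ cleared the taint, and its trace still shows which sanitizer did so, which is the information a visual source-to-sink display would draw.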
For those who are interested, the presentation I gave at AppSec USA is here.