This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Tainted String Library
Introduction:
In any programming language, handling strings is one of the most demanding tasks, because untrusted strings pose some of the most serious threats to a program. In PHP as well, many kinds of strings can fully compromise an application. What is needed in these scenarios is a way to check each string for contaminated values, and a way to flag strings so that the program knows they are "tainted".
Need for this library:
The prevalent injection attacks are all carried by strings, which is what makes strings so dangerous: attackers craft malicious strings that can compromise the whole system. Programs and applications therefore need to work only with safe strings. To support this, we developed a library that warns the developer when a dangerous string is used. With this library, developers mark every string they consider risky (for example, values taken from input fields) as "tainted"; any later use of such a string anywhere in the program will generate an error unless the string has first been decontaminated.
PHPSEC Tainted String Implementation:
To "taint" a string, we created an abstract "Tainted" class that defines functions to contaminate and decontaminate a string; in other words, these functions set or clear the flag that marks a string as "tainted". A second class, "TaintedString", derives from "Tainted" and is the class that actually taints or un-taints a concrete string value.
Tainted class contains the following functions:
- is: This function reports whether the string is marked as "tainted". If it is, any other code that uses this value must treat it with care before using it.
- contaminate: This function marks the string as "tainted". If the user passes a string to this function, the string is flagged, and any future use of it will generate a warning, so developers must handle it carefully.
- decontaminate: This function does the exact opposite of "contaminate()". It clears the field that marks this particular string as "tainted". Once a string is un-tainted it can be used without further checks and is considered safe for all purposes; the developer is responsible for sanitizing the value before calling it.
TaintedString class contains the following functions:
- __construct: As the constructor of this class, this function stores the string on which the whole class operates. It takes the user-supplied string and simply keeps it for future use.
- __toString: This function implements PHP's __toString magic method, which is invoked whenever the object is converted to a string. Through it, using a still-tainted string triggers an error that warns the developer about the use of this string.
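The following sketch is an added illustration of the design described above and is not the PHPSEC library's own code: it assumes a boolean flag on the base class, a TaintedString that treats every constructed value as tainted until decontaminate() is called, and trigger_error() as the mechanism behind the warning. The sample input is a constructed string standing in for a request parameter.

```php
<?php
// Illustrative sketch of the Tainted / TaintedString design (not the
// PHPSEC library's own code). Assumptions: a boolean $tainted flag,
// values are tainted from construction, and the warning is raised with
// trigger_error() from __toString.

abstract class Tainted
{
    // Assumed flag: true while the value is still considered untrusted.
    protected $tainted = true;

    // Report whether the value is still marked as tainted.
    public function is()
    {
        return $this->tainted;
    }

    // Mark the value as untrusted.
    public function contaminate()
    {
        $this->tainted = true;
        return $this;
    }

    // Clear the flag. Only the developer's sanitization code should call
    // this, after the value has actually been made safe for its sink.
    public function decontaminate()
    {
        $this->tainted = false;
        return $this;
    }
}

class TaintedString extends Tainted
{
    private $value;

    // Store the raw value; it is tainted until explicitly decontaminated.
    public function __construct($value)
    {
        $this->value = (string) $value;
        $this->contaminate();
    }

    // Magic method invoked on string conversion: warn if still tainted.
    public function __toString()
    {
        if ($this->is()) {
            trigger_error('Use of tainted string', E_USER_WARNING);
        }
        return $this->value;
    }
}

// Constructed input standing in for an untrusted request parameter.
$raw  = '<b onmouseover="x()">name</b>';
$name = new TaintedString($raw);

// Using the value directly raises E_USER_WARNING: it is still tainted.
echo "Hello " . $name . "\n";

// Sanitize for the HTML sink, then clear the flag; no warning this time.
$clean = new TaintedString(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));
$clean->decontaminate();
echo "Hello " . $clean . "\n";
var_dump($name->is(), $clean->is());   // bool(true), bool(false)
```

The warning fires at the point of use rather than at assignment, which is what makes the flag useful for review: an error handler or log that records E_USER_WARNING shows exactly which concatenation, echo or query built a string from untrusted data without passing through a sanitizer first.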