WebTaint: Dynamic Taint Tracking for Java-based Web Applications

University essay from KTH/School of Electrical Engineering and Computer Science (EECS)

Abstract: The internet is a source of information and it connects the world through a single platform. Many businesses have taken advantage of this to share information, communicate with customers, and create new business opportunities. This does not come without drawbacks, however, as there is an elevated risk of being targeted by attacks. This thesis implements a dynamic taint tracker, named WebTaint, to detect and prevent confidentiality and integrity vulnerabilities in Java-based web applications. We evaluated to what extent WebTaint can combat integrity vulnerabilities. The possible advantages and disadvantages of using the application are presented, together with an assessment of whether it could be integrated into production services. The results show that WebTaint helps to combat SQL Injection and Cross-Site Scripting attacks. However, it introduces additional time and memory overhead, so the implemented solution is not suitable for time- or memory-sensitive domains. WebTaint can be recommended for use in test environments, where security experts use the taint tracker to find TaintExceptions through manual and automatic attacks.
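The abstract describes the mechanism only in outline: untrusted request data is marked at a source, the mark survives string operations, and a TaintException is raised when marked data reaches a sink such as a SQL statement or the HTML response. The following Java program is an added illustration of that source/propagation/sink pattern written for this page; it is not WebTaint's code, and the TaintedString wrapper, the sanitizer names (htmlEscape, requireInteger) and the sink names are assumptions chosen for the example. The request parameters are constructed inline in place of HttpServletRequest.getParameter.

```java
import java.util.Objects;
import java.util.regex.Pattern;

/** Added example: dynamic taint tracking in miniature (source marks, propagation keeps, sink checks). */
public final class TaintDemo {

    /** Raised when tainted data reaches a security-sensitive sink without passing a sanitizer. */
    public static final class TaintException extends RuntimeException {
        public TaintException(String sink, String value) {
            super("tainted value reached sink " + sink + ": " + value);
        }
    }

    /** Hypothetical wrapper carrying a taint flag. Real trackers attach the flag to java.lang.String itself. */
    public static final class TaintedString {
        private final String value;
        private final boolean tainted;

        private TaintedString(String value, boolean tainted) {
            this.value = Objects.requireNonNull(value);
            this.tainted = tainted;
        }

        /** Source: anything read from an HTTP request is untrusted. */
        public static TaintedString fromRequest(String raw) { return new TaintedString(raw, true); }

        /** Program literals and constants are trusted. */
        public static TaintedString trusted(String literal) { return new TaintedString(literal, false); }

        public boolean isTainted() { return tainted; }
        public String value() { return value; }

        /** Propagation: the result is tainted if either operand is. */
        public TaintedString concat(TaintedString other) {
            return new TaintedString(value + other.value, tainted || other.tainted);
        }
    }

    /** Hypothetical sanitizer for the HTML sink: escaping the HTML metacharacters clears the taint. */
    public static TaintedString htmlEscape(TaintedString s) {
        String out = s.value().replace("&", "&amp;").replace("<", "&lt;")
                              .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#x27;");
        return TaintedString.trusted(out);
    }

    private static final Pattern INTEGER = Pattern.compile("-?\\d{1,10}");

    /** Hypothetical sanitizer for the SQL sink: a value proven to be an integer cannot alter the query. */
    public static TaintedString requireInteger(TaintedString s) {
        if (!INTEGER.matcher(s.value()).matches()) {
            throw new IllegalArgumentException("not an integer: " + s.value());
        }
        return TaintedString.trusted(s.value());
    }

    /** Sink standing in for java.sql.Statement.execute: refuse tainted queries before they run. */
    public static String executeSql(TaintedString query) {
        if (query.isTainted()) throw new TaintException("Statement.execute", query.value());
        return "executed: " + query.value();
    }

    /** Sink standing in for writing to the HTTP response body. */
    public static String writeHtml(TaintedString fragment) {
        if (fragment.isTainted()) throw new TaintException("HttpServletResponse.getWriter", fragment.value());
        return fragment.value();
    }

    public static void main(String[] args) {
        // Constructed request parameters: an SQL injection payload and an XSS payload.
        TaintedString id = TaintedString.fromRequest("1 OR 1=1");
        TaintedString name = TaintedString.fromRequest("<script>alert(1)</script>");

        TaintedString prefix = TaintedString.trusted("SELECT * FROM users WHERE id = ");
        try {
            executeSql(prefix.concat(id));                 // taint reaches the SQL sink
        } catch (TaintException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // Validation clears the taint, so the same query shape is allowed through.
        System.out.println(executeSql(prefix.concat(requireInteger(TaintedString.fromRequest("42")))));

        TaintedString open = TaintedString.trusted("<p>Hello ");
        TaintedString close = TaintedString.trusted("</p>");
        try {
            writeHtml(open.concat(name).concat(close));    // taint reaches the HTML sink
        } catch (TaintException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println(writeHtml(open.concat(htmlEscape(name)).concat(close)));
    }
}
```

Two points the example makes concrete. First, the tracker reports a TaintException only when a tainted value actually reaches a sink at runtime, so coverage depends on the attacks (manual or automatic) that are run against the application, which is why the abstract recommends it for test environments. Second, every string operation has to carry the flag along; in a real tracker that means instrumenting String, StringBuilder and the library methods that copy characters, and that per-operation bookkeeping is the source of the time and memory overhead the abstract reports.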
