  1. {
  2. "cells": [
  3. {
  4. "cell_type": "code",
  5. "execution_count": null,
  6. "metadata": {
  7. "collapsed": false,
  8. "deletable": true,
  9. "editable": true
  10. },
  11. "outputs": [],
  12. "source": [
  13. "from pprint import pprint\n",
  14. "from collections import defaultdict\n",
  15. "\n",
  16. "def approximate_taint_tracking(segment_size, input_partitions, output_partitions):\n",
  17. " input_segments = defaultdict(set) # map from input segment to input partition indexes\n",
  18. " output_segments = defaultdict(set) # map from output segment to output partition indexes\n",
  19. " partition_indexes_map = defaultdict(set) # map from input partition index to output partition indexes\n",
  20. " tainted_partitions = [] # list of TAINTED output partition and the input partition they are tainted by\n",
  21. " \n",
  22. " # build segments for input partitions (NOTE: range(len(partition) - segment_size) stops one window short, so the last segment_size characters of each partition are never indexed; len(partition) - segment_size + 1 would cover them)\n",
  23. " for partition_index, partition in enumerate(input_partitions):\n",
  24. " for i in range(len(partition) - segment_size):\n",
  25. " input_segments[partition[i:i + segment_size]].add(partition_index)\n",
  26. "\n",
  27. "\n",
  28. " # build segments for output partitions (same off-by-one as the input loop: the final window of each partition is skipped, so an output partition no longer than segment_size yields no segments at all)\n",
  29. " for partition_index, partition in enumerate(output_partitions):\n",
  30. " for i in range(len(partition) - segment_size):\n",
  31. " output_segments[partition[i:i + segment_size]].add(partition_index)\n",
  32. "\n",
  33. " # map input segments to output segments\n",
  34. " for segment in input_segments:\n",
  35. " for partition_index in input_segments[segment]:\n",
  36. " partition_indexes_map[partition_index].update(output_segments[segment])\n",
  37. "\n",
  38. " # mark input partitions that are TAINTED by multiple output partitions as injections\n",
  39. " for partition_index in partition_indexes_map:\n",
  40. " tainted_output_partitions = [output_partitions[output_partition_index] \n",
  41. " for output_partition_index \n",
  42. " in partition_indexes_map[partition_index]]\n",
  43. " \n",
  44. " # add tainted_output_partitions to tainted_partitions\n",
  45. " if tainted_output_partitions:\n",
  46. " tainted_partitions.append([\n",
  47. " # if more than one output partition is TAINTED by a single input partition, that input escaped its intended position: control was INJECTED\n",
  48. " 'INJECTED' if len(tainted_output_partitions) > 1 else 'TAINTED', \n",
  49. " input_partitions[partition_index], \n",
  50. " tainted_output_partitions,\n",
  51. " ])\n",
  52. " \n",
  53. " return tainted_partitions"
  54. ]
  55. },
  56. {
  57. "cell_type": "markdown",
  58. "metadata": {
  59. "deletable": true,
  60. "editable": true
  61. },
  62. "source": [
  63. "Example\n",
  64. "==\n",
  65. "\n",
  66. "JSON\n",
  67. "--\n",
  68. "\n",
  69. "raw input\n",
  70. "\n",
  71. "```JSON\n",
  72. "{\"email\": \"me@example.com\", \"password\": \"mYw0rd!3 OR '1'='1'\"}\n",
  73. "```\n",
  74. "\n",
  75. "partitioned input\n",
  76. "\n",
  77. "```python\n",
  78. "['me@example.com', 'mYw0rd!3 OR \\'1\\'=\\'1\\'']\n",
  79. "```\n",
  80. "SQL\n",
  81. "--\n",
  82. "\n",
  83. "raw output\n",
  84. "\n",
  85. "```SQL\n",
  86. "SELECT user_id\n",
  87. "FROM users\n",
  88. "WHERE users_email = me@example.com\n",
  89. "AND Users_pw = mYw0rd!3\n",
  90. "OR '1'='1';\n",
  91. "```\n",
  92. "\n",
  93. "partitioned output\n",
  94. "\n",
  95. "```python\n",
  96. "['user_id', 'users', 'users_email = me@example.com', 'Users_pw = mYw0rd!3', '\\'1\\'=\\'1\\'']\n",
  97. "```"
  98. ]
  99. },
  100. {
  101. "cell_type": "code",
  102. "execution_count": null,
  103. "metadata": {
  104. "collapsed": true,
  105. "deletable": true,
  106. "editable": true
  107. },
  108. "outputs": [],
  109. "source": [
  110. "json_partitions = ['me@example.com', 'mYw0rd!3 OR \\'1\\'=\\'1\\'']\n",
  111. "\n",
  112. "sql_partitions = ['user_id', 'users', 'users_email = me@example.com', 'Users_pw = mYw0rd!3', '\\'1\\'=\\'1\\'']"
  113. ]
  114. },
  115. {
  116. "cell_type": "markdown",
  117. "metadata": {
  118. "deletable": true,
  119. "editable": true
  120. },
  121. "source": [
  122. "Detecting both TAINTED and INJECTED outputs. An input partition that shares segments with exactly one output partition is reported as TAINTED (data flowed where expected); one that shares segments with more than one output partition is reported as INJECTED (the input spilled into a second position in the output, as the `OR '1'='1'` fragment does here)."
  123. ]
  124. },
  125. {
  126. "cell_type": "code",
  127. "execution_count": null,
  128. "metadata": {
  129. "collapsed": false,
  130. "deletable": true,
  131. "editable": true
  132. },
  133. "outputs": [],
  134. "source": [
  135. "pprint(approximate_taint_tracking(segment_size=5, input_partitions=json_partitions, output_partitions=sql_partitions))"
  136. ]
  137. },
  138. {
  139. "cell_type": "markdown",
  140. "metadata": {
  141. "deletable": true,
  142. "editable": true
  143. },
  144. "source": [
  145. "Tuning the false-positive / false-negative trade-off with segment sizing. Smaller segments match more coincidental substrings between unrelated partitions (more false positives); segments longer than an injected fragment can never match it, because only full-length windows are compared (more false negatives). Note that the matching is a fixed-size substring heuristic, not real data-flow tracking, so it cannot see transformations (encoding, escaping, case changes) applied between input and output."
  146. ]
  147. },
  148. {
  149. "cell_type": "code",
  150. "execution_count": null,
  151. "metadata": {
  152. "collapsed": false,
  153. "deletable": true,
  154. "editable": true,
  155. "scrolled": false
  156. },
  157. "outputs": [],
  158. "source": [
  159. "for i in range(1,15):\n",
  160. " print \"\\n\\nsegment_size={}\\n-\".format(i)\n",
  161. " pprint(approximate_taint_tracking(\n",
  162. " segment_size=i, \n",
  163. " input_partitions=json_partitions, \n",
  164. " output_partitions=sql_partitions,\n",
  165. " ))"
  166. ]
  167. },
  168. {
  169. "cell_type": "code",
  170. "execution_count": null,
  171. "metadata": {
  172. "collapsed": true,
  173. "deletable": true,
  174. "editable": true
  175. },
  176. "outputs": [],
  177. "source": []
  178. }
  179. ],
  180. "metadata": {
  181. "kernelspec": {
  182. "display_name": "Python 2",
  183. "language": "python",
  184. "name": "python2"
  185. },
  186. "language_info": {
  187. "codemirror_mode": {
  188. "name": "ipython",
  189. "version": 2
  190. },
  191. "file_extension": ".py",
  192. "mimetype": "text/x-python",
  193. "name": "python",
  194. "nbconvert_exporter": "python",
  195. "pygments_lexer": "ipython2",
  196. "version": "2.7.13"
  197. }
  198. },
  199. "nbformat": 4,
  200. "nbformat_minor": 2
  201. }