What is taint analysis?

Taint analysis is a technique used in information security to track how untrusted input (an HTTP parameter, a form field, a command-line argument, a file name supplied by a user) flows through a program, so that every place where such input reaches a security-sensitive operation can be identified. Its goal is to find weaknesses such as SQL injection (CWE-89), which arise when a program builds a query, command or other structured output from untrusted input without proper validation, escaping or parameterization.

Taint analysis is a key technique in static application security testing (SAST) tools for detecting the injection vulnerabilities listed in the OWASP Top 10.

How does taint checking work?

Taint checking can be performed at run time or statically on source code. Some language runtimes have had it built in: Perl's taint mode (enabled with the -T switch) marks data that comes from outside the program as tainted and refuses to pass it to unsafe operations, and Ruby offered Object#taint and tainted? until the mechanism was deprecated in Ruby 2.7 and removed in Ruby 3.2. SAST tools apply the same idea to code without executing it. In both cases the analysis starts from sources, the points where untrusted input enters the program. Variables that receive data from a source are marked tainted, and taint propagates to every value derived from them, whether through assignment, string concatenation, string formatting or being passed as a function argument. Following this trail, the analysis builds up the set of tainted values at each point in the program.

Finally, if a tainted value reaches a sink, a security-critical operation such as a database query, an OS command invocation, a file-system path or HTML output, the tool reports the potential vulnerability to the developer. Passing the value through a recognized sanitizer (HTML escaping, a cast to an integer, a match against an allow-list) clears the taint, and routing it only through a safe API such as a parameterized query avoids the dangerous sink altogether. The quality of the source, sink and sanitizer definitions therefore determines how many true and false positives the analysis produces.

What taint analysis detects

Taint analysis is particularly effective at finding:

  • SQL injection (CWE-89): user input reaching database queries
  • Command injection (CWE-78): user input reaching system calls or shell commands
  • Cross-site scripting (XSS, CWE-79): user input reaching HTML output
  • Path traversal (CWE-22): user input reaching file system operations

See also: SAST, Static Analysis, OWASP Top 10, CWE
