SAP / project-foxhound

A web browser with dynamic data-flow tracking enabled in the Javascript engine and DOM, based on Mozilla Firefox (https://github.com/mozilla/gecko-dev). It can be used to identify insecure data flows or data privacy leaks in client-side web applications.
GNU General Public License v3.0

Foxhound: Don't add duplicate taint operations #207

Open tmbrbr opened 8 months ago

tmbrbr commented 8 months ago

Don't add a new TaintNode if the operation is the same (i.e. same Operation, Arguments and Location) as the previous operation. This way, we only add a single operation in e.g. a for loop.

leeN commented 8 months ago

The changes generally look perfectly fine; I'm wondering whether we might lose information that could be interesting.

If I understand it correctly, if we repeatedly perform the same operation, we won't add this anymore.

Say, and this is somewhat contrived, we have code like this:

let foo = location.hash;              // tainted source
for (let i = 0; i < 3; i++) {         // same operation, arguments and location on every iteration
  foo = decodeURIComponent(foo);
}

If, for example, we do not do URI encoding, the taint flow only has 1 decode operation. It might be possible to encode several times to end up with an XSS payload after this loop, which we would not be able to find anymore, right?

tmbrbr commented 8 months ago

Good catch, perhaps we can add a counter to the taint operations to keep track of this.