String Context Sensitivity = Precise OpenRedirect, XSS and SSRF for Java, C#, PHP, JS/TS


We are really happy to announce that we improved the accuracy of four of our taint analysis rules for Java, C#, PHP, JS/TS:

  • Open Redirect (S5146),
  • XSS (S5131 and S5696)
  • SSRF (S5144)

The Problem

These rules should raise a vulnerability only when a specific part of the url/request is user-controlled.
Let’s take a closer look at the Open Redirect case to better illustrate the problem we were facing before.

An URL can be split into these parts:

Your software can allow a user input to control the value of one of these parts. Until today, when a user input was part of a URL and when that URL string was given as a parameter of a “redirect” function, we were raising an Open Redirect vulnerability. Here is an example of such (false-positive) vulnerability in C#:

This was a good enough first approximation but not enough for us. While reviewing a lot of Open Redirect vulnerabilities raised on open-source projects, we realized that 25% of them were false-positives and not exploitable.
Actually it’s only when the host part of the URL is user-controlled that you can have an exploitable Open Redirect vulnerability.

The Solution: String Context Sensitivity

In order to be more accurate and no longer raise these false-positives, it was required to precisely know where the tainted user inputs are concatenated and used in the sink methods.
For this we introduced a new technology in our SAST engine that we call “String Context Sensitivity”. This essentially allows us to detect the string context of a tainted value that flows into a sink, and decide whether or not an issue should be raised accordingly.
Don’t be surprised if you see some of your vulnerabilities being closed automatically at your next analysis. That’s expected, they were just false-positives better handled today thanks to this change.

You will definitely hear more about this technology in the future because we expect to implement it for Python and also on other vulnerability types such as SQL Injection.

This is available now on SonarCloud and will be included in SonarQube 9.0 Developer Edition.