• DocumentCode
    3673298
  • Title

    Bypassing XSS Auditor: Taking advantage of badly written PHP code

  • Author

    Anastasios Stasinopoulos;Christoforos Ntantogian;Christos Xenakis

  • Author_Institution
    Department of Digital Systems, University of Piraeus, Greece
  • fYear
    2014
  • Firstpage
    290
  • Lastpage
    295
  • Abstract
    XSS attacks have become very common nowadays, due to bad-written PHP web applications. In order to provide users with rudimentary protection against XSS attacks most web browser vendors have developed built-in protection mechanisms, called XSS filters. In this paper, we analyze two attacks that take advantage of poorly written PHP code to bypass the XSS filter of WebKit engine named XSS Auditor and perform XSS attacks. In particular, the first attack is called PHP Array Injection, while the second attack is a variant of the first one and it is named as PHP Array-like Injection. Both attacks take advantage of improper management of variables and arrays in PHP code to bypass the XSS Auditor. We elaborate on these attacks by presenting concrete examples of poorly written PHP code and constructing attack vectors to bypass the XSS Auditor. To defend against the identified attacks, we provide proper code writing rules for developers, in order to build secure web applications. Additionally, we have managed to patch the XSS Auditor, so that it can detect our identified XSS attacks.
  • Keywords
    "Engines","Mechanical factors","Rendering (computer graphics)","Reactive power","Encoding"
  • Publisher
    ieee
  • Conference_Titel
    Signal Processing and Information Technology (ISSPIT), 2014 IEEE International Symposium on
  • ISSN
    2162-7843
  • Type

    conf

  • DOI
    10.1109/ISSPIT.2014.7300602
  • Filename
    7300602