DocumentCode
3673298
Title
Bypassing XSS Auditor: Taking advantage of badly written PHP code
Author
Anastasios Stasinopoulos;Christoforos Ntantogian;Christos Xenakis
Author_Institution
Department of Digital Systems, University of Piraeus, Greece
fYear
2014
Firstpage
290
Lastpage
295
Abstract
XSS attacks have become very common nowadays, due to bad-written PHP web applications. In order to provide users with rudimentary protection against XSS attacks most web browser vendors have developed built-in protection mechanisms, called XSS filters. In this paper, we analyze two attacks that take advantage of poorly written PHP code to bypass the XSS filter of WebKit engine named XSS Auditor and perform XSS attacks. In particular, the first attack is called PHP Array Injection, while the second attack is a variant of the first one and it is named as PHP Array-like Injection. Both attacks take advantage of improper management of variables and arrays in PHP code to bypass the XSS Auditor. We elaborate on these attacks by presenting concrete examples of poorly written PHP code and constructing attack vectors to bypass the XSS Auditor. To defend against the identified attacks, we provide proper code writing rules for developers, in order to build secure web applications. Additionally, we have managed to patch the XSS Auditor, so that it can detect our identified XSS attacks.
Keywords
"Engines","Mechanical factors","Rendering (computer graphics)","Reactive power","Encoding"
Publisher
ieee
Conference_Titel
Signal Processing and Information Technology (ISSPIT), 2014 IEEE International Symposium on
ISSN
2162-7843
Type
conf
DOI
10.1109/ISSPIT.2014.7300602
Filename
7300602
Link To Document