PHP Aspis: using partial taint tracking to protect against injection attacks

Papagiannis, Ioannis and Migliavacca, Matteo and Pietzuch, Peter (2011) PHP Aspis: using partial taint tracking to protect against injection attacks. In: WebApps '11: Proceedings of the 2nd USENIX Conference on Web Application Development, June 15-16, 2011, Portland, Oregon, USA.



Web applications are increasingly popular victims of security attacks. Injection attacks, such as Cross-Site Scripting or SQL Injection, are a persistent problem. Even though developers are aware of them, the suggested best practices for protection are error prone: unless all user input is consistently filtered, any application may be vulnerable. When hosting web applications, administrators face a dilemma: they can either deploy only applications that they trust, or they risk their system's security. To prevent injection vulnerabilities, we introduce PHP Aspis: a source code transformation tool that applies partial taint tracking at the language level. PHP Aspis augments values with taint meta-data that tracks their origin, so that injection vulnerabilities can be detected. To improve performance, PHP Aspis carries out taint propagation only in an application's most vulnerable parts: third-party plugins. We evaluate PHP Aspis with WordPress, a popular open source weblog platform, and show that it prevents all code injection exploits that were found in WordPress plugins in 2010.

Item Type: Conference or workshop item (Paper)
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming
Divisions: Faculties > Sciences > School of Computing > Security Group
Faculties > Sciences > School of Computing > Data Science
Depositing User: Matteo Migliavacca
Date Deposited: 23 Oct 2012 20:42 UTC
Last Modified: 30 Jun 2017 04:48 UTC