
PHP Aspis: using partial taint tracking to protect against injection attacks

Papagiannis, Ioannis and Migliavacca, Matteo and Pietzuch, Peter (2011) PHP Aspis: using partial taint tracking to protect against injection attacks. In: WebApps'11 Proceedings of the 2nd USENIX conference on Web application development. USENIX Association, Berkeley, California, USA, pp. 13-24. ISBN 978931971867.



Web applications are increasingly popular victims of security attacks. Injection attacks, such as Cross Site Scripting or SQL Injection, are a persistent problem. Even though developers are aware of them, the suggested best practices for protection are error prone: unless all user input is consistently filtered, any application may be vulnerable. When hosting web applications, administrators face a dilemma: they can only deploy applications that are trusted, or they risk their system’s security. To prevent injection vulnerabilities, we introduce PHP Aspis: a source code transformation tool that applies partial taint tracking at the language level. PHP Aspis augments values with taint meta-data to track their origin in order to detect injection vulnerabilities. To improve performance, PHP Aspis carries out taint propagation only in an application’s most vulnerable parts: third-party plugins. We evaluate PHP Aspis with Wordpress, a popular open source weblog platform, and show that it prevents all code injection exploits that were found in Wordpress plugins in 2010.
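The abstract describes three ideas: values carry taint meta-data naming their origin, that meta-data propagates through string operations, and propagation is only performed in the untrusted part of the application (plugins) while values from the trusted core enter untainted. The following is an added illustration of that model in plain PHP; it is not PHP Aspis's code and does not reproduce the paper's transformation or its taint granularity. The `Tainted` class and the `taint_source`, `lift`, `taint_concat`, `taint_sanitize` and `guarded_sink` helpers are assumed names standing in for the operators a source transformation would rewrite, taint is tracked per value rather than per character, and the request value is constructed for the example.

```php
<?php
// Added example (not the paper's code): a minimal model of language-level
// taint tracking. The helper functions below stand in for the operators
// that a tool like PHP Aspis would rewrite inside plugin code.

final class Tainted
{
    public $value;    // the plain PHP string
    public $origins;  // untrusted origins that contributed to this value

    public function __construct(string $value, array $origins = [])
    {
        $this->value = $value;
        $this->origins = array_values(array_unique($origins));
    }

    public function isTainted(): bool
    {
        return count($this->origins) > 0;
    }
}

// Source: what transformed plugin code reads instead of raw $_GET / $_POST.
function taint_source(string $raw, string $origin): Tainted
{
    return new Tainted($raw, [$origin]);
}

// Partial tracking: values coming from the untracked (trusted) core are
// plain strings and enter the tracked region with no taint.
function lift($v): Tainted
{
    return $v instanceof Tainted ? $v : new Tainted((string) $v, []);
}

// Replacement for the '.' operator: taint is the union of the operands' taint.
function taint_concat(...$parts): Tainted
{
    $value = '';
    $origins = [];
    foreach ($parts as $p) {
        $t = lift($p);
        $value .= $t->value;
        $origins = array_merge($origins, $t->origins);
    }
    return new Tainted($value, $origins);
}

// A sanitizer registered for a sink class clears the taint of its result.
function taint_sanitize(callable $sanitizer, $v): Tainted
{
    return new Tainted($sanitizer(lift($v)->value), []);
}

// Guarded sink: the underlying sink only ever receives untainted data.
function guarded_sink(string $sinkName, $v): string
{
    $t = lift($v);
    if ($t->isTainted()) {
        throw new RuntimeException(sprintf(
            'Blocked %s: data tainted by %s', $sinkName, implode(', ', $t->origins)));
    }
    return $t->value;
}

// Plugin code as it would look after transformation: the string literals are
// trusted, the search term is whatever the plugin was handed.
function plugin_build_query($search): string
{
    $q = taint_concat("SELECT id FROM posts WHERE title LIKE '%", $search, "%'");
    return guarded_sink('mysql_query', $q);
}

// Constructed request input standing in for $_GET['q'].
$userInput = taint_source("' OR '1'='1", 'GET:q');

try {
    plugin_build_query($userInput);            // unsanitized: the sink is blocked
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// 'addslashes' is only a stand-in sanitizer for the example; a real deployment
// would register a sink-specific escaper or use prepared statements.
$escaped = taint_sanitize('addslashes', $userInput);
echo plugin_build_query($escaped), "\n";      // sanitized: the query reaches the sink
```

Running this prints the blocked-sink message for the raw input and the escaped query for the sanitized one. The detection decision is made at the sink from the origin list alone, which is why the approach does not depend on every intermediate filter being applied correctly; the cost of carrying the meta-data is confined to code that goes through `lift`, `taint_concat` and friends, which in the paper's setting is only the plugin code.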

Item Type: Book section
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Faculties > Sciences > School of Computing > Security Group
Faculties > Sciences > School of Computing > Data Science
Depositing User: Matteo Migliavacca
Date Deposited: 23 Oct 2012 20:42 UTC
Last Modified: 24 Jan 2020 04:04 UTC