A Dynamic Technique for Enhancing the Security and Privacy of Web Applications presented at BlackHatDC 2007

by Ezequiel D. Gutesman, Ariel Waissbein,

URL : https://www.blackhat.com/presentations/bh-usa-07/Gutesman_Waissbein_and_Futoransky/Presentation/bh-usa-07-gutesman_futoransky_and_waissbein.pdf

Summary : Web applications are often preferred targets in today's threat landscape. Many widely deployed applications were developed in haste and are often riddled with SQL injection, file inclusion and cross-site scripting bugs, creating weak links in any Internet-exposed environment.
In this presentation, CoreLabs researchers Ezequiel Gutesman and Ariel Waissbein will address this issue by introducing a new application protection technology that efficiently identifies and blocks several attack vectors on the fly. The protection technique is based on very granular run-time taint analysis of an application's data and does not require access or changes to the application's source code.
Applications written in the most common web scripting languages, including PHP, ASP, Python, Perl and Java, can be protected using this technology to prevent database injection, shell injection, cross-site scripting and directory-traversal attacks. A fully functional implementation of the protection technique for PHP will be described in detail.
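How the character-granular run-time taint analysis described above can be realised, as an added Python sketch (not the CoreLabs PHP implementation the talk describes): each character carries a taint bit through concatenation, and the database sink refuses a query in which tainted bytes form anything other than the contents of a literal. The Tainted class, sql_sink_allows, build_lookup and the sink policy itself are this example's own assumptions.

```python
# Added toy illustration of character-granular run-time taint tracking with a
# SQL sink check; not the CoreLabs PHP implementation. The sink policy (tainted
# bytes may only be string-literal contents or digits) is this example's own.
from dataclasses import dataclass

@dataclass(frozen=True)
class Tainted:
    """A string with one taint bit per character (True = came from a request)."""
    text: str
    taint: tuple

    @classmethod
    def untrusted(cls, s):
        return cls(s, (True,) * len(s))

    @classmethod
    def trusted(cls, s):
        return cls(s, (False,) * len(s))

    def __add__(self, other):
        # Concatenation carries each character's taint bit along to the sink.
        if isinstance(other, str):
            other = Tainted.trusted(other)
        return Tainted(self.text + other.text, self.taint + other.taint)

def sql_sink_allows(q):
    """True if tainted bytes only form literal contents or digits, else False."""
    in_literal = False
    for ch, tainted in zip(q.text, q.taint):
        if ch == "'":
            if tainted:      # request data decided where a literal starts/ends
                return False
            in_literal = not in_literal
        elif tainted and not in_literal and not ch.isdigit():
            return False     # input became an operator, keyword or identifier
    return True

def build_lookup(name, user_id):
    """Constructed app code: query built by concatenation, checked at the sink."""
    q = (Tainted.trusted("SELECT * FROM users WHERE name = '") + name
         + "' AND id = " + user_id)
    return q.text, sql_sink_allows(q)

if __name__ == "__main__":
    # Constructed request values; the second and third are blocked at the sink.
    print(build_lookup(Tainted.untrusted("alice"), Tainted.untrusted("42")))
    print(build_lookup(Tainted.untrusted("' OR '1'='1"), Tainted.untrusted("1")))
    print(build_lookup(Tainted.untrusted("alice"), Tainted.untrusted("1 OR 1=1")))
```

The check runs on the final query string rather than on the input, which is why it needs no change to the application code that built the query.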