Eliminating XSS in PHP: Applying Context-Sensitive Auto-Sanitization to the PHP Programming Language presented at BSidesKnoxville 2017

by Joseph R. Connor and Jared M. Smith

Summary: Cross-Site Scripting (XSS) has been a problem in the modern web dating back to the earliest instances of dynamic web pages. XSS arises when programmers of web applications improperly sanitize user input, which allows malicious or otherwise undesirable input to be inserted into the business logic of the vulnerable application. Though sanitization routines provided by programming languages can prevent these attacks in most cases, they only work if programmers remember to wrap user inputs in these routines. Worse yet, the standard HTML sanitization routines of certain languages and frameworks (such as PHP) may not be enough to prevent XSS in all contexts. Context-sensitive auto-sanitization (CSAS) seeks to remedy this issue by automatically sanitizing untrusted data for the context in which it is output. While many modern web frameworks provide good protection against XSS, there are few options for existing PHP codebases. In this paper, we present our open-source work, sponsored by Cisco Systems, to implement CSAS in PHP as a PHP extension; it has shown positive results in preventing XSS in PHP web applications automatically and with minimal overhead. It is additionally compatible with PHP 7 and recent versions of WordPress, MediaWiki, RoundCube Webmail, and other widely used PHP web applications. Join us for a riveting story of the turbulent past of PHP applications' numerous XSS vulnerabilities, and witness the beginning of a future of PHP web applications without XSS.
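The context problem the summary describes, as an added example that is not code from the talk or its extension: a small escaper that picks the encoding by the output context, with two constructed inputs that a single HTML sanitizer leaves untouched. It assumes PHP 7.4+ with the mbstring extension; the function name, context labels and sample values are the editor's, not the extension's API.

```php
<?php
// Added example (not the talk's extension): a minimal context-sensitive escaper.
// Shows why htmlspecialchars() alone is not enough for every output context.
// Assumes PHP >= 7.4 with mbstring (for mb_ord).
declare(strict_types=1);

function escape_for(string $value, string $context): string
{
    switch ($context) {
        case 'html':   // text between tags
            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');

        case 'attr':   // attribute value; stays safe even if the attribute is unquoted
            return preg_replace_callback(
                '/[^\p{L}\p{N},._-]/u',
                fn(array $m): string => sprintf('&#x%X;', mb_ord($m[0], 'UTF-8')),
                $value
            );

        case 'js':     // inside <script>, emitted as a JS string literal with quotes
            return json_encode(
                $value,
                JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
            );

        case 'url':    // href/src: allow only known schemes, then attribute-escape
            $allowed = ['http', 'https', 'mailto'];
            if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $value, $m)
                && !in_array(strtolower($m[1]), $allowed, true)) {
                $value = '#'; // drop the URL rather than emit an unexpected scheme
            }
            return escape_for($value, 'attr');

        default:
            throw new InvalidArgumentException("unknown context: $context");
    }
}

// Constructed inputs (harmless, shaped to show what each escaper changes).
$name = 'alice onmouseover=x';   // spaces and '=' pass through htmlspecialchars()
$link = 'javascript:void(0)';     // the scheme is not touched by htmlspecialchars()

echo '<p>' . escape_for($name, 'html') . "</p>\n";
echo '<span data-user=' . escape_for($name, 'attr') . ">unquoted attr</span>\n";
echo '<script>var user = ' . escape_for($name, 'js') . ";</script>\n";
echo '<a href="' . escape_for($link, 'url') . '">link</a>' . "\n";
// Compare: htmlspecialchars($name) and htmlspecialchars($link) come back unchanged,
// so in the unquoted-attribute and href contexts above they would not be safe.
```

A CSAS implementation does the same selection automatically at each output point instead of relying on the programmer to call the right escaper.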