Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map

Authors

Erwin Adi, BINUS University, Indonesia
Irene Salomo, BINUS University, Indonesia

Document Type

Conference Proceeding

Publisher

School of Computer and Information Science, Edith Cowan University, Perth, Western Australia

Comments

8th Australian Information Security Mangement Conference, Edith Cowan University, Perth Western Australia, 30th November 2010

Abstract

Cross-Site Scripting (XSS) and SQL injection are the top vulnerabilities found in web applications. Attacks to these vulnerabilities could have been minimised through placing a good filter before the web application processes the malicious strings. However adversaries could craft variations on the attack strings in such a way that they do not get filtered. Checking through all of the possible attack strings was tedious and causes the web application performance to degrade. In this paper, we propose the use of a hash map as a data structure to address the issue. We implemented a proof-of-concept filter which we tested through an open-source web application to show that such filter could sanitise some attack strings that otherwise were too tedious to detect. Our evaluation included comparing the proposed solution with other existing ones such as prepared statements, input length limitation, white list and black list input validation; our proposed solution performed the most efficient.

DOI

10.4225/75/57b66ecc3477a