School of Computer and Information Science, Edith Cowan University, Perth, Western Australia
Cross-Site Scripting (XSS) and SQL injection are the top vulnerabilities found in web applications. Attacks to these vulnerabilities could have been minimised through placing a good filter before the web application processes the malicious strings. However adversaries could craft variations on the attack strings in such a way that they do not get filtered. Checking through all of the possible attack strings was tedious and causes the web application performance to degrade. In this paper, we propose the use of a hash map as a data structure to address the issue. We implemented a proof-of-concept filter which we tested through an open-source web application to show that such filter could sanitise some attack strings that otherwise were too tedious to detect. Our evaluation included comparing the proposed solution with other existing ones such as prepared statements, input length limitation, white list and black list input validation; our proposed solution performed the most efficient.