Superglobals Sanitization against SQL injection and XSS
Date
2016
Publisher
Al-Neelain University - Faculty of Graduate Studies
Abstract
SQL injection attacks exploit insufficient validation of input data to trick PHP applications into executing unintended queries, which lets attackers bypass login screens and read, update, alter, create, or even delete sensitive data stored in the backend database. Cross-site scripting (XSS) exploits the same weakness to access sensitive page contents, session cookies, and a variety of other information the browser retains on behalf of the user. This problem can be addressed by static source code analysis that detects taintable points in the code before the application is deployed on the web. In this paper, we present a novel technique that reads a PHP source code file line by line and uses regular expressions to precisely locate the superglobals that hold form parameters, request details, cookies and session information, and that automatically adds a user-defined function named sanitizer to the source code. The sanitizer receives the superglobal values and sanitizes them against SQL injection and XSS. We implemented our approach in a simple tool called SQL Injection-XSS Sanitizer. Our results show that the tool is capable of protecting PHP applications against untrusted input data at a high rate.
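As an added example, not code from the thesis or its tool: a Python rewriter that performs the line-by-line, regex-driven pass the abstract describes over a constructed PHP login handler, inserting a sanitizer() definition and wrapping superglobal reads. The sanitizer body and the skip rules for assignment targets and isset/empty/unset are assumptions, since the abstract does not specify them.

```python
import re

# Constructed PHP sanitizer that the rewriter inserts after the opening tag.
# The abstract gives no function body, so this is an assumed stand-in:
# htmlspecialchars() for XSS, addslashes() for SQL quoting. Parameterised
# queries remain the stronger SQL defence for code you can still change.
SANITIZER_PHP = """\
function sanitizer($value) {
    if (is_array($value)) { return array_map('sanitizer', $value); }
    return addslashes(htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8'));
}"""

# Superglobals carrying form parameters, request details, cookies, sessions.
SUPERGLOBAL_RE = re.compile(r"\$(?:_GET|_POST|_REQUEST|_COOKIE|_SESSION)\[[^\[\]]*\]")

def wrap_superglobals(line: str) -> str:
    """Wrap each superglobal read on one line in sanitizer(...).
    Skipped (assumed rules): assignment targets such as $_SESSION['u'] = ...,
    arguments of isset/empty/unset (wrapping them is a PHP fatal error),
    and uses that are already wrapped, so the pass is safe to run twice."""
    def repl(m):
        before, after = line[:m.start()], line[m.end():]
        if re.search(r"(?:sanitizer|isset|empty|unset)\(\s*$", before):
            return m.group(0)
        if re.match(r"\s*=(?!=)", after):   # '=' but not '=='
            return m.group(0)
        return f"sanitizer({m.group(0)})"
    return SUPERGLOBAL_RE.sub(repl, line)

def instrument_php(source: str) -> str:
    """Line-by-line pass over a PHP file: add sanitizer() once after '<?php'
    and wrap superglobal reads. Returns the rewritten source."""
    out, added = [], "function sanitizer(" in source
    for line in source.splitlines():
        out.append(wrap_superglobals(line))
        if not added and line.strip().startswith("<?php"):
            out.append(SANITIZER_PHP)
            added = True
    return "\n".join(out) + "\n"

# Constructed sample input: a login handler with typical untrusted reads.
SAMPLE_PHP = """<?php
session_start();
if (isset($_POST['user'])) {
    $sql = "SELECT * FROM users WHERE name='" . $_POST['user'] . "'";
    $_SESSION['last'] = $_POST['user'];
    echo "Hello " . $_SESSION['last'] . " from " . $_COOKIE['ref'];
}
"""

if __name__ == "__main__":
    print(instrument_php(SAMPLE_PHP))
```

Running it prints the rewritten handler; the isset() test and the session assignment target are left untouched while every other superglobal read is wrapped.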