Friday, May 5 • 9:00am - 10:00am
Eliminating XSS in PHP: Applying Context-Sensitive Auto-Sanitization to the PHP Programming Language


Cross-Site Scripting (XSS) has been a problem in the modern web dating back to the earliest instances of dynamic web pages. XSS arises when programmers of web applications improperly sanitize user input, which allows malicious or otherwise undesirable input to be inserted into the business logic of the vulnerable application. Though sanitization routines provided by programming languages can prevent these attacks in most cases, they only work if programmers remember to wrap user inputs in these routines. Worse yet, the standard HTML sanitization routines of certain web frameworks (such as PHP) may not be enough to prevent XSS in all contexts. Context-sensitive auto-sanitization (CSAS) seeks to remedy this issue by automatically sanitizing untrusted data for the context in which it is output. While many modern web frameworks provide good protection against XSS, there are few options for existing PHP codebases. In this paper, we present our open-source work sponsored by Cisco Systems to implement CSAS in PHP as a PHP extension that has seen positive results in preventing XSS in PHP web applications automatically and with minimal overhead. It is additionally compatible with PHP 7 and recent versions of WordPress, MediaWiki, RoundCube Webmail, and other widely used PHP web applications. Join us for a riveting story of the turbulent past of PHP applications' numerous XSS vulnerabilities, and witness the beginning of a future of PHP web applications without XSS.
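The abstract's central claim is that one HTML escaping routine is not enough because the same untrusted string lands in different output contexts (HTML text, attribute value, URL attribute, JavaScript string). The following PHP script is an added illustration of that point, not code from the talk or from the CSAS extension it describes; the context constants, the `escapeFor()` helper, and the sample inputs are all constructed for this example. It contrasts a one-size-fits-all `htmlspecialchars()` call using PHP's historical default flags (`ENT_COMPAT`, which was the default before PHP 8.1 and does not touch single quotes) with an escaper that picks its routine from the output context, which is what an auto-sanitizer decides for the programmer.

```php
<?php
// Added example: a minimal context-sensitive escaper. It is not the CSAS
// extension described in the talk; names and sample inputs are constructed.
declare(strict_types=1);

const CTX_HTML_TEXT = 'html_text'; // between tags
const CTX_HTML_ATTR = 'html_attr'; // inside a quoted attribute value
const CTX_URL_ATTR  = 'url_attr';  // value of href/src
const CTX_JS_STRING = 'js_string'; // string literal inside <script>

// Baseline: what a programmer typically writes once and reuses everywhere.
// ENT_COMPAT was PHP's default before 8.1: it encodes < > & " but not '.
function escapeOneSizeFitsAll(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_COMPAT, 'UTF-8');
}

// Context-sensitive: the routine is chosen from where the value is emitted.
function escapeFor(string $context, string $untrusted): string
{
    switch ($context) {
        case CTX_HTML_TEXT:
        case CTX_HTML_ATTR:
            // ENT_QUOTES covers single- and double-quoted attributes alike.
            return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');

        case CTX_URL_ATTR:
            // No amount of character escaping neutralises a dangerous URL
            // scheme, so the scheme is checked first (simplified allow-list;
            // a production sanitizer would also normalise whitespace and
            // control characters), then the result is escaped as an attribute.
            $scheme = parse_url($untrusted, PHP_URL_SCHEME);
            if ($scheme === false) {
                return '#'; // unparseable: substitute a harmless link target
            }
            if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
                return '#';
            }
            return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');

        case CTX_JS_STRING:
            // json_encode yields a complete JS string literal; the HEX flags
            // encode < > & ' " as \uXXXX so the literal can neither terminate
            // the enclosing <script> nor escape the quotes around it.
            $out = json_encode($untrusted, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
            if ($out === false) {
                throw new RuntimeException('input is not valid UTF-8');
            }
            return $out;

        default:
            throw new InvalidArgumentException("unknown output context: $context");
    }
}

// Constructed sample inputs, one per context. doSomething() stands in for
// whatever script the injected text would try to run.
$samples = [
    CTX_HTML_TEXT => '<b>Hi</b> & "bye"',          // baseline is already safe here
    CTX_HTML_ATTR => "' onfocus='doSomething()",   // breaks a single-quoted attribute under ENT_COMPAT
    CTX_URL_ATTR  => 'javascript:doSomething()',   // scheme survives any character escaping
    CTX_JS_STRING => "'; doSomething(); //",       // closes a single-quoted JS literal under ENT_COMPAT
];

foreach ($samples as $ctx => $input) {
    printf("%-9s | one-size-fits-all: %s\n", $ctx, escapeOneSizeFitsAll($input));
    printf("%-9s | context-sensitive: %s\n\n", $ctx, escapeFor($ctx, $input));
}
```

Run with `php example.php`. For the `html_text` sample both columns agree, which is the case the baseline was written for; for the other three the baseline output still contains the unescaped single quote or the untouched scheme, while the context-aware column yields an inert attribute value, a neutral `#` link, or a self-contained JS literal. The point the abstract makes is that a developer must know the context at every output site to choose the right column; CSAS moves that decision into the runtime.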


Joseph R. Connor

Joseph is a Software Security Engineer at Cisco’s Advanced Security Initiatives Group. He graduated from the University of Tennessee, Knoxville in 2016 with a BS in Computer Science. He also co-founded and led UT’s computer security organization, HackUTK.

Jared M. Smith

Security Researcher, Oak Ridge National Laboratory
Jared is a Cyber Security Research Scientist at Oak Ridge National Laboratory, where he leads several projects on the Systems Security Research Team. He is currently working on his PhD in Computer Science at the University of Tennessee, Knoxville, where he also received his BS in...

Friday May 5, 2017 9:00am - 10:00am EDT
KEC 17 Market Square #101, Knoxville, TN 37902