A dynamic technique for enhancing the security and privacy of web applications
Ariel Futoransky, Ezequiel Gutesman and Ariel Waissbein
Black Hat USA 2007 Briefings, August 1-2, 2007. Las Vegas, NV, USA

Web application security and privacy have become a central concern of the security community. The problems faced once an application is compromised demand special attention. The emerging programming languages, which allow inexperienced users to develop applications quickly, still fail to introduce mechanisms for preventing such compromises. We introduce a technique for enhancing the security and privacy of a web-based solution by augmenting its execution environment with tracking information that permits several attack scenarios to be identified and thwarted efficiently. The technique has been implemented to protect PHP and could be extended to protect other web-development languages (such as Java, ASP.NET, Python, Perl and Ruby). Typical exploitation methods such as database-injection attacks, shell-injection attacks, cross-site scripting attacks and directory-traversal attacks are prevented. Moreover, this technique prevents untrusted users from obtaining private data stored within the web application's network, thus deterring the theft of sensitive data such as credit card information, as well as averting information leakage.
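As an added illustration (not the paper's own implementation), the following Python model shows the core idea of attaching tracking information to data at runtime: per-character taint marks follow untrusted request data through string operations, and a database sink refuses any query in which tainted bytes take on a syntactic role. The `TStr` class, `endorse_int` and `sql_sink` are names and simplifications assumed for this example, not taken from the paper.

```python
# Added illustration (not the paper's code) of per-character taint tracking, the
# principle behind augmenting a runtime with tracking information. Assumed model:
# request data is tainted, program literals are not; taint survives concatenation
# and slicing; a database sink rejects untrusted bytes that play a syntactic role.

class TStr:
    """A string whose characters each carry a 'tainted' (came-from-user) flag."""

    def __init__(self, text, taint=None):
        self.text = text
        self.taint = list(taint) if taint is not None else [False] * len(text)

    @classmethod
    def untrusted(cls, text):
        """Wrap data read from the HTTP request: every byte is marked tainted."""
        return cls(text, [True] * len(text))

    def __add__(self, other):
        other = other if isinstance(other, TStr) else TStr(other)
        return TStr(self.text + other.text, self.taint + other.taint)

    def __radd__(self, other):  # handles  str + TStr
        return TStr(other) + self

    def __getitem__(self, idx):  # slicing keeps the per-character marks
        if isinstance(idx, slice):
            return TStr(self.text[idx], self.taint[idx])
        return TStr(self.text[idx], [self.taint[idx]])


def endorse_int(value):
    """Validation point: an untrusted value proven to be a plain integer is
    returned untainted, so it may be used outside a quoted literal."""
    if not value.text.isdigit():
        raise ValueError("expected an integer, got %r" % value.text)
    return TStr(value.text)


def sql_sink(query):
    """True if the query may run: under the model a tainted byte is allowed only
    inside a literal delimited by trusted quotes, and is never itself a quote
    or backslash (which would end or escape the literal)."""
    in_literal = False
    for ch, tainted in zip(query.text, query.taint):
        if tainted:
            if not in_literal or ch in "'\\":
                return False
        elif ch == "'":
            in_literal = not in_literal
    return True
```

A benign name concatenated between trusted quotes passes the sink, while a quote or a bare `OR 1=1` arriving from the request is refused regardless of how the query string was assembled; `endorse_int` shows how validation removes the marks so a checked number can be used in a numeric context.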