Automated Discovery of JavaScript Code Injection Attacks in PHP Web Applications

Abstract

This paper discussed some of the performance issues in the existing defensive solutions of Java Script injection attacks (e.g. Cross-Site Scripting (XSS) attacks). Moreover, a high level of comparison for such existing solutions has been done based on some useful metrics. Based on the identified performance issues, this paper proposed an automated detection system, which scans the numerous possible locations of web sites for JavaScript injection vulnerabilities. Our detection system, firstly, scans the web site for discovering the injection locations. Secondly, it injects the malicious XSS attack vectors in such injection points. Lastly, it takes an input as the list of different XSS attacks exploited in the second step and scan for these attacks in the vulnerable web application. Detection capability of our automated system is evaluated on a real world PHP web application i.e. BlogIt and results obtained are very promising.