We analyze the source code of four well-known large web applications, namely WordPress, phpBB, phpMyAdmin and Drupal. Our goal is to quantify the level of language intermixing in modern web applications and, where possible, to categorize all coding idioms that intermix JavaScript with a server-side programming language such as PHP. Our analysis processes more than half a million lines of code and identifies about 1,000 scripts. In 163 of these scripts, the source code is mixed in a way that makes it hard to isolate JavaScript from PHP. We manually investigate all 163 scripts and classify them into five distinct classes. Our analysis can benefit any tool that operates on the client-side part of a web application, various XSS mitigation schemes, and code refactoring and optimization tools.