research-article

Saving the world wide web from vulnerable JavaScript

Authors:

Salvatore Guarnieri,

Stephen Teilhet,

Ryan BergAuthors Info & Claims

ISSTA '11: Proceedings of the 2011 International Symposium on Software Testing and Analysis

Pages 177 - 187

https://doi.org/10.1145/2001420.2001442

Published: 17 July 2011 Publication History

Abstract

JavaScript is the most popular client-side scripting language for Web applications. Exploitable JavaScript code exposes end users to integrity and confidentiality violations. Client-side vulnerabilities can cost an enterprise money and reputation, and cause serious damage to innocent users of the Web application. In spite of all this, recent research in the area of information-flow security has focused more on other languages that are more suitable for server-side programming, such as Java.

Static analysis of JavaScript code is very challenging due to the dynamic nature of the language. This paper presents Actarus, a novel, product-quality static taint analysis for JavaScript that scales to large programs and soundly models all the JavaScript constructs with the exception of reflective calls. This paper discusses the experimental results obtained by running Actarus on a collection of 9,726 Web pages obtained by crawling the 50 most visited Web sites worldwide as well as 19 other popular Web sites. The results expose 526 vulnerabilities in 11 sites. Those vulnerabilities, if exploited, can allow malicious JavaScript code execution.

References

[1]

L. O. Andersen. Program Analysis and Specialization for the C Programming Language. PhD thesis, University of Copenhagen, Copenhagen, Denmark, 1994.

[2]

K. Ashcraft and D. Engler. Using Programmer-Written Compiler Extensions to Catch Security Holes. In S&P, 2002.

Digital Library

[3]

D. F. Bacon and P. F. Sweeney. Fast Static Analysis of C++ Virtual Function Calls. In OOPSLA, 1996.

Digital Library

[4]

S. Bandhakavi, S. T. King, P. Madhusudan, and M. Winslett. VEX: Vetting Browser Extensions for Security Vulnerabilities. In USENIX Security, 2010.

Digital Library

[5]

W. Chang, B. Streiff, and C. Lin. Efficient and Extensible Security Enforcement Using Dynamic Data Flow Analysis. In CCS, 2008.

Digital Library

[6]

R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged Information Flow for JavaScript. In PLDI, 2009.

Digital Library

[7]

R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Efficiently Computing Static Single Assignment Form and the Control Dependence Graph. TOPLAS, 13(4), 1991.

Digital Library

[8]

J. Dean, D. Grove, and C. Chambers. Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis. In ECOOP, 1995.

Digital Library

[9]

D. E. Denning. A Lattice Model of Secure Information Flow. CACM, 19(5), 1976.

Digital Library

[10]

D. E. Denning and P. J. Denning. Certification of Programs for Secure Information Flow. CACM, 20(7), 1977.

Digital Library

[11]

A. Deutsch. A Storeless Model of Aliasing and Its Abstractions Using Finite Representations of Right-regular Equivalence Relations. In ICCL, 1992.

[12]

S. Fink, E. Yahav, N. Dor, G. Ramalingam, and E. Geay. Effective Typestate Verification in the Presence of Aliasing. In ISSTA, 2006.

Digital Library

[13]

J. S. Foster, T. Terauchi, and A. Aiken. Flow-Sensitive Type Qualifiers. In PLDI, 2002.

Digital Library

[14]

J. A. Goguen and J. Meseguer. Security Policies and Security Models. In S&P, 1982.

[15]

D. Grove and C. Chambers. A Framework for Call Graph Construction Algorithms. TOPLAS, 23(6), 2001.

Digital Library

[16]

S. Guarnieri and B. Livshits. GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for Javascript Code. In USENIX Security, 2009.

Digital Library

[17]

A. Guha, S. Krishnamurthi, and T. Jim. Using Static Analysis for Ajax Intrusion Detection. In WWW, 2009.

Digital Library

[18]

C. Hammer, J. Krinke, and G. Snelting. Information Flow Control for Java Based on Path Conditions in Dependence Graphs. In S&P, 2006.

[19]

O. Lhoták and L. J. Hendren. Context-Sensitive Points-to Analysis: Is It Worth It? In CC, 2006.

[20]

V. B. Livshits and M. S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. In USENIX Security, 2005.

Digital Library

[21]

S. Maffeis, J. C. Mitchell, and A. Taly. Isolating JavaScript with Filters, Rewriting and Wrappers. In ESORICS, 2009.

Digital Library

[22]

Y. Minamide. Static Approximation of Dynamically Generated Web Pages. In WWW, 2005.

Digital Library

[23]

A. C. Myers. JFlow: Practical Mostly-static Information Flow Control. In POPL, 1999.

Digital Library

[24]

A. C. Myers and B. Liskov. A Decentralized Model for Information Flow Control. In SOSP, 1997.

Digital Library

[25]

J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In NDSS, 2005.

[26]

T. Reps, S. Horwitz, and M. Sagiv. Precise Interprocedural Dataflow Analysis via Graph Reachability. In POPL, 1995.

Digital Library

[27]

G. Richards, S. Lebresne, B. Burg, and J. Vitek. An Analysis of the Dynamic Behavior of JavaScript Programs. In PLDI, 2010.

Digital Library

[28]

B. G. Ryder. Dimensions of Precision in Reference Analysis of Object-Oriented Languages. In CC, 2003. Invited Paper.

Digital Library

[29]

P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A Symbolic Execution Framework for JavaScript. In IEEE Symposium on Security and Privacy, pages 513--528, 2010.

Digital Library

[30]

P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In NDSS, 2010.

[31]

U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting Format String Vulnerabilities with Type Qualifiers. In USENIX Security, 2001.

Digital Library

[32]

O. Shivers. Control-Flow Analysis of Higher-Order Languages or Taming Lambda. PhD thesis, Carnegie Mellon University, Pittsburgh, PA, USA, 1991.

Digital Library

[33]

G. Snelting, T. Robschink, and J. Krinke. Efficent Path Conditions in Dependence Graphs for Software Safety Analysis. TOSEM, 15(4), 2006.

Digital Library

[34]

M. Sridharan, S. J. Fink, and R. Bodík. Thin Slicing. In PLDI, 2007.

Digital Library

[35]

O. Tripp, M. Pistoia, S. J. Fink, M. Sridharan, and O. Weisman. TAJ: Effective Taint Analysis of Web Applications. In PLDI, 2009.

Digital Library

[36]

P. Vogt, F. Nentwich, N. Jovanovich, E. Kirda, C. Kruegel, and G. Vigna. Cross-site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In NDSS, 2007.

[37]

D. Volpano, C. Irvine, and G. Smith. A Sound Type System for Secure Flow Analysis. JCS, 4(2--3), 1996.

Digital Library

[38]

G. Wassermann and Z. Su. Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. In PLDI, 2007.

Digital Library

[39]

G. Wassermann and Z. Su. Static Detection of Cross-site Scripting Vulnerabilities. In ICSE 2008, 2008.

Digital Library

[40]

J. Whaley and M. S. Lam. Cloning Based Context-Sensitive Pointer Alias Analysis Using Binary Decision Diagrams. In PLDI, 2004.

Digital Library

[41]

D. Yu, A. Chander, N. Islam, and I. Serikov. JavaScript Instrumentation for Browser Security. In POPL, 2007.

Digital Library

Cited By

Wang YFan MLiu JTao JJin WWang HXiong QLiu T(2024)Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-AppIEEE Transactions on Software Engineering10.1109/TSE.2024.347928850:12(3225-3248)Online publication date: 1-Dec-2024
https://dl.acm.org/doi/10.1109/TSE.2024.3479288
Pujar SZheng YBuratti LLewis BChen YLaredo JMorari AEpstein ELin TYang BSu Z(2024)Analyzing source code vulnerabilities in the D2A dataset with ML ensembles and C-BERTEmpirical Software Engineering10.1007/s10664-023-10405-929:2Online publication date: 22-Feb-2024
https://doi.org/10.1007/s10664-023-10405-9
Lončarević SSkendrović BKovačević IGroš S(2023)Detecting JavaScript libraries using identifiers and hashes2023 46th MIPRO ICT and Electronics Convention (MIPRO)10.23919/MIPRO57284.2023.10159971(1246-1251)Online publication date: 22-May-2023
https://doi.org/10.23919/MIPRO57284.2023.10159971
Show More Cited By

Index Terms

Saving the world wide web from vulnerable JavaScript

Recommendations

On evaluating and securing firefox for Android browser extensions
MOBILESoft 2014: Proceedings of the 1st International Conference on Mobile Software Engineering and Systems

Unsafely or maliciously coded extensions allow an attacker to run their own code in the victim's browser with elevated privileges. This gives the attacker a large amount of control over not only the browser but the underlying machine as well. The topic ...
Javascript for the World Wide Web: Visual QuickStart Guide
Analyzing Information Flow in JavaScript-Based Browser Extensions
ACSAC '09: Proceedings of the 2009 Annual Computer Security Applications Conference

JavaScript-based browser extensions (JSEs) enhance the core functionality of web browsers by improving their look and feel, and are widely available for commodity browsers. To enable a rich set of functionalities, browsers typically execute JSEs with ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ISSTA '11: Proceedings of the 2011 International Symposium on Software Testing and Analysis

July 2011

394 pages

ISBN:9781450305624

DOI:10.1145/2001420

General Chair:
Matthew Dwyer
University of Nebraska
,
Program Chair:
Frank Tip
IBM T.J. Watson Research Center

Copyright © 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

In-Cooperation

SIGPLAN: ACM Special Interest Group on Programming Languages

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 July 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ISSTA '11

Sponsor:

SIGSOFT

ISSTA '11: International Symposium on Software Testing and Analysis

July 17 - 21, 2011

Ontario, Toronto, Canada

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Upcoming Conference

ISSTA '25

Sponsor:
sigsoft

34th ACM SIGSOFT International Symposium on Software Testing and Analysis

June 25 - 28, 2025

Trondheim , Norway

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

112
Total Citations
View Citations
1,271
Total Downloads

Downloads (Last 12 months)70
Downloads (Last 6 weeks)8

Reflects downloads up to 25 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Wang YFan MLiu JTao JJin WWang HXiong QLiu T(2024)Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-AppIEEE Transactions on Software Engineering10.1109/TSE.2024.347928850:12(3225-3248)Online publication date: 1-Dec-2024
https://dl.acm.org/doi/10.1109/TSE.2024.3479288
Pujar SZheng YBuratti LLewis BChen YLaredo JMorari AEpstein ELin TYang BSu Z(2024)Analyzing source code vulnerabilities in the D2A dataset with ML ensembles and C-BERTEmpirical Software Engineering10.1007/s10664-023-10405-929:2Online publication date: 22-Feb-2024
https://doi.org/10.1007/s10664-023-10405-9
Lončarević SSkendrović BKovačević IGroš S(2023)Detecting JavaScript libraries using identifiers and hashes2023 46th MIPRO ICT and Electronics Convention (MIPRO)10.23919/MIPRO57284.2023.10159971(1246-1251)Online publication date: 22-May-2023
https://doi.org/10.23919/MIPRO57284.2023.10159971
Pagon VSkendrovć BKovačević IGroš S(2023)JavaScript Library Version Detection2023 46th MIPRO ICT and Electronics Convention (MIPRO)10.23919/MIPRO57284.2023.10159725(1240-1245)Online publication date: 22-May-2023
https://doi.org/10.23919/MIPRO57284.2023.10159725
Pinckney DCassano FGuha ABell JChandra SBlincoe KTonella P(2023)npm-follower: A Complete Dataset Tracking the NPM EcosystemProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3613094(2132-2136)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3613094
Zhao R(2023)FProbe: The Flow-Centric Detection and a Large-Scale Measurement of Browser Fingerprinting2023 32nd International Conference on Computer Communications and Networks (ICCCN)10.1109/ICCCN58024.2023.10230168(1-10)Online publication date: Jul-2023
https://doi.org/10.1109/ICCCN58024.2023.10230168
Meng SWang LWang SWang KXiao XBai GWang HBissyandé TKlein JBird CSarro F(2023)WeMinT: Tainting Sensitive Data Leaks in WeChat Mini-ProgramsProceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering10.1109/ASE56229.2023.00151(1403-1415)Online publication date: 11-Nov-2023
https://dl.acm.org/doi/10.1109/ASE56229.2023.00151
Hassanshahi BLee HKrishnan P(2022)Gelato: Feedback-driven and Guided Security Analysis of Client-side Web Applications2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER53432.2022.00079(618-629)Online publication date: Mar-2022
https://doi.org/10.1109/SANER53432.2022.00079
Berisford CBlackburn LOllett JTonner TYuen CWalton ROlayinka O(2022)Can gamification help to teach Cybersecurity?2022 20th International Conference on Information Technology Based Higher Education and Training (ITHET)10.1109/ITHET56107.2022.10031716(1-9)Online publication date: 7-Nov-2022
https://doi.org/10.1109/ITHET56107.2022.10031716
Sprecher SKerschbaumer CKirda E(2022)SoK: All or Nothing - A Postmortem of Solutions to the Third-Party Script Inclusion Permission Model and a Path Forward2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP53844.2022.00021(206-222)Online publication date: Jun-2022
https://doi.org/10.1109/EuroSP53844.2022.00021
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten