A measurement study of insecure JavaScript practices on the web

JavaScript is an interpreted programming language most often used for enhancing webpage interactivity and functionality. It has powerful capabilities to interact with webpage documents and browser windows; however, it has also opened the door for many browser-based security attacks. Insecure engineering practices of using JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risks of browser-based attacks. In this article, we present the first measurement study on insecure practices of using JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common at various websites: (1) at least 66.4% of the measured websites manifest the insecure practice of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) in JavaScript dynamic generation, using the document.write() method and the innerHTML property is much more popular than using the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators to reduce potential security risks.
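As an added illustration (not the paper's own measurement tooling), the following heuristic audit flags, in a constructed sample page, the three practices the abstract measures: external script inclusion in the top-level document, eval(), and document.write()/innerHTML versus DOM-based script element creation. The function name, the sample HTML and the plain hostname comparison are assumptions of this example.

```javascript
// Added example, not the paper's measurement code: heuristic static audit of one HTML
// document for the insecure practices the abstract measures. Regex-based, so it is a
// rough indicator (obfuscated or minified code can evade it), not a parser.
// Constructed sample page so the audit runs offline; the hosts are placeholders.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="//ads.example.org/track.js"></script>
<script>
  var cfg = eval("(" + json + ")");                 // dynamic code from a string
  document.write("<div>" + banner + "</div>");      // markup injected at parse time
  el.innerHTML = "<b>" + name + "</b>";             // markup injected into the DOM
  var s = document.createElement("script");         // safer: script element via DOM
  s.src = "/static/lazy.js";
  document.head.appendChild(s);
</script>
</head></html>`;

// Count occurrences of a global regex in a string.
function count(text, re) {
  return (text.match(re) || []).length;
}
// pageHost is the hostname of the audited page; an include is "external" when its
// hostname differs (a simplification: the paper's domain comparison may differ).
function auditScripts(html, pageHost) {
  const findings = { externalIncludes: [], sameDomainIncludes: [],
                     eval: 0, documentWrite: 0, innerHTML: 0, domScriptCreation: 0 };
  // 1) Script inclusion: every <script src=...> in the top-level document.
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const src = m[1];
    const host = new URL(src, `https://${pageHost}/`).hostname;
    (host === pageHost ? findings.sameDomainIncludes : findings.externalIncludes).push(src);
  }
  // 2) Dynamic generation inside inline scripts (those without a src attribute).
  const inlineRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    const body = m[1];
    findings.eval += count(body, /\beval\s*\(/g);
    findings.documentWrite += count(body, /\bdocument\.write(ln)?\s*\(/g);
    findings.innerHTML += count(body, /\.innerHTML\s*=/g);
    findings.domScriptCreation += count(body, /createElement\s*\(\s*["']script["']\s*\)/g);
  }
  return findings;
}

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, "www.example.com"), null, 2));
```

Running it over a crawl of top-level documents gives per-site counts comparable in spirit to the abstract's three categories, with the DOM-creation count serving as the safe baseline.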
