With the proliferation of Web 2.0 technologies, functionality in web applications is increasingly moving from server-side to client-side code, primarily JavaScript. The dynamic and event-driven nature of JavaScript code, which is often machine generated or obfuscated, combined with reliance on complex frameworks and asynchronous communication, makes it difficult to perform effective security auditing of client-side JavaScript using existing static- and dynamic-analysis techniques. We present a commercial-grade hybrid-analysis solution for automated security assessment of client-side JavaScript code. Our approach brings together the advantages of the white-box and black-box methodologies while overcoming their weaknesses. A black-box component interacts with the subject web application and collects pages that contain client-side JavaScript code. The pages are then analyzed using static taint analysis to detect security vulnerabilities. The black-box component provides URLs and other pieces of dynamic information that contribute toward specializing the static analysis, making it much more precise and effective than its baseline version, as we demonstrate empirically.

General Terms: Algorithms, Security, Verification.
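The specialization step described above, as an added example that is not the paper's own code: a toy static taint analysis over a hand-built statement IR (standing in for parsed JavaScript) which, when given a concrete URL property observed by the black-box crawler, prunes the branch that cannot execute for that URL and so drops a finding the baseline analysis reports while keeping the genuine flow. The IR, the source and sink lists, the shape of the `concrete` facts and the sample page are all assumptions made for this illustration; the paper's actual specialization mechanism is not reproduced here.

```javascript
// Added illustration, not the paper's tool: taint propagation over a toy statement IR standing in
// for parsed client-side JavaScript. The IR, source/sink lists and the sample page are constructed.
// IR: assign dst,src | concat dst,args | sanitize dst,src | sink name,arg | branch prop,value,then,else
const SOURCES = new Set(["location.search", "location.hash"]);
const SINKS = new Set(["document.write", "eval", "innerHTML"]);
// `concrete` holds URL facts observed by the black-box crawler (assumed shape, e.g.
// {"location.hostname": "www.example.com"}); when empty this is the baseline static analysis.
function analyze(stmts, concrete = {}, taint = new Map(), findings = []) {
  for (const s of stmts) {
    switch (s.op) {
      case "assign": // src is a variable or a DOM taint source such as location.search
        taint.set(s.dst, SOURCES.has(s.src) ? s.src : taint.get(s.src) || null);
        break;
      case "concat": // taint of any operand flows into the result
        taint.set(s.dst, s.args.map((a) => taint.get(a) || null).find(Boolean) || null);
        break;
      case "sanitize": // e.g. encodeURIComponent: the result is untainted
        taint.set(s.dst, null);
        break;
      case "branch": {
        const known = s.prop in concrete;
        const paths = [[!known || concrete[s.prop] === s.value, s.then],
                       [!known || concrete[s.prop] !== s.value, s.else]];
        const states = [];
        for (const [feasible, body] of paths) {
          if (!feasible) continue; // pruned: the crawled URL can never take this path
          const st = new Map(taint); analyze(body, concrete, st, findings); states.push(st);
        }
        // Join: a variable is tainted after the branch if it is tainted on any feasible path
        for (const v of new Set(states.flatMap((st) => [...st.keys()])))
          taint.set(v, states.map((st) => st.get(v)).find(Boolean) || null);
        break;
      }
      case "sink":
        if (SINKS.has(s.name) && taint.get(s.arg)) findings.push(`${s.name} <- ${taint.get(s.arg)}`);
        break;
    }
  }
  return findings;
}
// Constructed sample page: localhost-only debug eval of a URL parameter, a sanitized write, raw innerHTML
const samplePage = [
  { op: "assign", dst: "q", src: "location.search" },
  { op: "branch", prop: "location.hostname", value: "localhost", else: [],
    then: [{ op: "concat", dst: "dbg", args: ["prefix", "q"] }, { op: "sink", name: "eval", arg: "dbg" }] },
  { op: "sanitize", dst: "safe", src: "q" }, { op: "sink", name: "document.write", arg: "safe" },
  { op: "concat", dst: "html", args: ["greeting", "q"] }, { op: "sink", name: "innerHTML", arg: "html" },
];
const [baseline, specialized] = [analyze(samplePage), analyze(samplePage, { "location.hostname": "www.example.com" })];
```

The baseline run reports both the `eval` and the `innerHTML` flow; given the crawled hostname, the debug branch is infeasible and only the `innerHTML` flow remains.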