Characterizing Insecure JavaScript Practices on the Web

JavaScript is an interpreted programming language most often used to enhance webpage interactivity and functionality. It has powerful capabilities for interacting with webpage documents and browser windows; however, it has also opened the door to many browser-based security attacks. Insecure engineering practices in the use of JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risk of browser-based attacks. In this paper, we present the first measurement study of insecure practices in the use of JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common across websites: (1) at least 66.4% of the measured websites manifest the insecure practice of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) for dynamic JavaScript generation, using the document.write() method and the innerHTML property is much more popular than the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators to reduce potential security risks.
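An added audit script (my example, not code from the paper or its authors) that flags in a page's HTML the practices the abstract measures: scripts included from a host other than the page's own, eval() in inline scripts, and document.write()/innerHTML generation versus DOM-created script elements. It assumes Node.js with the global URL class, regex-based script extraction (no DOM), and a constructed sample page.

```javascript
// Added example (not from the paper): audits a page's HTML for the practices the
// paper measures: scripts included from another domain, eval() in inline scripts,
// and document.write()/innerHTML versus DOM-created script elements. Node.js only.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Classify every <script> in `html` relative to the page's own host.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const report = {
    externalSrc: [],          // hosts of included scripts that differ from the page host
    usesEval: false,          // eval() of dynamically built code
    usesDocumentWrite: false, // document.write()/writeln() generation
    usesInnerHtml: false,     // innerHTML assignment generation
    usesDomCreation: false,   // the safer createElement("script") technique
  };
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = SRC_RE.exec(attrs);
    if (src) {
      const host = new URL(src[1], page.href).host; // resolves relative paths to the page host
      if (host !== page.host) report.externalSrc.push(host);
    }
    if (/\beval\s*\(/.test(body)) report.usesEval = true;
    if (/document\.write(ln)?\s*\(/.test(body)) report.usesDocumentWrite = true;
    if (/\.innerHTML\s*=/.test(body)) report.usesInnerHtml = true;
    if (/createElement\s*\(\s*["']script["']\s*\)/.test(body)) report.usesDomCreation = true;
  }
  return report;
}

// Constructed sample page showing the three insecure practices and the safer one.
const SAMPLE_HTML = `<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script>
  var cfg = eval("(" + raw + ")");            // JSON.parse(raw) is the safe alternative
  document.write("<scr" + "ipt src='https://ads.example.org/a.js'></scr" + "ipt>");
  box.innerHTML = "<b>" + userName + "</b>";   // use textContent for untrusted text
</script>
<script>
  var s = document.createElement("script"); s.src = "/js/late.js";
  document.head.appendChild(s);
</script>
</head><body></body></html>`;

console.log(auditScripts(SAMPLE_HTML, "https://www.example.com/index.html"));
```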
