Hybrid security analysis of web JavaScript code via dynamic partial evaluation

Omer Tripp, Pietro Ferrara, Marco Pistoia
Proceedings of the 2014 International Symposium on Software Testing and Analysis (ISSTA 2014)
This paper addresses the problem of detecting JavaScript security vulnerabilities in the client side of Web applications. Such vulnerabilities are becoming a source of growing concern due to the rapid migration of server-side business logic to the client side, combined with new JavaScript-backed Web technologies, such as AJAX, HTML5 and Web 2.0. Detection of client-side vulnerabilities is challenging given the dynamic and event-driven nature of JavaScript. We present a new form of hybrid JavaScript analysis, which augments static analysis with (semi-)concrete information by applying partial evaluation to JavaScript functions according to dynamic data recorded by the Web crawler. The dynamic component rewrites the program per the HTML environment containing the JavaScript code, and the static component then explores all possible behaviors of the partially evaluated program (while treating user-controlled aspects of the environment conservatively). We have implemented this hybrid architecture as the JSA tool, which we recently integrated into a commercial product. We formalize the static analysis and prove useful properties over it. We also tested the system across a set of 170,000 Web pages, comparing it with purely static and dynamic alternatives. The results we obtained provide conclusive evidence in favor of our hybrid approach. Only 10% of the reports by JSA are false alarms compared to 63% of the alarms flagged by its purely static counterpart, while not a single true warning is lost. This represents a reduction of 94% in false alarms. Compared with a commercial dynamic testing algorithm, JSA is able to detect vulnerabilities in > 4x more Web sites with only 4 false alarms.
doi:10.1145/2610384.2610385 dblp:conf/issta/TrippFP14 fatcat:ryffhyeduzad7g7uyoagvzqgru