Using static analysis for Ajax intrusion detection

Arjun Guha, Shriram Krishnamurthi, Trevor Jim
2009 Proceedings of the 18th international conference on World wide web - WWW '09
We present a static control-flow analysis for JavaScript programs running in a web browser. Our analysis tackles numerous challenges posed by modern web applications including asynchronous communication, frameworks, and dynamic code generation. We use our analysis to extract a model of expected client behavior as seen from the server, and build an intrusion-prevention proxy for the server: the proxy intercepts client requests and disables those that do not meet the expected behavior. We insert random asynchronous requests to foil mimicry attacks. Finally, we evaluate our technique against several real applications and show that it protects against an attack in a widely-used web application.
doi:10.1145/1526709.1526785 dblp:conf/www/GuhaKJ09 fatcat:oezj7uezxnalteu3txg7kor4gq