JavaScript Instrumentation in Practice [chapter]

Haruka Kikuchi, Dachuan Yu, Ajay Chander, Hiroshi Inamura, Igor Serikov
2008 Lecture Notes in Computer Science  
JavaScript provides useful client-side computation facilities, enabling richer and more dynamic web applications. Unfortunately, the power and ubiquity of JavaScript has also been exploited to launch various browser-based attacks. Our previous work proposed a theoretical framework applying policy-based code instrumentation to JavaScript. This paper further reports our experience carrying out the theory in practice. Specifically, we discuss how the instrumentation is performed on various
more » ... pt and HTML syntactic constructs, present a new policy construction method for facilitating the creation and compilation of security policies, and document various practical difficulties arose during our prototyping. Our prototype currently works with several different web browsers, including Safari Mobile running on iPhones. We report our results based on experiments using representative real-world web applications. Although discussing a particular prototype, we believe the techniques therein will also be useful to other studies on JavaScript security.
doi:10.1007/978-3-540-89330-1_23 fatcat:6u7x6ihgnnbb5ll4g3lqhlpeha