Abstract
Web applications have become an essential component of many different fields, and JavaScript, as the client-side scripting language, is ubiquitous across the web. Malicious JavaScript code can abuse a user's browser, cookies, and security permissions. In this paper, we propose a static taint analysis approach for precise detection of taint-style vulnerabilities, such as DOM-based cross-site scripting (XSS), in JavaScript programs. The approach divides sinks into output contexts so that untrusted data reaching a sink of a given context can be checked for sanitization that is sufficient for that context, rather than for any sanitization at all. We reengineered TAJS into a new analyzer, TAJS_taint, that adopts this approach and uses finite-state automata as its abstract string domain in order to track tainted flows more precisely. We ran TAJS_taint on a set of real web pages and show that it can precisely detect taint-style vulnerabilities, especially those caused by insufficient input sanitization.
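The context-sensitive sink check described in the abstract, as an added illustration that is not code from the paper or from TAJS_taint: sinks are grouped by output context (html, url, js), each context names the sanitizer that suffices for it, and a value carries the set of sanitizer labels applied to it. The sink names, context table, sanitizer implementations and the label-set model (a simplification of the automaton-based string domain the paper uses) are this example's own assumptions; the sample payload is constructed.

```javascript
// Added example: a minimal context-sensitive taint checker in the spirit of the
// abstract above. Sink names, contexts and the sanitizer-label model are this
// example's own simplifications, not the TAJS_taint implementation.

// Each sink belongs to an output context; each context names the sanitizer that
// is sufficient for it. Data cleaned for one context but passed to a sink of
// another context is reported as insufficiently sanitized.
const SINK_CONTEXTS = {
  "Element.innerHTML": "html",
  "document.write": "html",
  "Location.href": "url",
  "eval": "js",
};
const REQUIRED_SANITIZER = { html: "htmlEncode", url: "safeUrl", js: "jsEscape" };

// A tainted value carries the concrete string, the source it came from, and the
// labels of the sanitizers applied along the flow (a label set stands in for the
// automaton-based string abstraction used by the paper).
function source(name, value) {
  return { value, taintedBy: name, sanitized: new Set() };
}

function applySanitizer(label, transform) {
  return (tv) => ({
    value: transform(tv.value),
    taintedBy: tv.taintedBy,
    sanitized: new Set([...tv.sanitized, label]),
  });
}

// Encodes the five HTML-significant characters: sufficient for the html context,
// but it does nothing against a javascript: URL reaching a url-context sink.
const htmlEncode = applySanitizer("htmlEncode", (s) =>
  s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" }[c])
  )
);

// Allows only http(s) absolute URLs or same-origin relative paths (not "//host");
// any other scheme (javascript:, data:, vbscript:) is replaced. Sufficient for url.
const safeUrl = applySanitizer("safeUrl", (s) => {
  const trimmed = s.trim();
  if (/^https?:\/\//i.test(trimmed) || /^\/(?!\/)/.test(trimmed)) return trimmed;
  return "about:blank";
});

// Escapes a string for embedding inside a JS string literal: sufficient for js.
const jsEscape = applySanitizer("jsEscape", (s) =>
  s.replace(/[\\'"\n\r<>\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  )
);

// Returns null when the flow into `sink` is adequately sanitized for the sink's
// context, otherwise a finding that distinguishes "no sanitizer at all" from
// "sanitized for the wrong context".
function checkSink(sink, tv) {
  const context = SINK_CONTEXTS[sink];
  if (context === undefined) throw new Error("unknown sink " + sink);
  const needed = REQUIRED_SANITIZER[context];
  if (tv.sanitized.has(needed)) return null;
  return {
    sink,
    context,
    source: tv.taintedBy,
    applied: [...tv.sanitized],
    kind: tv.sanitized.size === 0 ? "unsanitized" : "insufficient-sanitization",
  };
}

// Constructed sample flows from an untrusted fragment identifier.
function demo() {
  const hash = source("location.hash", "javascript:alert(document.cookie)");
  return {
    raw: checkSink("Element.innerHTML", hash),               // unsanitized
    html: checkSink("Element.innerHTML", htmlEncode(hash)),  // safe for html
    wrongCtx: checkSink("Location.href", htmlEncode(hash)),  // html-encoded, url sink
    url: checkSink("Location.href", safeUrl(hash)),          // safe for url
    urlValue: safeUrl(hash).value,                           // "about:blank"
  };
}
```

The third flow is the case the abstract singles out: the value was sanitized, so a checker that only asks "was any sanitizer applied?" would stay silent, while the per-context table flags HTML encoding as insufficient for a URL sink, where a `javascript:` scheme survives encoding untouched.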
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Almashfi, N., Lu, L. (2021). Static Taint Analysis for JavaScript Programs. In: Kalenkova, A., Lozano, J.A., Yavorskiy, R. (eds) Tools and Methods of Program Analysis. TMPA 2019. Communications in Computer and Information Science, vol 1288. Springer, Cham. https://doi.org/10.1007/978-3-030-71472-7_13
DOI: https://doi.org/10.1007/978-3-030-71472-7_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-71471-0
Online ISBN: 978-3-030-71472-7