ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Characterizing insecure javascript practices on the web
Full text PdfPdf (1.07 MB)
Source
International World Wide Web Conference archive
Proceedings of the 18th international conference on World wide web table of contents
Madrid, Spain
SESSION: Web engineering/session: client side web engineering table of contents
Pages 961-970  
Year of Publication: 2009
ISBN:978-1-60558-487-4
Authors
Chuan Yue  The College of William and Mary, Williamsburg, VA, USA
Haining Wang  The College of William and Mary, Williamsburg, VA, USA
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 65,   Downloads (12 Months): 244,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1526709.1526838
What is a DOI?

ABSTRACT

JavaScript is an interpreted programming language most often used for enhancing webpage interactivity and functionality. It has powerful capabilities to interact with webpage documents and browser windows, however, it has also opened the door for many browser-based security attacks. Insecure engineering practices of using JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risks of browser-based attacks. In this paper, we present the first measurement study on insecure practices of using JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common at various websites: (1) at least 66.4% of the measured websites manifest the insecure practices of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) in JavaScript dynamic generation, using the document.write() method and the innerHTML property is much more popular than using the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators for reducing potential security risks.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Thomas Ball , James R. Larus, Optimally profiling and tracing programs, ACM Transactions on Programming Languages and Systems (TOPLAS), v.16 n.4, p.1319-1360, July 1994  [doi>10.1145/183432.183527]
2
Adam Barth , Collin Jackson , John C. Mitchell, Robust defenses for cross-site request forgery, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA  [doi>10.1145/1455770.1455782]
 
3
Ira D. Baxter , Andrew Yahin , Leonardo Moura , Marcelo Sant'Anna , Lorraine Bier, Clone Detection Using Abstract Syntax Trees, Proceedings of the International Conference on Software Maintenance, p.368, March 16-19, 1998
4
Andrew Bortz , Dan Boneh, Exposing private information by timing web applications, Proceedings of the 16th international conference on World Wide Web, May 08-12, 2007, Banff, Alberta, Canada  [doi>10.1145/1242572.1242656]
 
5
Stefano Ceri , Piero Fraternali , Aldo Bongio , Marco Brambilla , Sara Comai , Maristella Matera, Designing Data-Intensive Web Applications, Morgan Kaufmann Publishers Inc., San Francisco, CA, 2002
 
6
Jose Meseguer , Ralf Sasse , Helen J. Wang , Yi-Min Wang, A Systematic Approach to Uncover Security Flaws in GUI Logic, Proceedings of the 2007 IEEE Symposium on Security and Privacy, p.71-85, May 20-23, 2007  [doi>10.1109/SP.2007.6]
 
7
Woojong Suh, Web Engineering: Principles And Techniques, IGI Publishing, Hershey, PA, 2005
8
Laura Falk , Atul Prakash , Kevin Borders, Analyzing websites for user-visible security design flaws, Proceedings of the 4th symposium on Usable privacy and security, July 23-25, 2008, Pittsburgh, Pennsylvania  [doi>10.1145/1408664.1408680]
 
9
David Flanagan, JavaScript: The Definitive Guide, O'Reilly Media, Inc., 2006
 
10
S. Fogie, J. Grossman, R. Hansen, A. Rager, and P. D. Petkov. XSS Exploits: Cross Site Scripting Attacks and Defense. Syngress, ISBN 1-597-49154-3, 2007.
11
Yao-Wen Huang , Fang Yu , Christian Hang , Chung-Hung Tsai , Der-Tsai Lee , Sy-Yen Kuo, Securing web application code by static analysis and runtime protection, Proceedings of the 13th international conference on World Wide Web, May 17-20, 2004, New York, NY, USA  [doi>10.1145/988672.988679]
12
Collin Jackson , Andrew Bortz , Dan Boneh , John C. Mitchell, Protecting browser state from web privacy attacks, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland  [doi>10.1145/1135777.1135884]
13
Trevor Jim , Nikhil Swamy , Michael Hicks, Defeating script injection attacks with browser-enforced embedded policies, Proceedings of the 16th international conference on World Wide Web, May 08-12, 2007, Banff, Alberta, Canada  [doi>10.1145/1242572.1242654]
14
Stefan Kals , Engin Kirda , Christopher Kruegel , Nenad Jovanovic, SecuBat: a web vulnerability scanner, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland  [doi>10.1145/1135777.1135817]
 
15
Gerti Kappel, Web Engineering, John Wiley & Sons, 2006
16
Balachander Krishnamurthy , Craig E. Wills, Cat and mouse: content delivery tradeoffs in web access, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland  [doi>10.1145/1135777.1135829]
17
V. T. Lam , S. Antonatos , P. Akritidis , K. G. Anagnostakis, Puppetnets: misusing web browsers as a distributed attack infrastructure, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1180405.1180434]
 
18
Benjamin Livshits , Weidong Cui, Spectator: detection and containment of JavaScript worms, USENIX 2008 Annual Technical Conference on Annual Technical Conference, p.335-348, June 22-27, 2008, Boston, Massachusetts
 
19
E. Mendes and N. M. (Eds.). Web Engineering. Springer, ISBN 3-540-28196-7, 2005.
 
20
A. Moshchuk, T. Bragin, S. D. Gribble, and H. M. Levy. A crawler-based study of spyware in the web. In Proc. of the NDSS, 2006.
 
21
S. Murugesan and Y. D. (Eds.). Web Engineering : Managing Diversity and Complexity of Web Application Development. Springer, ISBN 3-540-42130-0, 2001.
22
Terri Oda , Glenn Wurster , P. C. van Oorschot , Anil Somayaji, SOMA: mutual approval for included content in web pages, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA  [doi>10.1145/1455770.1455783]
 
23
Thomas A. Powell , David L. Jones , Dominique C. Cutts, Web site engineering: beyond Web page design, Prentice-Hall, Inc., Upper Saddle River, NJ, 1998
 
24
Niels Provos , Panayiotis Mavrommatis , Moheeb Abu Rajab , Fabian Monrose, All your iFRAMEs point to Us, Proceedings of the 17th conference on Security symposium, p.1-15, July 28-August 01, 2008, San Jose, CA
 
25
Charles Reis , John Dunagan , Helen J. Wang , Opher Dubrovsky , Saher Esmeir, BrowserShield: vulnerability-driven filtering of dynamic HTML, Proceedings of the 7th symposium on Operating systems design and implementation, November 06-08, 2006, Seattle, Washington
26
D. C. Reis , P. B. Golgher , A. S. Silva , A. F. Laender, Automatic web news extraction using tree edit distance, Proceedings of the 13th international conference on World Wide Web, May 17-20, 2004, New York, NY, USA  [doi>10.1145/988672.988740]
 
27
Gustavo Rossi , Oscar Pastor , Daniel Schwabe , Luis Olsina, Web Engineering: Modelling and Implementing Web Applications (Human-Computer Interaction Series), 2007
 
28
Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. T. King. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In Proc. of the NDSS, 2006.
29
Gary Wassermann , Zhendong Su, Static detection of cross-site scripting vulnerabilities, Proceedings of the 30th international conference on Software engineering, May 10-18, 2008, Leipzig, Germany  [doi>10.1145/1368088.1368112]
 
30
C. A. Welty, Augmenting abstract syntax trees for program understanding, Proceedings of the 12th international conference on Automated software engineering (formerly: KBSE), p.126, November 02-05, 1997
 
31
Wuu Yang, Identifying syntactic differences between two programs, Software—Practice & Experience, v.21 n.7, p.739-755, June 1991  [doi>10.1002/spe.4380210706]
32
Dachuan Yu , Ajay Chander , Nayeem Islam , Igor Serikov, JavaScript instrumentation for browser security, Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 17-19, 2007, Nice, France
 
33
Chuan Yue , Mengjun Xie , Haining Wang, Automatic Cookie Usage Setting with CookiePicker, Proceedings of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, p.460-470, June 25-28, 2007  [doi>10.1109/DSN.2007.21]
34
Yanhong Zhai , Bing Liu, Web data extraction based on partial tree alignment, Proceedings of the 14th international conference on World Wide Web, May 10-14, 2005, Chiba, Japan  [doi>10.1145/1060745.1060761]
 
35
24 ways: Don't be eval(). http://24ways.org/2005/dont-be-eval.
 
36
Alexa Top Sites. http://www.alexa.com/browse?CategoryID=1.
 
37
CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests. http://www.cert.org/advisories/CA-2000-02.html.
 
38
Cross-site scripting. http://en.wikipedia.org/wiki/Cross-site_scripting.
 
39
eval -- MDC. http://developer.mozilla.org/en/ Core_JavaScript_1.5_Reference/Global_Functions/eval.
 
40
JavaScript. http://en.wikipedia.org/wiki/JavaScript.
 
41
JSAPI reference -- MDC. http://developer.mozilla.org/en/JSAPI_Reference.
 
42
JSON in JavaScript. http://www.json.org/js.html.
 
43
JSPrincipals -- MDC. http://developer.mozilla.org/en/JSPrincipals.
 
44
MSDN: innerHTML property. http://msdn.microsoft.com /en-us/library/ms533897(VS.85).aspx.
 
45
Same origin policy. http://en.wikipedia.org/wiki/Same_origin_policy.
 
46
SANS Top-20 2007 Security Risks (2007 Annual Update). http://www.sans.org/top20/2007/.
 
47
SpiderMonkey (JavaScript-C) Engine. http://www.mozilla.org/js/spidermonkey/.
 
48
Symantec Internet security threat report volume XIII: April, 2008. http://www.symantec.com/ business/theme.jsp?themeid=threatreport.
 
49
Unobtrusive Javascript. http://www.onlinetools.org/articles/unobtrusivejavascript/.
 
50
XMLHttpRequest. http://www.w3.org/TR/XMLHttpRequest/.

INDEX TERMS

Primary Classification:
  H. Information Systems
  H.3 INFORMATION STORAGE AND RETRIEVAL
      H.3.5 On-line Information Services
          Subjects: Web-based services

Additional Classification:
  I. Computing Methodologies
  I.7 DOCUMENT AND TEXT PROCESSING
      I.7.2 Document Preparation
          Subjects: Scripting languages

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Unauthorized access (e.g., hacking, phreaking)


General Terms:
Experimentation, Languages, Measurement, Security


Keywords:
AST tree matching, execution-based measurement, javascript, same origin policy, security, web engineering

Collaborative Colleagues:
Chuan Yue: colleagues
Haining Wang: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player