SungGyeong Bae
Sukyoung Ryu
ABSTRACT
The evolution of Web 2.0 technologies makes web applications prevalent in various platforms including mobile devices and smart TVs. While one of the driving technologies of web applications is JavaScript, the extremely dynamic features of JavaScript make it very difficult to define and detect errors in JavaScript applications. The problem becomes more important and complicated for JavaScript web applications which may lead to severe security vulnerabilities. To help developers write safe JavaScript web applications using vendor-specific Web APIs, vendors specify their APIs often in Web IDL, which enables both API writers and users to communicate better by understanding the expected behaviors of the Web APIs. In this paper, we present SAFEWAPI, a tool to analyze Web APIs and JavaScript web applications that use the Web APIs and to detect possible misuses of Web APIs by the web applications. Even though the JavaScript language semantics allows to call a function defined with some parameters without any arguments, platform developers may require application writers to provide the exact number of arguments. Because the library functions in Web APIs expose their intended semantics clearly to web application developers unlike pure JavaScript functions, we can detect wrong uses of Web APIs precisely. For representative misuses of Web APIs defined by software quality assurance engineers, our SAFEWAPI detects such misuses in real-world JavaScript web applications.
- Caja. http://code.google.com/p/google-caja.Google Scholar
- ECMAScript Language Specification. Edition 5.1. http://www.ecma-international.org/ publications/standards/Ecma-262.htm.Google Scholar
- HTML5. http://www.w3.org/TR/html5/.Google Scholar
- SAFE: Scalable Analysis Framework for ECMAScript. http://safe.kaist.ac.kr.Google Scholar
- Samsung Smart TV apps developer forum. http://www. samsungdforum.com/.Google Scholar
- Samsung web API on developer site. http: //developer.samsung.com/samsung-web-api.Google Scholar
- Web IDL. http://www.w3.org/TR/WebIDL.Google Scholar
- ActionScript.org. ActionScript. http://www. actionscript.org.Google Scholar
- C. Anderson, P. Giannini, and S. Drossopoulou. Towards type inference for JavaScript. In Proceedings of the 19th European Conference on Object-Oriented Programming, 2005. Google ScholarDigital Library
- J. Ashkenas. CoffeeScript. http://coffeescript. org.Google Scholar
- R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged information flow for JavaScript. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation, 2009. Google ScholarDigital Library
- D. Crockford. ADsafe. http://www.adsafe.org.Google Scholar
- D. Crockford. JSLint. http://www.jslint.com.Google Scholar
- L. Foundation. Tizen. http://tizen.org.Google Scholar
- A. Guha, S. Krishnamurthi, and T. Jim. Using static analysis for Ajax intrusion detection. In Proceedings of the 18th International Conference on World Wide Web, 2009. Google ScholarDigital Library
- A. Guha, B. Lerner, J. G. Politz, and S. Krishnamurthi. Web API verification: Results and challenges. In Analysis of Security APIs, 2012.Google Scholar
- P. Heidegger and P. Thiemann. Recency types for analyzing scripting languages. In Proceedings of the 24th European Conference on Object-Oriented Programming, 2010. Google ScholarDigital Library
- S. H. Jensen, A. Møller, and P. Thiemann. Type analysis for JavaScript. In Proceedings of the 16th International Symposium on Static Analysis, 2009. Google ScholarDigital Library
- S. H. Jensen, A. Møller, and P. Thiemann. Interprocedural analysis with lazy propagation. In Proceedings of the 17th International Symposium on Static Analysis, 2010. Google ScholarDigital Library
- H. Lee, S. Won, J. Jin, J. Cho, and S. Ryu. SAFE: Formal specification and implementation of a scalable analysis framework for ECMAScript. In Proceedings of the 2012 International Workshop on Foundations of Object-Oriented Languages, 2012.Google Scholar
- S. Maffeis, J. C. Mitchell, and A. Taly. Isolating JavaScript with filters, rewriting, and wrappers. In 14th European Symposium on Research in Computer Security, 2009. Google ScholarDigital Library
- S. Maffeis, J. C. Mitchell, and A. Taly. Object capabilities and isolation of untrusted web applications. In IEEE Symposium on Security and Privacy, 2010. Google ScholarDigital Library
- Microsoft. TypeScript. http://www. typescriptlang.org.Google Scholar
- Mozilla.org. Firefox OS. http://www.mozilla.org/ en-US/firefox/os/.Google Scholar
- F. Ocariza, K. Bajaj, K. Pattabiraman, and A. Mesbah. An empirical study of client-side JavaScript bugs. In Proceedings of the 7th IEEE International Symposium on Empirical Software Engineering, 2013.Google ScholarCross Ref
- J. G. Politz, S. A. Eliopoulos, A. Guha, and S. Krishnamurthi. ADsafety: type-based verification of JavaScript sandboxing. In Proceedings of the 20th USENIX conference on Security, 2011. Google ScholarDigital Library
Index Terms
- SAFEWAPI: web API misuse detector for web applications
Recommendations
Journey to find bugs in JavaScript web applications in the wild
ICFP '16Analyzing real-world JavaScript web applications is a challenging task. On top of understanding the semantics of JavaScript, it requires modeling of web documents, platform objects, and interactions between them. Not only the JavaScript language itself ...
Intelligent crawling of web applications for web archiving
WWW '12 Companion: Proceedings of the 21st International Conference on World Wide WebThe steady growth of the World Wide Web raises challenges regarding the preservation of meaningful Web data. Tools used currently by Web archivists blindly crawl and store Web pages found while crawling, disregarding the kind of Web site currently ...
Comments