Abstract
JavaScript is an interpreted programming language most often used for enhancing webpage interactivity and functionality. It has powerful capabilities to interact with webpage documents and browser windows; however, it has also opened the door for many browser-based security attacks. Insecure engineering practices of using JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risks of browser-based attacks. In this article, we present the first measurement study on insecure practices of using JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common at various websites: (1) at least 66.4% of the measured websites manifest the insecure practice of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) in JavaScript dynamic generation, using the document.write() method and the innerHTML property is much more popular than using the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators to reduce potential security risks.
A measurement study of insecure javascript practices on the web