A measurement study of insecure javascript practices on the web

Published: 29 May 2013

Abstract

JavaScript is an interpreted programming language most often used to enhance webpage interactivity and functionality. Its powerful capabilities for interacting with webpage documents and browser windows have, however, also opened the door to many browser-based security attacks. Insecure engineering practices in the use of JavaScript may not directly lead to security breaches, but they create new attack vectors and greatly increase the risk of browser-based attacks. In this article, we present the first measurement study of insecure practices in the use of JavaScript on the Web. We focus on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common across websites: (1) at least 66.4% of the measured websites exhibit the insecure practice of including JavaScript files from external domains in the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) for JavaScript dynamic generation, the document.write() method and the innerHTML property are far more popular than the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators to reduce potential security risks.
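To make the three practices measured in the abstract concrete, the following is an added example (not code from the paper or its authors) of a small static audit that a site operator could run over one page's HTML source. It flags script inclusions from external domains in the top-level document, counts eval(), document.write()/writeln() and innerHTML writes, and counts the DOM-method alternative (createElement("script")). It also shows JSON.parse as the safe alternative to the common eval()-for-JSON pattern. The site host, the sample page and the rule that subdomains count as the site's own domain are assumptions made for the example.

```javascript
// Added example, not part of the paper: a static audit of one page's HTML for the
// insecure JavaScript practices the abstract measures.

// Assumed: the domain of the site being audited (hypothetical host).
const SITE_HOST = "example.com";

// Constructed sample page mixing safe and insecure practices.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="//ads.third-party.test/tracker.js"></script>
<script>
  var cfg = eval("(" + payload + ")");          // dynamic generation via eval
  document.write("<div>" + banner + "</div>");  // dynamic generation via document.write
  box.innerHTML = userContent;                  // dynamic generation via innerHTML
  if (box.innerHTML == "") {}                   // a comparison, not a write
  var s = document.createElement("script");     // DOM-method script creation
  s.src = "https://cdn.example.com/widget.js";
  document.head.appendChild(s);
</script>
</head><body></body></html>`;

// Is the script hosted outside the site's own domain?
// Assumption for this example: subdomains count as the site's own infrastructure.
function isExternalDomain(src, siteHost) {
  let host;
  try {
    // Resolves relative and protocol-relative URLs against the site's origin.
    host = new URL(src, `https://${siteHost}/`).hostname;
  } catch (e) {
    return true; // unparseable source: treat as untrusted
  }
  return host !== siteHost && !host.endsWith(`.${siteHost}`);
}

// Collect the src attributes of <script> tags in the top-level document.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function countMatches(text, re) {
  return (text.match(re) || []).length;
}

// Audit one page and report how often each practice appears.
function auditPage(html, siteHost) {
  return {
    externalIncludes: scriptSources(html).filter((s) => isExternalDomain(s, siteHost)),
    evalCalls: countMatches(html, /\beval\s*\(/g),
    documentWrites: countMatches(html, /\bdocument\.write(?:ln)?\s*\(/g),
    // "=" or "+=" assignment to innerHTML; the lookahead excludes "==" comparisons.
    innerHTMLWrites: countMatches(html, /\.innerHTML\s*\+?=(?!=)/g),
    domScriptCreations: countMatches(html, /createElement\s*\(\s*["']script["']\s*\)/gi),
  };
}

// Safe alternative for the most common eval() use: parsing JSON data.
// JSON.parse only builds data; eval("(" + text + ")") would run any code in text.
function parseUntrustedJson(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null; // malformed or non-JSON input is rejected, never executed
  }
}

console.log(auditPage(SAMPLE_HTML, SITE_HOST));
console.log(parseUntrustedJson('{"user":"alice"}'), parseUntrustedJson("alert(1)"));
```

On the constructed page the audit reports one external inclusion (the protocol-relative tracker on ads.third-party.test), one eval() call, one document.write() call, one innerHTML write and one DOM-method script creation; the cdn.example.com scripts are classified as the site's own. The regex-based checks are a quick triage for a site's own pages, not a parser: obfuscated or minified code can evade them, and a full crawler of the kind used in the study would parse the scripts rather than pattern-match the source.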
