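@comment{
  Record for the PDM 2021 no. 3 article. Names are stored in the unambiguous
  "Last, First" form; the journal title keeps its transliterated accents in
  BibTeX special-character form ({\^a}) so classic styles sort and label it
  correctly. The `publisher` field is not a standard @article field and is
  silently ignored by the standard .bst styles; it is kept because the source
  record supplies it.
}
@article{PDM_2021_3_a2,
  author    = {Sigalov, D. A. and Khashaev, A. A. and Gamayunov, D. Yu.},
  title     = {Detecting server-side endpoints in web applications based on static analysis of client-side {JavaScript} code},
  journal   = {Prikladna{\^a} diskretna{\^a} matematika},
  year      = {2021},
  number    = {3},
  pages     = {32--54},
  publisher = {mathdoc},
  language  = {ru},
  url       = {http://geodesic.mathdoc.fr/item/PDM_2021_3_a2/},
}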
TY - JOUR AU - D. A. Sigalov AU - A. A. Khashaev AU - D. Yu. Gamayunov TI - Detecting server-side endpoints in web applications based on static analysis of client-side JavaScript code JO - Prikladnaâ diskretnaâ matematika PY - 2021 SP - 32 EP - 54 IS - 3 PB - mathdoc UR - http://geodesic.mathdoc.fr/item/PDM_2021_3_a2/ LA - ru ID - PDM_2021_3_a2 ER -
%0 Journal Article %A D. A. Sigalov %A A. A. Khashaev %A D. Yu. Gamayunov %T Detecting server-side endpoints in web applications based on static analysis of client-side JavaScript code %J Prikladnaâ diskretnaâ matematika %D 2021 %P 32-54 %N 3 %I mathdoc %U http://geodesic.mathdoc.fr/item/PDM_2021_3_a2/ %G ru %F PDM_2021_3_a2
D. A. Sigalov; A. A. Khashaev; D. Yu. Gamayunov. Detecting server-side endpoints in web applications based on static analysis of client-side JavaScript code. Prikladnaâ diskretnaâ matematika, no. 3 (2021), pp. 32-54. http://geodesic.mathdoc.fr/item/PDM_2021_3_a2/
[1] Huang Y. W., Huang S. K., Lin T. P., Tsai C. H., “Web application security assessment by fault injection and behavior monitoring”, Proc. WWW2003 (Budapest, Hungary, May 21–25, 2003), 148–159 | Zbl
[2] Razdobarov A. V., Petukhov A. A., Gamayunov D. Yu., “Problems overview for modern web applications vulnerabilities discovery”, Problemy Informatsionnoy Bezopasnosti. Komp'yuternye Sistemy, 2015, no. 4, 64–69 (in Russian)
[3] Usage statistics of client-side programming languages for websites
[4] Richards G., Lebresne S., Burg B., Vitek J., “An analysis of the dynamic behavior of JavaScript programs”, ACM SIGPLAN Notices, 45:6 (2010), 1–12 | DOI
[5] Alexa Top 500 Global Sites, https://www.alexa.com/topsites
[6] jQuery
[7] reCAPTCHA
[8] Kwangwon S., Sukyoung R., “Analysis of JavaScript programs: Challenges and research trends”, ACM Comput. Surveys, 50:4 (2017), 59
[9] Andreasen E., Gong L., Møller A., et al., “A survey of dynamic analysis and test generation for JavaScript”, ACM Comput. Surveys, 50:5 (2017), 66 | DOI
[10] Ryu S., Park J., Park J., “Toward analysis and bug finding in JavaScript web applications in the wild”, IEEE Software, 36:3 (2018), 74–82 | DOI
[11] Andreasen E., Møller A., “Determinacy in static analysis of jQuery”, ACM SIGPLAN Notices, 49:10 (2014), 17–31 | DOI
[12] Doupé A., Cova M., Vigna G., “Why Johnny can't pentest: An analysis of black-box web vulnerability scanners”, Proc. DIMVA 2010, Springer, Berlin–Heidelberg, 2010, 111–131
[13] Doupé A., Cavedon L., Kruegel C., Vigna G., “Enemy of the state: A state-aware black-box web vulnerability scanner”, 21st USENIX Security Symp., 2012, 523–538
[14] Doupé A., Advanced Automated Web Application Vulnerability Analysis, Diss., UC Santa Barbara, 2014
[15] Choudhary S., Dincturk M., Mirtaheri S., et al., “Crawling rich internet applications: the state of the art”, Proc. Conf. of the Center for Advanced Studies on Collaborative Research, 2012, 146–160
[16] Mesbah A., Deursen A., Lenselink S., “Crawling Ajax-based web applications through dynamic analysis of user interface state changes”, ACM Trans. Web, 6 (2012), 3:1–3:30 | DOI
[17] Antal G., Hegedüs P., Toth Z., et al., “Static JavaScript call graphs: A comparative study”, IEEE 18th Intern. Conf. SCAM, 2018, 177–186
[18] Ko Y., Lee H., Dolby J., Ryu S., “Practically tunable static analysis framework for large-scale JavaScript applications (T)”, 30th IEEE/ACM Intern. Conf. ASE, 2015, 541–551
[19] Wittern E., Ying A. T. T., Zheng Y., et al., “Statically checking web API requests in JavaScript”, Proc. 39th Intern. Conf. Software Eng., 2017, 244–254
[20] Babel
[21] PT BBS Slides
[22] Acunetix
[23] Detectify
[24] Burp Scanner
[25] HCL AppScan Cloud