Detecting server-side endpoints in web applications based on static analysis of client-side JavaScript code

D. A. Sigalov; A. A. Khashaev; D. Yu. Gamayunov

Geodesic

Parcourir par

Detecting server-side endpoints in web applications based on static analysis of client-side JavaScript code

D. A. Sigalov ; A. A. Khashaev ; D. Yu. Gamayunov

Prikladnaâ diskretnaâ matematika, no. 3 (2021), pp. 32-54

Voir la notice de l'article provenant de la source Math-Net.Ru

Résumé

The problem of server-side endpoint detection in the context of blackbox security analysis of dynamic web applications is considered. We propose a method to increase coverage of server-side endpoint detection using static analysis of client-side JavaScript code to find functions which generate HTTP requests to the server-side of the application and reconstruct parameters for those functions. In the context of application security testing, static analysis allows to find such functions even in dead or unreachable JavaScript code, which cannot be achieved by dynamic crawling or dynamic code analysis. Evaluation of the proposed method and its implementation has been done using synthetic web application with endpoints vulnerable to SQL injections, and the same application was used to compare the proposed method with existing solutions. Evaluation results show that adding JavaScript static analysis to traditional dynamic crawling of web applications may significantly improve server-side endpoint coverage in blackbox application security analysis.

Mots-clés : web applications
Keywords: static analysis, JavaScript.

@article{PDM_2021_3_a2,
     author = {D. A. Sigalov and A. A. Khashaev and D. Yu. Gamayunov},
     title = {Detecting server-side endpoints in web applications based on static analysis of client-side {JavaScript} code},
     journal = {Prikladna\^a diskretna\^a matematika},
     pages = {32--54},
     publisher = {mathdoc},
     number = {3},
     year = {2021},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/PDM_2021_3_a2/}
}

TY  - JOUR
AU  - D. A. Sigalov
AU  - A. A. Khashaev
AU  - D. Yu. Gamayunov
TI  - Detecting server-side endpoints in web applications based on static analysis of client-side JavaScript code
JO  - Prikladnaâ diskretnaâ matematika
PY  - 2021
SP  - 32
EP  - 54
IS  - 3
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/PDM_2021_3_a2/
LA  - ru
ID  - PDM_2021_3_a2
ER  -

%0 Journal Article
%A D. A. Sigalov
%A A. A. Khashaev
%A D. Yu. Gamayunov
%T Detecting server-side endpoints in web applications based on static analysis of client-side JavaScript code
%J Prikladnaâ diskretnaâ matematika
%D 2021
%P 32-54
%N 3
%I mathdoc
%U http://geodesic.mathdoc.fr/item/PDM_2021_3_a2/
%G ru
%F PDM_2021_3_a2

D. A. Sigalov; A. A. Khashaev; D. Yu. Gamayunov. Detecting server-side endpoints in web applications based on static analysis of client-side JavaScript code. Prikladnaâ diskretnaâ matematika, no. 3 (2021), pp. 32-54. http://geodesic.mathdoc.fr/item/PDM_2021_3_a2/