This paper considers the problem of server-side endpoint detection in blackbox security analysis of dynamic web applications. We propose a method that increases the coverage of server-side endpoint detection by statically analysing client-side JavaScript code to find functions that generate HTTP requests to the server side of the application and to reconstruct the parameters of those functions. In application security testing, static analysis makes it possible to find such functions even in dead or unreachable JavaScript code, which dynamic crawling and dynamic code analysis cannot do. The proposed method and its implementation were evaluated on a synthetic web application with endpoints vulnerable to SQL injection, and the same application was used to compare the method with existing solutions. The evaluation results show that adding JavaScript static analysis to traditional dynamic crawling of web applications may significantly improve server-side endpoint coverage in blackbox application security analysis.
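The idea in the abstract, as an added illustration (not the authors' implementation): a simplified regex-based scan that finds request-generating calls in client-side source, including a function that is never invoked, and folds constant string concatenations into endpoint URLs. The sample source, the `{name}` placeholder convention, the three recognised call forms and the assumption that `fetch` without inspected options means GET are all constructed for this example.

```javascript
// Added example: a simplified static scan, not the paper's implementation.
// Constructed client-side source: legacyExport() is never called (dead code).
const SAMPLE = `
const API = "/api/v1";
var reportPath = API + "/reports";
function loadUsers() { fetch(API + "/users?id=" + userId); }
function legacyExport() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", reportPath + "/export");
  $.post("/admin/purge", { all: 1 });
}
loadUsers();
`;

// An operand is a string literal or an identifier; an expression joins them with '+'.
const OPERAND = String.raw`(?:"[^"\n]*"|'[^'\n]*'|[\w.]+)`;
const EXPR = `${OPERAND}(?:\\s*\\+\\s*${OPERAND})*`;

// Request-generating call sites: group 1 names the method, group 2 is the URL expression.
const SINKS = [
  new RegExp(`\\b(fetch)\\(\\s*(${EXPR})`, "g"),
  new RegExp(`\\$\\.(get|post)\\(\\s*(${EXPR})`, "g"),
  new RegExp(`\\.open\\(\\s*["'](\\w+)["']\\s*,\\s*(${EXPR})`, "g"),
];

// Fold literals and known constants; unknown names become "{name}" parameters.
function resolve(expr, env) {
  return expr.match(new RegExp(OPERAND, "g")).map((t) => {
    if (/^["']/.test(t)) return t.slice(1, -1);
    return env.has(t) ? env.get(t) : `{${t}}`;
  }).join("");
}

function findEndpoints(src) {
  const env = new Map();
  const bind = new RegExp(`(?:const|let|var)\\s+(\\w+)\\s*=\\s*(${EXPR})\\s*;`, "g");
  for (const m of src.matchAll(bind)) env.set(m[1], resolve(m[2], env));
  const found = [];
  for (const re of SINKS) {
    for (const m of src.matchAll(re)) {
      const method = m[1] === "fetch" ? "GET" : m[1].toUpperCase();
      found.push({ method, url: resolve(m[2], env) });
    }
  }
  return found;
}

console.log(findEndpoints(SAMPLE));
```

A dynamic crawl of this sample would observe only the `/api/v1/users` request, because `legacyExport()` never runs. The scan handles only `+` concatenation over a flat set of constants; real code needs a parser-based analysis with scoping and call-graph support.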
- Title Detecting server-side endpoints in web applications based on static analysis of client-side JavaScript code
- Publisher Tomsk State University
- Issue Prikladnaya Diskretnaya Matematika - Applied Discrete Mathematics 53
- Date:
- DOI 10.17223/20710410/53/3
Keywords
JavaScript, static analysis, web applications
Authors

Detecting server-side endpoints in web applications based on static analysis of client-side JavaScript code | Prikladnaya Diskretnaya Matematika - Applied Discrete Mathematics. 2021. № 53. DOI: 10.17223/20710410/53/3