JavaScript Instrumentation in Practice
Authors
Abstract
JavaScript provides useful client-side computation facilities, enabling richer and more dynamic web applications. Unfortunately, the power and ubiquity of JavaScript have also been exploited to launch various browser-based attacks. Our previous work proposed a theoretical framework applying policy-based code instrumentation to JavaScript. This paper further reports our experience carrying out the theory in practice. Specifically, we discuss how the instrumentation is performed on various JavaScript and HTML syntactic constructs, present a new policy construction method for facilitating the creation and compilation of security policies, and document various practical difficulties that arose during our prototyping. Our prototype currently works with several different web browsers, including Safari Mobile running on iPhones. We report our results based on experiments using representative real-world web applications. Although discussing a particular prototype, we believe the techniques therein will also be useful to other studies on JavaScript security.
Similar resources
Debugging Cross-Platform Mobile Apps without Tool Break
Besides its use in the web, the JavaScript programming language has become the basis of some of today’s most important mobile cross-platform development tools. To enable and simplify debugging in such environments, this paper presents a novel method for debugging interpreted JavaScript code. The described method uses source code instrumentation to transform existing JavaScript programs in a way...
Harnessing Performance for Flexibility in Instrumenting a Virtual Machine for JavaScript through Metacircularity
The limited reflexion features of the JavaScript (JS) language [5] on object operations and function calls have forced researchers, on tasks requiring run-time instrumentation, either to laboriously instrument production VMs or come up with ad hoc source-to-source translation schemes for each problem at hand. This paper shows that, by systematizing the second approach, it is possible to provide ...
A Near Real-Time Reporting System for Enterprises Using JavaScript Instrumentation with Inter-colo Event Replication
Yahoo! is on track to realize its goal of real-time enterprise-level reporting. Accessing real-time reports allows executives and decision makers to program content and advertising in a way that benefits both the business and the end user. This paper describes our legacy architecture, as well as a new, low latency pipeline. In particular, we show that by using a combination of novel JavaScript i...
ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities
Modern web applications are increasingly moving program code to the client in the form of JavaScript. With the growing adoption of HTML5 APIs such as postMessage, client-side validation (CSV) vulnerabilities are consequently becoming increasingly important to address as well. However, while detecting and preventing attacks against web applications is a well-studied topic on the server, considera...
Information Flow Control in WebKit's JavaScript Bytecode
Websites today routinely combine JavaScript from multiple sources, both trusted and untrusted. Hence, JavaScript security is of paramount importance. A specific interesting problem is information flow control (IFC) for JavaScript. In this paper, we develop, formalize and implement a dynamic IFC mechanism for the JavaScript engine of a production Web browser (specifically, Safari’s WebKit engine...