Hybrid Analysis for JavaScript Security Assessment

With the proliferation of Web 2.0 technologies, functionality in web applications is increasingly moving from server-side to client-side code, primarily JavaScript. The dynamic and event-driven nature of JavaScript code, which is often machine-generated or obfuscated, combined with reliance on complex frameworks and asynchronous communication, makes it difficult to audit client-side JavaScript effectively for security using existing static- and dynamic-analysis techniques. We present a commercial-grade hybrid-analysis solution for automated security assessment of client-side JavaScript code. Our approach combines the advantages of the white-box and black-box methodologies while overcoming their weaknesses. A black-box component interacts with the subject web application and collects the pages that contain client-side JavaScript code. These pages are then analyzed with static taint analysis to detect security vulnerabilities. The black-box component also supplies URLs and other pieces of dynamic information that specialize the static analysis, making it considerably more precise and effective than its baseline version, as we demonstrate empirically.

General Terms: Algorithms, Security, Verification.
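The following is an added illustration of the hybrid idea sketched in the abstract; it is not the paper's implementation and nothing in it is taken from the authors' tool. It runs a small path-sensitive taint analysis over a hand-built statement IR (a real tool would front this with a JavaScript parser) twice on the same client-side program: once as a plain static analysis, in which `document.URL` is an opaque tainted string, and once specialized with the URL of the page on which a crawler found the script. The specialization rests on a stated assumption: the crawled page's scheme, host and path are fixed for the collected script, while the query string and fragment remain attacker-controlled. The IR, the abstract domain (`const`, `url`, `taint`), the sample program and the crawler observation `http://example.test/app/page.html?name=bob` are all constructed for this example.

```javascript
// Added example: baseline vs. crawler-specialized taint analysis over a tiny IR.
// The IR, abstract domain and sample program below are constructed for
// illustration; they are not the paper's implementation.

const TAINT = { kind: 'taint' };                  // attacker-controlled, unknown value
const constant = (value) => ({ kind: 'const', value });
// document.URL once the crawler has told us the page: scheme/host/path are
// fixed (assumption: the collected script only runs on that page) while the
// tail (query string, fragment) is still attacker-controlled.
const urlValue = (prefix) => ({ kind: 'url', prefix });
const isConst = (a) => a.kind === 'const';

// Abstract semantics of the two string methods the sample uses.
function evalCall(method, recv, args) {
  if (method === 'indexOf' && isConst(args[0]) && (args[1] === undefined || isConst(args[1]))) {
    const from = args[1] ? args[1].value : 0;
    if (isConst(recv)) return constant(String(recv.value).indexOf(args[0].value, from));
    if (recv.kind === 'url') {
      // An occurrence inside the known prefix is necessarily the first one overall.
      const idx = recv.prefix.indexOf(args[0].value, from);
      if (idx >= 0) return constant(idx);
    }
  }
  if (method === 'substring' && args.every(isConst)) {
    if (isConst(recv)) return constant(String(recv.value).substring(...args.map((a) => a.value)));
    if (recv.kind === 'url' && args.length === 2) {
      const [s, e] = args.map((a) => a.value);
      // Both bounds inside the prefix: the slice never touches the attacker tail.
      if (s >= 0 && e >= 0 && s <= recv.prefix.length && e <= recv.prefix.length) {
        return constant(recv.prefix.substring(s, e));
      }
    }
  }
  return TAINT;                                    // anything else: assume attacker influence
}

function evalBinop(op, l, r) {
  if (!isConst(l) || !isConst(r)) return TAINT;
  if (op === '+') return constant(l.value + r.value);
  if (op === '>=') return constant(l.value >= r.value);
  return TAINT;
}

function evalExpr(ex, env, urlPrefix) {
  switch (ex.e) {
    case 'lit': return constant(ex.value);
    case 'var': return env[ex.name] || TAINT;      // unassigned variable: be conservative
    case 'src': return urlPrefix === null ? TAINT : urlValue(urlPrefix);
    case 'call': return evalCall(ex.method, evalExpr(ex.recv, env, urlPrefix),
      ex.args.map((a) => evalExpr(a, env, urlPrefix)));
    case 'binop': return evalBinop(ex.op, evalExpr(ex.left, env, urlPrefix),
      evalExpr(ex.right, env, urlPrefix));
    default: return TAINT;
  }
}

// Join of two abstract values / environments at the end of an if statement.
function join(a, b) {
  if (isConst(a) && isConst(b) && a.value === b.value) return a;
  if (a.kind === 'url' && b.kind === 'url' && a.prefix === b.prefix) return a;
  return TAINT;
}
function joinEnv(a, b) {
  const out = {};
  for (const k of new Set([...Object.keys(a), ...Object.keys(b)])) {
    out[k] = (k in a && k in b) ? join(a[k], b[k]) : TAINT;
  }
  return out;
}

// Walks the statements; a sink fed by a non-constant value is reported.
function run(stmts, env, urlPrefix, findings) {
  for (const st of stmts) {
    if (st.s === 'assign') {
      env[st.name] = evalExpr(st.expr, env, urlPrefix);
    } else if (st.s === 'sink') {
      if (!isConst(evalExpr(st.expr, env, urlPrefix))) findings.push(st.id);
    } else if (st.s === 'if') {
      const c = evalExpr(st.cond, env, urlPrefix);
      if (isConst(c)) {                            // condition decided: prune the other branch
        env = run(c.value ? st.then : st.else, env, urlPrefix, findings);
      } else {
        const t = run(st.then, { ...env }, urlPrefix, findings);
        const f = run(st.else, { ...env }, urlPrefix, findings);
        env = joinEnv(t, f);
      }
    }
  }
  return env;
}

// crawledPageUrl === null runs the baseline; otherwise the URL minus query
// and fragment (which a user can change) becomes the known prefix.
function analyze(program, crawledPageUrl) {
  const prefix = crawledPageUrl === null ? null : crawledPageUrl.split(/[?#]/)[0];
  const findings = [];
  run(program, {}, prefix, findings);
  return findings;
}

// IR constructors and a constructed sample program, modeled on a common
// DOM-XSS idiom: show the host for display, echo the query string into the page.
const lit = (value) => ({ e: 'lit', value });
const v = (name) => ({ e: 'var', name });
const src = (name) => ({ e: 'src', name });
const call = (method, recv, args) => ({ e: 'call', method, recv, args });
const bin = (op, left, right) => ({ e: 'binop', op, left, right });
const SAMPLE = [
  // var url = document.URL;
  { s: 'assign', name: 'url', expr: src('document.URL') },
  // var host = url.substring(url.indexOf("//") + 2, url.indexOf("/", 8));
  { s: 'assign', name: 'host', expr: call('substring', v('url'), [
    bin('+', call('indexOf', v('url'), [lit('//')]), lit(2)),
    call('indexOf', v('url'), [lit('/'), lit(8)])]) },
  // el.innerHTML = "Served by " + host;
  { s: 'sink', id: 'innerHTML#host', fn: 'innerHTML', expr: bin('+', lit('Served by '), v('host')) },
  // var q = url.indexOf("?");
  { s: 'assign', name: 'q', expr: call('indexOf', v('url'), [lit('?')]) },
  // if (q >= 0) document.write(url.substring(q + 1)); else document.write("guest");
  { s: 'if', cond: bin('>=', v('q'), lit(0)),
    then: [{ s: 'sink', id: 'document.write#query', fn: 'document.write',
      expr: call('substring', v('url'), [bin('+', v('q'), lit(1))]) }],
    else: [{ s: 'sink', id: 'document.write#default', fn: 'document.write', expr: lit('guest') }] },
];

const PAGE = 'http://example.test/app/page.html?name=bob';   // constructed crawler observation
console.log('baseline    :', analyze(SAMPLE, null));
console.log('specialized :', analyze(SAMPLE, PAGE));
```

The baseline reports both sinks, because without a concrete URL the host slice is indistinguishable from the query slice. With the crawler's URL, `indexOf("//")` and `indexOf("/", 8)` resolve to constant offsets inside the known prefix, the `substring` that extracts the host becomes a constant, and only the `document.write` of the query string remains, which is the genuine DOM-based XSS. The `?` is not found in the prefix, so the analysis correctly refuses to decide that branch and keeps the finding. The same mechanism extends to any dynamic fact the black-box component can fix for a page (for instance which script files it actually loads), so long as the fact is one the attacker cannot change.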