Static Analysis for JavaScript Security

by Daniel S
As discussed in class, JavaScript is a client-side scripting language for Web-application clients. The article presents ACTARUS, a novel taint-analysis algorithm used for detecting security issues in JavaScript programs. The article also discusses different types of security vulnerabilities in today's Web applications, such as injection. Injection occurs when an attacker successfully sends untrusted data to an interpreter, causing the interpreter to execute unintended commands. Another security vulnerability is cross-site scripting (XSS), in which an attacker injects a malicious script into other people's web browsers, where it is then executed. Document Object Model (DOM)-based XSS is the variant of this exploit that is carried out through JavaScript code. Lastly, the article discusses unvalidated redirects and forwards as a form of security breach. This exploit causes the user to be redirected to unintended Web sites, perform unauthorized AJAX requests, and connect to servers using unintended ports or protocols.
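As an added example that is not from the paper or from ACTARUS, the following toy taint analysis shows the idea behind such a tool: it tracks data from untrusted sources (URL fragment, query string, referrer) through variable assignments and reports where it reaches a DOM XSS, redirect or AJAX sink without passing through a sanitizer. The source, sink and sanitizer lists, the `escapeHtml` helper and the sample script are assumptions.

```javascript
// Added example, not code from the paper or from ACTARUS: a toy taint analysis over
// straight-line JavaScript. Source, sink and sanitizer lists are assumptions.
const SOURCES = ["location.hash", "location.search", "document.referrer"];
const SINKS = [
  { pattern: /\.innerHTML$/, issue: "DOM-based XSS" },
  { pattern: /^eval$/, issue: "DOM-based XSS" },
  { pattern: /location\.href$/, issue: "unvalidated redirect" },
  { pattern: /\.open$/, issue: "unauthorized AJAX request" },
];
const SANITIZERS = ["encodeURIComponent", "escapeHtml"]; // escapeHtml is hypothetical
const ASSIGN = /^(?:var\s+)?([\w.]+)\s*=\s*(.+?);?$/; // `x = expr;` or `var x = expr;`
const CALL = /^([\w.]+)\((.*)\);?$/;                   // `f(args);`

// An expression is tainted if any identifier in it is (a property of) a source or a
// tainted variable, unless a sanitizer wraps the whole expression. Words inside
// string literals are not told apart from identifiers (toy limitation).
function isTainted(expr, tainted) {
  const wrap = expr.match(/^([\w.]+)\(.*\)$/);
  if (wrap && SANITIZERS.includes(wrap[1])) return false;
  const roots = [...SOURCES, ...tainted];
  return (expr.match(/[\w.]+/g) || []).some(t => roots.some(r => t === r || t.startsWith(r + ".")));
}

// Walk the program top to bottom, propagating taint through assignments and
// reporting every statement in which tainted data reaches a sink.
function analyze(program) {
  const tainted = new Set(), findings = [];
  program.split("\n").map(l => l.trim()).forEach((line, i) => {
    const a = line.match(ASSIGN), c = line.match(CALL);
    if (a) {
      const [, target, expr] = a;
      const sink = SINKS.find(s => s.pattern.test(target)), t = isTainted(expr, tainted);
      if (sink) { if (t) findings.push({ line: i + 1, issue: sink.issue, target }); }
      else if (t) tainted.add(target);
      else tainted.delete(target); // variable overwritten with clean data
    } else if (c) {
      const [, callee, args] = c;
      const sink = SINKS.find(s => s.pattern.test(callee));
      if (sink && isTainted(args, tainted)) findings.push({ line: i + 1, issue: sink.issue, target: callee });
    }
  });
  return findings;
}

// Constructed sample page script (not from the paper); lines 3, 5 and 6 should be flagged.
const SAMPLE = [
  'var name = decodeURIComponent(location.hash.slice(1));',
  'var greeting = "Hello " + name;',
  'out.innerHTML = greeting;',
  'out.innerHTML = escapeHtml(name);',
  'location.href = location.search.slice(6);',
  'xhr.open("GET", "/api?q=" + name);',
].join("\n");
```

Running `analyze(SAMPLE)` reports the XSS on line 3 (taint flows from `location.hash` through `name` and `greeting`), the redirect on line 5 and the AJAX request on line 6, while the sanitised write on line 4 is left alone.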

I chose this article for two reasons. First, it went into detail about what was discussed in class, JavaScript. Secondly, I took this article into consideration because it talked about security concerns with JavaScript. Unfortunately though, this article was over my head, and I didn't really understand a lot of what was discussed. I found myself googling what ACTARUS is, along with DOM-based XSS. I would recommend this article to others if they were interested in either JavaScript or security concerns with JavaScript.

Source: Guarnieri, S., Dolby, J., Pistoia, M., Teilhet, S., Tripp, O., & Berg, R. (2011, July). Saving the World Wide Web from Vulnerable JavaScript. ACM Digital Library. Retrieved April 28, 2012, from http://0-delivery.acm.org.opac.library.csupomona.edu/10.1145/2010000/2001442/p177-guarnieri.pdf?ip=134.71.59.187&acc=ACTIVE%20SERVICE&CFID=99838758&CFTOKEN=39163740&__acm__=1335645498_b65f3049c3369778fb8a6240527bb904

6 thoughts on “Static Analysis for JavaScript Security”

  1. Your article was pretty interesting, so what happens when malicious data is sent to another user's computer and performs unintended tasks? Does it harm the computer in any way? Is there a possibility that a virus can be downloaded from "Injection"? In general I think everyone should be careful with any kind of website they visit, because unless a user is willing to scan every website to see if it is legit, it would be hard to stay clear of security issues.

  2. Nice read. Did your article go into detail at all about how the ACTARUS program goes about detecting malicious activity? That was what the article I read was about, so it would be cool to see how they compare.

  3. Just want to thank you for this brief and to-the-point write-up. Very informative, I should say.

  4. This article sounds cool. It does sound interesting for those interested in internet security. For a fact I know that there are at least three people in our class who are taking forensics. Does ACTARUS make it easier to prevent malicious activity rather than detecting it? Anyway, that was a good article.

  5. Good article. I did not know that an attacker can inject into a web browser. I believe a secure website is very important. Thank you for posting this article.

  6. That was a good article and something good to know, because there are many webpages that we visit each and every day, but we sometimes do not even think about the security on the pages. It sounds like something that we as web developers for this class should be aware of. The article was good to read and I think it was a great find.
