Static Analysis for JavaScript Security


As discussed in class, JavaScript is a client-side scripting language that runs in the browser on behalf of a Web application. The article presents ACTARUS, a novel taint-analysis algorithm for detecting security vulnerabilities in JavaScript programs: it tracks untrusted ("tainted") data from the points where it enters the program (sources) to the sensitive operations where it could do damage (sinks), and reports flows that do not pass through a sanitizer. The article also discusses the types of security vulnerabilities found in today's Web applications. Injection occurs when an attacker successfully sends untrusted data to an interpreter, causing the interpreter to execute unintended commands. Cross-site scripting (XSS) is a related vulnerability in which an attacker gets a malicious script into a page so that it executes in other users' browsers with that page's privileges. Document Object Model (DOM)-based XSS is the variant in which the flaw lies in the page's own JavaScript, which copies attacker-controlled data (for example, part of the URL) into the DOM without escaping it, so the injection happens entirely on the client. Lastly, the article discusses unvalidated redirects and forwards, where a destination taken from untrusted input is used without being checked; this can send the user to an unintended Web site, perform unauthorized AJAX requests, or connect to servers over ports or protocols the application never intended.
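As an added example that is not part of the original article or of ACTARUS itself, the following JavaScript models the taint-analysis idea described above on a toy three-address program: reads of attacker-controlled properties are sources, writes to dangerous properties are sinks, and a flow is reported unless it passes through a sanitizer for that sink's vulnerability kind. The IR, the source/sanitizer/sink table and the three sample programs are constructed here for illustration; the paper's actual program representation and rules are not reproduced.

```javascript
'use strict';
// Added example (not from the Guarnieri et al. paper): a minimal forward taint
// analysis over a toy three-address IR, showing the source / sanitizer / sink
// model that static taint tools for JavaScript are built on. All rules and
// sample programs below are constructed for illustration only.
const SOURCES = new Set(['location.hash', 'location.search', 'document.referrer']);
const SANITIZERS = new Map([['escapeHtml', 'xss'], ['sameOriginUrl', 'redirect']]);
const SINKS = new Map([['element.innerHTML', 'xss'], ['document.write', 'xss'], ['eval', 'xss'],
  ['location.href', 'redirect'], ['window.open', 'redirect']]);

// Statement forms of the toy IR:
//   {op:'read',   dst, from}        dst = <property read>; tainted iff `from` is a source
//   {op:'assign', dst, srcs:[...]}  dst = f(srcs), e.g. concatenation; srcs:[] is a literal
//   {op:'call',   dst, fn, args}    dst = fn(args); an unknown fn just propagates taint
//   {op:'write',  to, src}          <property write> = src; checked against SINKS
// Taint state per variable: null (clean) or {sanitized: Set<kind>}, meaning
// "tainted, but already sanitized for these vulnerability kinds".

// Join: any tainted input taints the result, and the result only counts as
// sanitized for a kind if every tainted input was sanitized for that kind.
function join(states) {
  const tainted = states.filter(Boolean);
  if (tainted.length === 0) return null;
  let sanitized = new Set(tainted[0].sanitized);
  for (const t of tainted.slice(1)) sanitized = new Set([...sanitized].filter(k => t.sanitized.has(k)));
  return { sanitized };
}

// Single forward pass; the samples are straight-line. A real analysis iterates
// to a fixpoint over the control-flow graph and across function calls.
function analyze(program) {
  const taint = new Map();
  const get = v => taint.get(v) ?? null;
  const findings = [];
  program.forEach((s, i) => {
    switch (s.op) {
      case 'read':
        taint.set(s.dst, SOURCES.has(s.from) ? { sanitized: new Set() } : null);
        break;
      case 'assign':
        taint.set(s.dst, join(s.srcs.map(get)));
        break;
      case 'call': {
        const state = join(s.args.map(get));   // fresh object, safe to mutate
        if (state && SANITIZERS.has(s.fn)) state.sanitized.add(SANITIZERS.get(s.fn));
        taint.set(s.dst, state);
        break;
      }
      case 'write': {
        const kind = SINKS.get(s.to);
        const state = get(s.src);
        if (kind && state && !state.sanitized.has(kind)) findings.push({ line: i, kind, sink: s.to, variable: s.src });
        break;
      }
      default: throw new Error(`unknown op ${s.op}`);
    }
  });
  return findings;
}

// Constructed samples. VULNERABLE models roughly:
//   el.innerHTML = "Hi " + decodeURIComponent(location.hash);   // DOM-based XSS
//   location.href = getParam(location.search, "next");          // open redirect
const VULNERABLE = [
  { op: 'read',   dst: 'h',    from: 'location.hash' },
  { op: 'call',   dst: 'name', fn: 'decodeURIComponent', args: ['h'] },
  { op: 'assign', dst: 'hi',   srcs: [] },
  { op: 'assign', dst: 'html', srcs: ['hi', 'name'] },
  { op: 'write',  to: 'element.innerHTML', src: 'html' },
  { op: 'read',   dst: 'q',    from: 'location.search' },
  { op: 'call',   dst: 'next', fn: 'getParam', args: ['q'] },
  { op: 'write',  to: 'location.href', src: 'next' },
];
// HARDENED routes both flows through the matching sanitizer, so nothing is reported.
const HARDENED = [
  { op: 'read',   dst: 'h',    from: 'location.hash' },
  { op: 'call',   dst: 'name', fn: 'decodeURIComponent', args: ['h'] },
  { op: 'call',   dst: 'safe', fn: 'escapeHtml', args: ['name'] },
  { op: 'assign', dst: 'hi',   srcs: [] },
  { op: 'assign', dst: 'html', srcs: ['hi', 'safe'] },
  { op: 'write',  to: 'element.innerHTML', src: 'html' },
  { op: 'read',   dst: 'q',    from: 'location.search' },
  { op: 'call',   dst: 'next', fn: 'getParam', args: ['q'] },
  { op: 'call',   dst: 'url',  fn: 'sameOriginUrl', args: ['next'] },
  { op: 'write',  to: 'location.href', src: 'url' },
];
// WRONG_SANITIZER: HTML-escaping does nothing for a redirect sink, so the
// redirect is still reported. Sanitizers are specific to a vulnerability kind.
const WRONG_SANITIZER = [
  { op: 'read',  dst: 'q',    from: 'location.search' },
  { op: 'call',  dst: 'next', fn: 'escapeHtml', args: ['q'] },
  { op: 'write', to: 'location.href', src: 'next' },
];

for (const [name, prog] of [['VULNERABLE', VULNERABLE], ['HARDENED', HARDENED], ['WRONG_SANITIZER', WRONG_SANITIZER]]) {
  console.log(name, analyze(prog));
}
```

Run with Node: VULNERABLE yields two findings (the DOM-based XSS at the innerHTML write and the open redirect at the location.href write), HARDENED yields none, and WRONG_SANITIZER still yields the redirect. The last case is why taint analyses key sanitizers to a vulnerability kind: HTML-escaping a URL does not make it a safe redirect target.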

I chose this article for two reasons. First, it went into detail about what was discussed in class, JavaScript. Secondly, I took this article into consideration because it talked about security concerns with JavaScript. Unfortunately, though, this article was over my head, and I didn't really understand a lot of what was discussed. I found myself googling what ACTARUS is, along with DOM-based XSS. I would recommend this article to others if they were interested in either JavaScript or security concerns with JavaScript.

Source: Guarnieri, S., Dolby, J., Pistoia, M., Teilhet, S., Tripp, O., & Berg, R. (2011, July). Saving the World Wide Web from Vulnerable JavaScript. In Proceedings of the 2011 International Symposium on Software Testing and Analysis (ISSTA '11), pp. 177-187. ACM Digital Library. Retrieved April 28, 2012, from http://0-delivery.acm.org.opac.library.csupomona.edu/10.1145/2010000/2001442/p177-guarnieri.pdf?ip=134.71.59.187&acc=ACTIVE%20SERVICE&CFID=99838758&CFTOKEN=39163740&__acm__=1335645498_b65f3049c3369778fb8a6240527bb904