DOI: 10.1145/1526709.1526838 (research article, ACM conference proceedings, The Web Conference)

Characterizing insecure javascript practices on the web

Published: 20 April 2009

Abstract

JavaScript is an interpreted programming language most often used to enhance the interactivity and functionality of webpages. It has powerful capabilities for interacting with webpage documents and browser windows; however, those same capabilities have opened the door to many browser-based security attacks. Insecure engineering practices in the use of JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risk of browser-based attacks. In this paper, we present the first measurement study of insecure practices in the use of JavaScript on the Web. We focus on the insecure practices of JavaScript inclusion and dynamic generation, and examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common across websites: (1) at least 66.4% of the measured websites manifest the insecure practice of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) for JavaScript dynamic generation, using the document.write() method and the innerHTML property is much more popular than the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators to reduce potential security risks.




Published In

WWW '09: Proceedings of the 18th international conference on World wide web
April 2009
1280 pages
ISBN:9781605584874
DOI:10.1145/1526709

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. AST tree matching
  2. execution-based measurement
  3. javascript
  4. same origin policy
  5. security
  6. web engineering

Qualifiers

  • Research-article

Conference

WWW '09

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Article Metrics

  • Downloads (Last 12 months)48
  • Downloads (Last 6 weeks)4
Reflects downloads up to 05 Mar 2025

Cited By

  • (2024) Integration Model for Face Registration Checkpoint. 2024 21st International Joint Conference on Computer Science and Software Engineering (JCSSE), pp. 432-439. DOI: 10.1109/JCSSE61278.2024.10613670. Published 19 Jun 2024.
  • (2023) A Longitudinal Study of Vulnerable Client-side Resources and Web Developers' Updating Behaviors. Proceedings of the 2023 ACM on Internet Measurement Conference, pp. 162-180. DOI: 10.1145/3618257.3624804. Published 24 Oct 2023.
  • (2023) TrustedDomain Compromise Attack in App-in-app Ecosystems. Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps, pp. 51-57. DOI: 10.1145/3605762.3624430. Published 26 Nov 2023.
  • (2023) The Hitchhiker’s Guide to Facebook Web Tracking with Invisible Pixels and Click IDs. Proceedings of the ACM Web Conference 2023, pp. 2132-2143. DOI: 10.1145/3543507.3583311. Published 30 Apr 2023.
  • (2022) To Block or Not to Block: Accelerating Mobile Web Pages On-The-Fly Through JavaScript Classification. Proceedings of the 2022 International Conference on Information and Communication Technologies and Development, pp. 1-12. DOI: 10.1145/3572334.3572397. Published 27 Jun 2022.
  • (2022) SoK: All or Nothing - A Postmortem of Solutions to the Third-Party Script Inclusion Permission Model and a Path Forward. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pp. 206-222. DOI: 10.1109/EuroSP53844.2022.00021. Published Jun 2022.
  • (2021) Cookie Swap Party: Abusing First-Party Cookies for Web Tracking. Proceedings of the Web Conference 2021, pp. 2117-2129. DOI: 10.1145/3442381.3449837. Published 19 Apr 2021.
  • (2021) On the Runtime and Energy Performance of WebAssembly: Is WebAssembly superior to JavaScript yet? 2021 36th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW), pp. 255-262. DOI: 10.1109/ASEW52652.2021.00056. Published Nov 2021.
  • (2020) On Landing and Internal Web Pages. Proceedings of the ACM Internet Measurement Conference, pp. 680-695. DOI: 10.1145/3419394.3423626. Published 27 Oct 2020.
  • (2020) ThingsMigrate: Platform-independent migration of stateful JavaScript Internet of Things applications. Software: Practice and Experience 51(1), pp. 117-155. DOI: 10.1002/spe.2936. Published 5 Dec 2020.
