DOI: 10.1145/2025113.2025125

Modeling the HTML DOM and browser API in static analysis of JavaScript web applications

Published: 09 September 2011

Abstract

Developers of JavaScript web applications have little tool support for catching errors early in development. In comparison, an abundance of tools exist for statically typed languages, including sophisticated integrated development environments and specialized static analyses. Transferring such technologies to the domain of JavaScript web applications is challenging. In this paper, we discuss the challenges, which include the dynamic aspects of JavaScript and the complex interactions between JavaScript, HTML, and the browser. From this, we present the first static analysis that is capable of reasoning about the flow of control and data in modern JavaScript applications that interact with the HTML DOM and browser API.
One application of such a static analysis is to detect type-related and dataflow-related programming errors. We report on experiments with a range of modern web applications, including Chrome Experiments and IE Test Drive applications, to measure the precision and performance of the technique. The experiments indicate that the analysis is able to show absence of errors related to missing object properties and to identify dead and unreachable code. By measuring the precision of the types inferred for object properties, the analysis is precise enough to show that most expressions have unique types. By also producing precise call graphs, the analysis additionally shows that most invocations in the programs are monomorphic. We furthermore study the usefulness of the analysis to detect spelling errors in the code. Despite the encouraging results, not all problems are solved and some of the experiments indicate a potential for improvement, which allows us to identify central remaining challenges and outline directions for future work.

    Published In

    ESEC/FSE '11: Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering
    September 2011
    548 pages
    ISBN:9781450304436
    DOI:10.1145/2025113
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. program analysis
    2. scripting languages

    Qualifiers

    • Research-article

    Conference

    ESEC/FSE'11

    Acceptance Rates

    Overall Acceptance Rate 17 of 128 submissions, 13%

    Cited By

    • (2024) ReactAppScan: Mining React Application Vulnerabilities via Component Graph. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 585-599. DOI: 10.1145/3658644.3670331. Online publication date: 2-Dec-2024
    • (2024) MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 525-539. DOI: 10.1145/3658644.3670294. Online publication date: 2-Dec-2024
    • (2024) Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-App. IEEE Transactions on Software Engineering 50:12, pp. 3225-3248. DOI: 10.1109/TSE.2024.3479288. Online publication date: 1-Dec-2024
    • (2024) The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web. 2024 IEEE Symposium on Security and Privacy (SP), pp. 166-184. DOI: 10.1109/SP54263.2024.00098. Online publication date: 19-May-2024
    • (2023) CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 2441-2455. DOI: 10.1145/3576915.3616584. Online publication date: 15-Nov-2023
    • (2023) Wemint: Tainting Sensitive Data Leaks in WeChat Mini-Programs. 2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 1403-1415. DOI: 10.1109/ASE56229.2023.00151. Online publication date: 11-Sep-2023
    • (2023) PTDETECTOR: An Automated JavaScript Front-end Library Detector. 2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 649-660. DOI: 10.1109/ASE56229.2023.00049. Online publication date: 11-Sep-2023
    • (2022) An Intelligent Examination Monitoring Tool for Online Student Evaluation. Malaysian Journal of Science and Advanced Technology, pp. 122-130. DOI: 10.56532/mjsat.v2i3.62. Online publication date: 16-Aug-2022
    • (2022) Simulation-assisted machine learning for operational digital twins. Environmental Modelling & Software 148:C. DOI: 10.1016/j.envsoft.2021.105274. Online publication date: 1-Feb-2022
    • (2022) Performance optimization of the MGB hydrological model for multi-core and GPU architectures. Environmental Modelling & Software 148:C. DOI: 10.1016/j.envsoft.2021.105271. Online publication date: 1-Feb-2022