Journal of Tsinghua University (Science and Technology), 2016, Vol. 56, Issue 9: 956-962, 968. DOI: 10.16511/j.cnki.qhdxxb.2016.21.063
Section: Computer Science and Technology
Dynamic taint tracking in JavaScript using revised code
WANG Weiping, BAI Junyang, ZHANG Yuchan, WANG Jianxin
School of Information Science and Engineering, Central South University, Changsha 410083, China
Abstract: The rapid growth of the web has increased the use of JavaScript, especially on websites that require fast interaction between the web server and the client, and this has brought many security problems. This paper presents a dynamic taint tracking method based on revised JavaScript code. The revised code marks sensitive data and tracks the paths along which it is transmitted during JavaScript execution, warning the user of possible leakage of the marked sensitive data. The implementation is independent of the JavaScript engine and can therefore be used in a variety of browsers. Tests show that the method tracks sensitive data effectively and detects abnormal behavior.
Keywords: sensitive data; dynamic taint tracking; JavaScript
CLC number (ZTFLH): TP393.08
Issue Date: 15 September 2016
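The abstract describes rewriting the program so that sensitive data is marked at its source, the mark propagates through the operations applied to it, and a warning is raised when marked data reaches a sink such as a network request. The JavaScript below is an added illustration of that scheme and is not code from the paper: the `Tainted` wrapper, the `taint`, `concat`, `substring`, `encode` and `checkSink` helpers, the sink names and the sample cookie value are all assumptions introduced here to show what a revised program would call in place of native string operators and sink APIs.

```javascript
// Added illustration of source-rewriting dynamic taint tracking in JavaScript.
// Not the paper's implementation; the wrapper, helper names and scenario are assumptions.

// A tainted value carries its string payload plus the set of sources it derives from.
class Tainted {
  constructor(value, sources) {
    this.value = String(value);
    this.sources = new Set(sources);
  }
  toString() { return this.value; }
}
const isTainted = (v) => v instanceof Tainted;
const valueOf = (v) => (isTainted(v) ? v.value : String(v));
const sourcesOf = (v) => (isTainted(v) ? [...v.sources] : []);

// Source: the revised code calls taint() wherever the original read sensitive data,
// e.g. `document.cookie` becomes `taint(document.cookie, 'document.cookie')`.
function taint(value, source) {
  return new Tainted(value, [source]);
}

// Rewritten operations: `a + b` becomes concat(a, b), `s.substring(i, j)` becomes
// substring(s, i, j), and encodeURIComponent(s) becomes encode(s). Each one
// computes the plain result and re-attaches the union of its operands' sources,
// so a mark survives any chain of string manipulation.
function concat(a, b) {
  const sources = sourcesOf(a).concat(sourcesOf(b));
  const value = valueOf(a) + valueOf(b);
  return sources.length ? new Tainted(value, sources) : value;
}
function substring(str, start, end) {
  const value = valueOf(str).substring(start, end);
  return isTainted(str) ? new Tainted(value, str.sources) : value;
}
function encode(str) {
  const value = encodeURIComponent(valueOf(str));
  return isTainted(str) ? new Tainted(value, str.sources) : value;
}

// Sinks: the revised code routes sink writes (image URLs, XHR bodies, ...) through
// checkSink(). A tainted argument is recorded as a warning and the write is refused.
const warnings = [];
function checkSink(sinkName, arg) {
  if (isTainted(arg)) {
    warnings.push({ sink: sinkName, sources: [...arg.sources], value: arg.value });
    return false; // flow flagged; the caller does not perform the write
  }
  return true;
}

// Constructed scenario: the page reads a (sample) cookie, encodes it into a tracking
// URL and assigns that URL to an image, while a second, untainted URL is left alone.
function runScenario() {
  warnings.length = 0;
  const cookie = taint('sessionid=abc123', 'document.cookie'); // constructed sample value
  const title = 'Welcome';                                     // untainted page data
  const leakUrl = concat('https://example.invalid/track?c=', encode(substring(cookie, 0, 16)));
  const cleanUrl = concat('https://example.invalid/logo?t=', title);
  const leakAllowed = checkSink('Image.src', leakUrl);   // false: tainted reaches a sink
  const cleanAllowed = checkSink('Image.src', cleanUrl); // true: no mark attached
  return { leakAllowed, cleanAllowed, warnings: warnings.slice() };
}

// Running the scenario stand-alone prints the single warning for the cookie flow.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

Because every rewritten operation goes through a helper that re-attaches the source set, the tracking depends only on the rewritten program and not on the engine, which is the property the abstract claims; the cost is that every operation the rewriter does not cover (here, anything other than concatenation, substring and URI encoding) would silently drop the mark, so a real rewriter has to cover the whole string and DOM API surface.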
Cite this article: WANG Weiping, BAI Junyang, ZHANG Yuchan, et al. Dynamic taint tracking in JavaScript using revised code [J]. Journal of Tsinghua University (Science and Technology), 2016, 56(9): 956-962, 968.
URL: http://jst.tsinghuajournals.com/EN/10.16511/j.cnki.qhdxxb.2016.21.063 or http://jst.tsinghuajournals.com/EN/Y2016/V56/I9/956