We present a static control-flow analysis for JavaScript programs running in a web browser. Our analysis tackles numerous challenges posed by modern web applications including asynchronous communication, frameworks, and dynamic code generation. We use our analysis to extract a model of expected client behavior as seen from the server, and build an intrusion-prevention proxy for the server: the proxy intercepts client requests and disables those that do not meet the expected behavior. We insert random asynchronous requests to foil mimicry attacks. Finally, we evaluate our technique against several real applications and show that it protects against an attack in a widely-used web application.