JavaScript is an interpreted programming language most often used to enhance webpage interactivity and functionality. It has powerful capabilities for interacting with webpage documents and browser windows; however, it has also opened the door to many browser-based security attacks. Insecure engineering practices in the use of JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risk of browser-based attacks. In this paper, we present the first measurement study of insecure practices in the use of JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common across websites: (1) at least 66.4% of the measured websites include JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) for dynamic JavaScript generation, the document.write() method and the innerHTML property are used far more often than the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators to reduce potential security risks.
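As an added illustration (not code from the paper), the following Node.js auditor flags the three practices the abstract measures in a single HTML document: script inclusion from external domains, eval() calls, and document.write()/innerHTML versus DOM-created script elements. The page host and the HTML are constructed sample values; a site owner would run the same checks over their own pages.

```javascript
// Constructed sample: the page is served from example.com and mixes
// internal, protocol-relative and third-party script inclusions with
// several dynamic-generation patterns inside an inline script.
const SAMPLE_PAGE_HOST = "example.com";
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://ads.tracker.example/ad.js"></script>
<script>
  var cfg = eval("(" + cfgText + ")");          // dynamic code execution
  document.write("<div>" + banner + "</div>");  // dynamic generation
  box.innerHTML = "<b>" + name + "</b>";        // dynamic generation
  var s = document.createElement("script");     // safer DOM-based inclusion
  s.src = "https://static.example.com/widget.js";
  document.head.appendChild(s);
</script>
</head></html>`;

// Resolve a src attribute (absolute, protocol-relative or path-relative)
// against the page's origin and return its hostname, or null if unparsable.
function hostOf(src, pageHost) {
  try { return new URL(src, "https://" + pageHost + "/").hostname.toLowerCase(); }
  catch { return null; }
}

// A script is external when its host is neither the page host nor a subdomain of it.
function isExternal(src, pageHost) {
  const host = hostOf(src, pageHost);
  return host !== null && host !== pageHost && !host.endsWith("." + pageHost);
}

const count = (text, re) => (text.match(re) || []).length;

// Audit one top-level document: list external <script src> targets and
// count the dynamic-generation idioms the abstract distinguishes.
function auditPage(html, pageHost) {
  const findings = { externalScripts: [], evalCalls: 0, documentWrite: 0, innerHtml: 0, domCreated: 0 };
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    if (isExternal(m[1], pageHost)) findings.externalScripts.push(m[1]);
  }
  findings.evalCalls = count(html, /\beval\s*\(/g);
  findings.documentWrite = count(html, /\bdocument\.write(?:ln)?\s*\(/g);
  findings.innerHtml = count(html, /\.innerHTML\s*\+?=/g);
  findings.domCreated = count(html, /createElement\s*\(\s*["']script["']\s*\)/gi);
  return findings;
}

console.log(JSON.stringify(auditPage(SAMPLE_HTML, SAMPLE_PAGE_HOST), null, 2));
```

The counters are textual heuristics over the served HTML, so minified or externally loaded scripts need to be fetched and scanned the same way to get the full picture.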