Transforming text into executable code with a function such as JavaScript's eval endows programmers with the ability to extend applications, at any time, and in almost any way they choose. But, this expressive power comes at a price: reasoning about the dynamic behavior of programs that use this feature becomes challenging. Any ahead-of-time analysis, to remain sound, is forced to make pessimistic assumptions about the impact of dynamically created code. This pessimism affects the optimizations that can be applied to programs and significantly limits the kinds of errors that can be caught statically and the security guarantees that can be enforced. A better understanding of how eval is used could lead to increased performance and security. This paper presents a large-scale study of the use of eval in JavaScript-based web applications. We have recorded the behavior of 337 MB of strings given as arguments to 550,358 calls to the eval function exercised in over 10,000 web sites. We provide statistics on the nature and content of strings used in eval expressions, as well as their provenance and data obtained by observing their dynamic behavior.
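Because an ahead-of-time analysis cannot see what eval will run, a study of this kind has to observe eval at run time. The following is an added example, not code from the paper or its authors: a small recorder that wraps the global eval, classifies each argument string into a few coarse categories (JSON-like literal, property read, property assignment, function, other), records its length and call site, and then checks the semantic cost of wrapping eval this way. The category names, the regexes and the sample eval calls are my own constructions, not the paper's taxonomy or data.

```javascript
// Added example (not from the paper): record and classify the strings passed
// to eval, the kind of data a measurement study of eval collects. The
// categories and regexes are a coarse taxonomy of my own, not the paper's.

// Classify one eval argument string into a coarse category.
function classifyEvalArg(src) {
  const s = String(src).trim();
  if (s === "") return "empty";
  // JSON-like literal, optionally wrapped in parentheses: eval('({"a":1})')
  const unwrapped = s.replace(/^\(([\s\S]*)\);?$/, "$1");
  try {
    JSON.parse(unwrapped);
    return "json";
  } catch (_) { /* not JSON, fall through */ }
  const dotted = "[A-Za-z_$][\\w$]*(?:\\.[A-Za-z_$][\\w$]*)*";
  // Read of a (possibly dotted) name: eval("document.body")
  if (new RegExp("^" + dotted + ";?$").test(s)) return "read";
  // Assignment to a dotted name (a single "=", not "=="): eval("cfg.debug = true")
  if (new RegExp("^" + dotted + "\\s*=(?!=)\\s*[^;]+;?$").test(s)) return "assign";
  // Function definition, IIFE, or arrow function
  if (/^(?:function\b|\(\s*function\b|\([^)]*\)\s*=>)/.test(s)) return "function";
  return "other";
}

// Replace globalObj.eval with a recording wrapper. Returns the record list
// and a function that restores the original eval.
function installEvalRecorder(globalObj) {
  const realEval = globalObj.eval;
  const records = [];
  globalObj.eval = function recordingEval(src) {
    // eval of a non-string returns its argument unchanged; nothing to record
    if (typeof src !== "string") return src;
    records.push({
      kind: classifyEvalArg(src),
      length: src.length,
      // crude provenance: the stack frame of the calling site
      site: String(new Error().stack).split("\n").slice(2, 3).join("").trim(),
    });
    // realEval is no longer reached through the identifier `eval`, so this is
    // an *indirect* eval and the string runs in global scope (see scopeCaveat).
    return realEval(src);
  };
  return { records, uninstall: () => { globalObj.eval = realEval; } };
}

// Aggregate the records the way a measurement study would report them.
function summarize(records) {
  const byKind = {};
  let totalChars = 0;
  for (const r of records) {
    byKind[r.kind] = (byKind[r.kind] || 0) + 1;
    totalChars += r.length;
  }
  return { calls: records.length, totalChars, byKind };
}

// Constructed sample workload (not data from any real site).
function runDemo() {
  const { records, uninstall } = installEvalRecorder(globalThis);
  globalThis.__evalDemo = {};          // hypothetical target for the assignment case
  try {
    eval('({"a":1,"b":[2,3]})');                 // json
    eval("Math.PI");                             // read
    eval("__evalDemo.flag = 1");                 // assign
    eval("(function () { return 40 + 2; })()");  // function
    eval("1+1");                                 // other
  } finally {
    uninstall();
    delete globalThis.__evalDemo;
  }
  return summarize(records);
}

// The price of wrapping eval: a direct eval sees the caller's locals, the
// wrapper's indirect eval does not.
function scopeCaveat() {
  const secret = "local";
  const direct = eval("secret");               // direct eval: "local"
  const { uninstall } = installEvalRecorder(globalThis);
  let viaRecorder;
  try {
    viaRecorder = eval("secret");              // indirect eval: global lookup fails
  } catch (e) {
    viaRecorder = e.name;                      // "ReferenceError"
  } finally {
    uninstall();
  }
  return { direct, viaRecorder };
}
```

The caveat matters for anyone building such instrumentation: replacing the global eval turns every call into an indirect eval, which runs in global scope, so a string that reads a local variable of the caller works under the real eval and throws ReferenceError through the wrapper. A faithful recorder therefore has to live inside the engine (as the paper's does) or rewrite the call sites, not shadow `eval` from script.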