Identifying syntactic differences between two programs
Software—Practice & Experience
Optimally profiling and tracing programs
ACM Transactions on Programming Languages and Systems (TOPLAS)
Web site engineering: beyond Web page design
Web site engineering: beyond Web page design
Designing Data-Intensive Web Applications
Designing Data-Intensive Web Applications
Augmenting abstract syntax trees for program understanding
ASE '97 Proceedings of the 12th international conference on Automated software engineering (formerly: KBSE)
Clone Detection Using Abstract Syntax Trees
ICSM '98 Proceedings of the International Conference on Software Maintenance
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Automatic web news extraction using tree edit distance
Proceedings of the 13th international conference on World Wide Web
Web Engineering: Principles And Techniques
Web Engineering: Principles And Techniques
Web data extraction based on partial tree alignment
WWW '05 Proceedings of the 14th international conference on World Wide Web
Web Engineering
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
SecuBat: a web vulnerability scanner
Proceedings of the 15th international conference on World Wide Web
Cat and mouse: content delivery tradeoffs in web access
Proceedings of the 15th international conference on World Wide Web
Protecting browser state from web privacy attacks
Proceedings of the 15th international conference on World Wide Web
Puppetnets: misusing web browsers as a distributed attack infrastructure
Proceedings of the 13th ACM conference on Computer and communications security
JavaScript instrumentation for browser security
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft
Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft
JavaScript: The Definitive Guide
JavaScript: The Definitive Guide
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Subspace: secure cross-domain communication for web mashups
Proceedings of the 16th international conference on World Wide Web
Exposing private information by timing web applications
Proceedings of the 16th international conference on World Wide Web
A large-scale study of web password habits
Proceedings of the 16th international conference on World Wide Web
A Systematic Approach to Uncover Security Flaws in GUI Logic
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Protection and communication abstractions for web browsers in MashupOS
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
BrowserShield: vulnerability-driven filtering of dynamic HTML
OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Web Engineering: Modelling and Implementing Web Applications (Human-Computer Interaction Series)
Web Engineering: Modelling and Implementing Web Applications (Human-Computer Interaction Series)
Static detection of cross-site scripting vulnerabilities
Proceedings of the 30th international conference on Software engineering
Spectator: detection and containment of JavaScript worms
ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference
Analyzing websites for user-visible security design flaws
Proceedings of the 4th symposium on Usable privacy and security
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
SOMA: mutual approval for included content in web pages
Proceedings of the 15th ACM conference on Computer and communications security
SS'08 Proceedings of the 17th conference on Security symposium
Securing frame communication in browsers
SS'08 Proceedings of the 17th conference on Security symposium
Characterizing insecure javascript practices on the web
Proceedings of the 18th international conference on World wide web
XSS Attacks: Cross Site Scripting Exploits and Defense
XSS Attacks: Cross Site Scripting Exploits and Defense
Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Your botnet is my botnet: analysis of a botnet takeover
Proceedings of the 16th ACM conference on Computer and communications security
BogusBiter: A transparent protection against phishing attacks
ACM Transactions on Internet Technology (TOIT)
Detection and analysis of drive-by-download attacks and malicious JavaScript code
Proceedings of the 19th international conference on World wide web
An analysis of the dynamic behavior of JavaScript programs
PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
An automatic HTTP cookie management system
Computer Networks: The International Journal of Computer and Telecommunications Networking
AjaxScope: A Platform for Remotely Monitoring the Client-Side Behavior of Web 2.0 Applications
ACM Transactions on the Web (TWEB)
On the Incoherencies in Web Browser Access Control Policies
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
GATEKEEPER: mostly static enforcement of security and reliability policies for javascript code
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
The multi-principal OS construction of the gazelle web browser
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
JSMeter: comparing the behavior of JavaScript benchmarks with real web applications
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
Prophiler: a fast filter for the large-scale detection of malicious web pages
Proceedings of the 20th international conference on World wide web
Of passwords and people: measuring the effect of password-composition policies
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Fast and precise sanitizer analysis with BEK
SEC'11 Proceedings of the 20th USENIX conference on Security
ZOZZLE: fast and precise in-browser JavaScript malware detection
SEC'11 Proceedings of the 20th USENIX conference on Security
The eval that men do: A large-scale study of the use of eval in javascript applications
Proceedings of the 25th European conference on Object-oriented programming
Automated construction of JavaScript benchmarks
Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
You are what you include: large-scale evaluation of remote javascript inclusions
Proceedings of the 2012 ACM conference on Computer and communications security
Preventing the revealing of online passwords to inappropriate websites with logininspector
lisa'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques
Proceedings of the third ACM conference on Data and application security and privacy
Hi-index | 0.00 |
JavaScript is an interpreted programming language most often used for enhancing webpage interactivity and functionality. It has powerful capabilities to interact with webpage documents and browser windows, however, it has also opened the door for many browser-based security attacks. Insecure engineering practices of using JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risks of browser-based attacks. In this article, we present the first measurement study on insecure practices of using JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common at various websites: (1) at least 66.4% of the measured websites manifest the insecure practices of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) in JavaScript dynamic generation, using the document.write() method and the innerHTML property is much more popular than using the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators for reducing potential security risks.