A measurement study of insecure javascript practices on the web

Published: 29 May 2013
Abstract

JavaScript is an interpreted programming language most often used for enhancing webpage interactivity and functionality. It has powerful capabilities to interact with webpage documents and browser windows; however, it has also opened the door for many browser-based security attacks. Insecure engineering practices of using JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risks of browser-based attacks. In this article, we present the first measurement study on insecure practices of using JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common at various websites: (1) at least 66.4% of the measured websites manifest the insecure practice of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) in JavaScript dynamic generation, using the document.write() method and the innerHTML property is much more popular than using the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators for reducing potential security risks.
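The three practices the abstract measures (cross-domain script inclusion in the top-level document, eval(), and dynamic generation via document.write()/innerHTML rather than DOM-created script elements) can be audited statically from a page's HTML. The following is an added example written for this page, not code from the paper or its authors; the page origin `https://www.example.com/` and the sample HTML are constructed for the demonstration, and the regex-based script extraction is a deliberate simplification of a real parser.

```javascript
// Added example (not from the paper): a static audit that flags, in one HTML
// document, the insecure JavaScript practices the abstract measures:
//  (1) <script src> pointing at a host other than the page's own origin,
//  (2) eval() in inline scripts, and
//  (3) dynamic generation via document.write()/innerHTML, reported beside the
//      safer DOM technique (document.createElement("script")).
// PAGE_ORIGIN and SAMPLE_PAGE are constructed for the demonstration.
const PAGE_ORIGIN = "https://www.example.com/";

const SAMPLE_PAGE = `
<html><head>
<script src="/js/app.js"></script>
<script type="text/javascript" src="//cdn.example.net/widget.js"></script>
<script>
  var cfg = eval("(" + rawJson + ")");
  document.write("<div id='ad'></div>");
  document.getElementById("x").innerHTML = userHtml;
</script>
<script>
  var s = document.createElement("script");
  s.src = "/js/lazy.js";
  document.body.appendChild(s);
</script>
</head><body><div id="x"></div></body></html>`;

// Checks applied to each inline script body, in a fixed order.
const INLINE_CHECKS = [
  { kind: "eval", detail: "eval()", re: /\beval\s*\(/ },
  { kind: "dynamic-generation", detail: "document.write()", re: /\bdocument\.write(?:ln)?\s*\(/ },
  { kind: "dynamic-generation", detail: "innerHTML", re: /\.innerHTML\s*=(?!=)/ },
  { kind: "dom-script-element", detail: 'createElement("script")',
    re: /document\.createElement\s*\(\s*["']script["']\s*\)/ },
];

function auditScripts(html, pageOrigin) {
  const pageHost = new URL(pageOrigin).host;
  // Fresh regex per call so the global-match cursor never leaks between runs.
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const srcAttr = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i;
  const findings = [];
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = srcAttr.exec(attrs);
    if (src) {
      // Resolve relative and protocol-relative URLs against the page's origin
      // so that only truly cross-host inclusions are reported.
      const host = new URL(src[1], pageOrigin).host;
      if (host !== pageHost) findings.push({ kind: "external-inclusion", detail: host });
      continue; // browsers ignore the body of a script element that has src
    }
    for (const c of INLINE_CHECKS) {
      if (c.re.test(body)) findings.push({ kind: c.kind, detail: c.detail });
    }
  }
  return findings;
}

// Counts findings per kind, the shape in which the paper reports prevalence.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

console.log(summarize(auditScripts(SAMPLE_PAGE, PAGE_ORIGIN)));
```

Running the audit over the sample page reports one external inclusion (cdn.example.net), one eval(), two dynamic-generation sites and one DOM-created script element; the same-origin `/js/app.js` inclusion is not flagged.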



Published In

ACM Transactions on the Web, Volume 7, Issue 2
May 2013
244 pages
ISSN: 1559-1131
EISSN: 1559-114X
DOI: 10.1145/2460383

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 29 May 2013
Accepted: 01 February 2013
Revised: 01 November 2012
Received: 01 February 2011
Published in TWEB Volume 7, Issue 2


Author Tags

1. AST tree matching
2. JavaScript
3. Web engineering
4. execution-based measurement
5. same origin policy
6. security

Qualifiers

• Research-article
• Research
• Refereed
