A measurement study of insecure javascript practices on the web

Authors: Chuan Yue, Haining Wang

DOI: 10.1145/2460383.2460386

Keywords: Computer science, JavaScript, Web engineering, World Wide Web, Interpreted language, Rich Internet application, Web page, Unobtrusive JavaScript, Same-origin policy, Computer security, Interactivity

Abstract: JavaScript is an interpreted programming language most often used for enhancing webpage interactivity and functionality. It has powerful capabilities to interact with webpage documents and browser windows; however, it has also opened the door to many browser-based security attacks. Insecure engineering practices of using JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risks of browser-based attacks. In this article, we present the first measurement study on insecure practices of using JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common at various websites: (1) at least 66.4% of the measured websites manifest the insecure practice of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) in JavaScript dynamic generation, using the document.write() method and the innerHTML property is much more popular than using the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators for reducing potential risks.
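As an added example (not code from the paper or its authors), the following Node.js script performs a small static version of the measurement the abstract describes: it counts script inclusions from hosts other than the page's own and occurrences of eval(), document.write(), innerHTML assignment and DOM script-element creation in inline code. The sample page, its hosts and paths are constructed assumptions.

```javascript
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Dynamic-generation practices named in the abstract, as source-text patterns.
const PRACTICES = {
  eval: /\beval\s*\(/g,                             // string-to-code execution
  documentWrite: /\bdocument\.write(ln)?\s*\(/g,    // raw markup injection
  innerHTML: /\.innerHTML\s*\+?=(?!=)/g,            // raw markup injection
  domScriptElement: /createElement\s*\(\s*["']script["']\s*\)/g, // safer alternative
};

// pageUrl is the top-level page's URL; html is its markup as text.
// Returns counts of external script inclusions and of each practice in inline code.
function auditPageScripts(pageUrl, html) {
  const pageHost = new URL(pageUrl).hostname;
  const result = { inlineScripts: 0, externalScripts: 0, externalHosts: [],
                   eval: 0, documentWrite: 0, innerHTML: 0, domScriptElement: 0 };
  for (const [, attrs, body] of html.matchAll(SCRIPT_TAG)) {
    const src = attrs.match(SRC_ATTR);
    if (src) {
      // Resolve relative and protocol-relative URLs against the page; a script
      // served from another host is an external inclusion (practice 1).
      const host = new URL(src[1], pageUrl).hostname;
      if (host !== pageHost) {
        result.externalScripts += 1;
        if (!result.externalHosts.includes(host)) result.externalHosts.push(host);
      }
      continue;
    }
    result.inlineScripts += 1;
    for (const [name, re] of Object.entries(PRACTICES)) {
      result[name] += (body.match(re) || []).length;
    }
  }
  return result;
}

// Constructed sample page (not a real site) mixing the measured practices.
const SAMPLE_HTML = `<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="//ads.example.org/track.js"></script>
</head><body><script>
  var cfg = eval("(" + raw + ")");
  document.write('<script src="https://cdn.example.net/x.js"><\\/script>');
  box.innerHTML = userHtml;
  var s = document.createElement('script'); s.src = '/js/extra.js';
  document.head.appendChild(s);
</script></body></html>`;

console.log(auditPageScripts('https://www.example.com/', SAMPLE_HTML));
```

Because the scan is purely static, the script tag written at runtime by document.write() in the sample is not counted as an inclusion; seeing such dynamically generated inclusions requires executing the page in a browser, which is why the study measures dynamic generation separately.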
