ScriptProtect

Musch, Marius; Steffens, Marius; Roth, Sebastian; Stock, Ben; Johns, Martin

doi:10.1145/3321705.3329841

Cited by 12 publications

(1 citation statement)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The great majority of these tools is, however, aimed at PHP-based web applications. Most of the existing tools for JavaScript are aimed at client-side JavaScript code and its specific vulnerabilities: for instance, DOM-based XSS [88], [89], unrestricted inclusion of third-party cross-origin scripts [90], and potentially malicious flows via client-side persistent storage [8].…”

Section: Related Workmentioning

confidence: 99%

Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

et al. 2023

View full text Add to dashboard Cite

With the emergence of the Node.js ecosystem, JavaScript has become a widely used programming language for implementing server-side web applications. In this article, we present the first empirical study of static code analysis tools for detecting vulnerabilities in Node.js code. To conduct a comprehensive tool evaluation, we created the largest known curated dataset of Node.js code vulnerabilities. We characterized and annotated a set of 957 vulnerabilities by analyzing information contained in npm advisory reports. We tested nine different tools and found that many important vulnerabilities appearing in the OWASP top-10 are not detected by any tool. The three best performing tools combined only detect up to 57.6% of all vulnerabilities in the dataset, but at a very low precision of 0.11%. Our curated dataset offers a new benchmark to help characterize existing Node.js code vulnerabilities and foster the development of better vulnerability detection tools for Node.js code.

show abstract

Section: Related Workmentioning

confidence: 99%

Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

et al. 2023

View full text Add to dashboard Cite

show abstract

MyWebGuard: Toward a User-Oriented Tool for Security and Privacy Protection on the Web

Hiremath

Armentrout

et al. 2019

Future Data and Security Engineering

View full text Add to dashboard Cite

A User-Oriented Approach and Tool for Security and Privacy Protection on the Web

et al. 2020

View full text Add to dashboard Cite

We introduce a novel approach to protecting the privacy of web users. We propose to monitor the behaviors of JavaScript code within a web origin based on the source of the code, i.e., code origin, to detect and prevent malicious actions that would compromise users' privacy. Our code-origin policy enforcement approach not only advances the conventional same-origin policy standard but also goes beyond the "all-or-nothing" contemporary ad-blockers and tracker-blockers. In particular, our monitoring mechanism does not rely on browsers' network request interception and blocking as in existing blockers. In contrast, we monitor the code that reads or sends user data sent out of the browser to enforce fine-grained and context-aware policies based on the origin of the code. We implement a proof-of-concept prototype and perform practical evaluations to demonstrate the effectiveness of our approach. Our experimental results evidence that the proposed method can detect and prevent data leakage channels not captured by the leading tools such as Ghostery and uBlock Origin. We show that our prototype is compatible with major browsers and popular real-world websites with promising runtime performance. Although implemented as a browser extension, our approach is browser-agnostic and can be integrated into the core of a browser as it is based on standard JavaScript.

show abstract

ScriptProtect

Cited by 12 publications

References 20 publications

Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

MyWebGuard: Toward a User-Oriented Tool for Security and Privacy Protection on the Web

A User-Oriented Approach and Tool for Security and Privacy Protection on the Web

Contact Info

Product

Resources

About