Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web

@article{Lauinger2017ThouSN,
  title={Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web},
  author={Tobias Lauinger and Abdelberi Chaabane and Sajjad Arshad and William K. Robertson and Christo Wilson and Engin Kirda},
  journal={ArXiv},
  year={2017},
  volume={abs/1811.00918}
}
Web developers routinely rely on third-party JavaScript libraries such as jQuery to enhance the functionality of their sites. [...] Key Result: This demonstrates that not only website administrators, but also the dynamic architecture and developers of third-party services are to blame for the Web's poor state of library management. The results of our work underline the need for more thorough approaches to dependency management, code maintenance and third-party code inclusion on the Web.
ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices
TLDR
ScriptProtect is proposed, a non-intrusive transparent protective measure to address security issues introduced by external script resources that effectively removes the root cause of Client-Side XSS without affecting first-party code in this respect.
Extracting Taint Specifications for JavaScript Libraries
TLDR
This work proposes a technique for automatically extracting taint specifications for JavaScript libraries, based on a dynamic analysis that leverages the existing test suites of the libraries and their available clients in the npm repository, and shows that this approach is effective at inferring useful taint specifications at scale.
Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers
TLDR
A large-scale study of ReDoS vulnerabilities in real-world web sites, identifying 25 previously unknown vulnerabilities in popular modules and testing 2,846 of the most popular websites against them, finding that 339 of these web sites suffer from at least one ReDoS vulnerability.
Riding out DOMsday: Towards Detecting and Preventing DOM Cross-Site Scripting
TLDR
It is found that custom HTML templating designs (a design pattern that could prevent DOM XSS vulnerabilities analogous to parameterized SQL) can be buggy in practice, allowing DOM XSS attacks.
Assessing the Impact of Script Gadgets on CSP at Scale
The Web, as one of the core technologies of modern society, has profoundly changed the way we interact with people and data. One of the worst attacks on the Web is Cross-Site Scripting (XSS), in
On the Integrity of Cross-Origin JavaScripts
TLDR
According to the empirical results based on a ten day polling period of over 35 thousand scripts collected from popular websites, temporal integrity changes are relatively common and it is possible to statistically predict whether a temporal integrity change is likely to occur.
VisibleV8: In-browser Monitoring of JavaScript in the Wild
TLDR
VisibleV8 is a dynamic analysis framework hosted inside V8, the JS engine of the Chrome browser, that logs native function or property accesses during any JS execution and consistently outperforms equivalent inline instrumentation, and it intercepts accesses impossible to instrument inline.
Keep me Updated: An Empirical Study of Third-Party Library Updatability on Android
TLDR
This paper makes the first contribution towards solving the problem of library outdatedness on Android by conducting a large-scale library updatability analysis of 1,264,118 apps to show that 97.8% out of 16,837 actively used library versions with a known security vulnerability could be easily fixed through a drop-in replacement of the vulnerable library with the fixed version.
U Can't Debug This: Detecting JavaScript Anti-Debugging Techniques in the Wild
TLDR
This paper introduces 9 anti-debugging techniques and discusses their advantages and drawbacks, and conducts a large-scale study on 6 of them, finding that as many as 1 out of 550 websites contain severe anti-debugging measures, with multiple of these techniques active on the same site.
Detecting and understanding JavaScript global identifier conflicts on the web
TLDR
This research developed a browser-based analysis framework, JSObserver, to collect and analyze the write operations to global memory locations by JavaScript code, and revealed that JavaScript global identifier conflicts are prevalent and could cause behavior deviation at run time.

References

SHOWING 1-10 OF 48 REFERENCES
A measurement study of insecure javascript practices on the web
TLDR
This article presents the first measurement study on insecure practices of using JavaScript on the Web, and indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators for reducing potential security risks.
You are what you include: large-scale evaluation of remote javascript inclusions
TLDR
A large-scale crawl of more than three million pages of the top 10,000 Alexa sites is reported, showing that in some cases, top Internet sites trust remote providers that could be successfully compromised by determined attackers and subsequently serve malicious JavaScript.
Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis
TLDR
The solution presented in this paper stops XSS attacks on the client side by tracking the flow of sensitive information inside the web browser and if sensitive information is about to be transferred to a third party, the user can decide if this should be permitted or not.
FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications
TLDR
This work provides empirical evidence that CSV vulnerabilities are not merely conceptual but are prevalent in today’s web applications, and proposes dynamic analysis techniques to systematically discover vulnerabilities of this class.
25 million flows later: large-scale detection of DOM-based XSS
TLDR
This paper presents a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach.
The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching
TLDR
This first systematic study of patch deployment in client-side vulnerabilities from 10 popular client applications is presented, and several new threats presented by multiple installations of the same program and by shared libraries distributed with several applications are identified.
Reliable Third-Party Library Detection in Android and its Security Applications
TLDR
This paper proposes a library detection technique that is resilient against common code obfuscations and that is capable of pinpointing the exact library version used in apps, and is the first to quantify the security impact of third-party libs on the Android ecosystem.
Lightweight Integrity Protection for Web Storage-driven Content Caching
The term Web storage summarizes a set of browser-based technologies that allow application-level persistent storage of key/value pairs on the client-side. These capabilities are frequently used for
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
TLDR
Because of the often highly dynamic nature of these inclusions as well as the use of advanced cloaking techniques in contemporary malware, it is exceedingly difficult to preemptively recognize and block inclusions of malicious third-party content before it has the chance to attack the user’s system.
The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites
TLDR
This work collected postMessage receivers from the Alexa top 10,000 websites and found that many perform origin checks incorrectly or not at all, which results in exploitable vulnerabilities in 84 popular sites, including cross-site scripting and injection of arbitrary content into local storage.