Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web

Tobias Lauinger, Abdelberi Chaabane, Sajjad Arshad, William K. Robertson, Christo Wilson, Engin Kirda
Web developers routinely rely on third-party JavaScript libraries such as jQuery to enhance the functionality of their sites. [...]

Key result: This demonstrates that not only website administrators, but also the dynamic architecture and developers of third-party services are to blame for the Web's poor state of library management. The results of our work underline the need for more thorough approaches to dependency management, code maintenance and third-party code inclusion on the Web.

ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices

ScriptProtect is proposed, a non-intrusive transparent protective measure to address security issues introduced by external script resources that effectively removes the root cause of Client-Side XSS without affecting first-party code in this respect.

Extracting Taint Specifications for JavaScript Libraries

This work proposes a technique for automatically extracting taint specifications for JavaScript libraries, based on a dynamic analysis that leverages the existing test suites of the libraries and their available clients in the npm repository, and shows that this approach is effective at inferring useful taint specifications at scale.

Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers

A large-scale study of ReDoS vulnerabilities in real-world web sites, identifying 25 previously unknown vulnerabilities in popular modules and testing 2,846 of the most popular websites against them, finding that 339 of these web sites suffer from at least one ReDoS vulnerability.

Riding out DOMsday: Towards Detecting and Preventing DOM Cross-Site Scripting

It is found that custom HTML templating designs (a design pattern that could prevent DOM XSS vulnerabilities analogous to parameterized SQL) can be buggy in practice, allowing DOM XSS attacks.

Assessing the Impact of Script Gadgets on CSP at Scale

Is securely deploying CSP even possible without a priori knowledge of all files hosted on even a partially trusted origin?

On the Integrity of Cross-Origin JavaScripts

According to the empirical results based on a ten day polling period of over 35 thousand scripts collected from popular websites, temporal integrity changes are relatively common and it is possible to statistically predict whether a temporal integrity change is likely to occur.

VisibleV8: In-browser Monitoring of JavaScript in the Wild

VisibleV8 is a dynamic analysis framework hosted inside V8, the JS engine of the Chrome browser, that logs native function or property accesses during any JS execution and consistently outperforms equivalent inline instrumentation, and it intercepts accesses impossible to instrument inline.

JSISOLATE: lightweight in-browser JavaScript isolation

A lightweight browser-based framework that provides an isolated and reliable JavaScript execution environment, JSIsolate, that injects scripts into different isolated environments based on their dependency relationship and executes scripts with independent functionalities in different contexts, effectively preventing them from interfering with each other.

Keep me Updated: An Empirical Study of Third-Party Library Updatability on Android

This paper makes the first contribution towards solving the problem of library outdatedness on Android by conducting a large-scale library updatability analysis of 1,264,118 apps to show that 97.8% out of 16,837 actively used library versions with a known security vulnerability could be easily fixed through a drop-in replacement of the vulnerable library with the fixed version.

U Can't Debug This: Detecting JavaScript Anti-Debugging Techniques in the Wild

This paper introduces 9 anti-debugging techniques and discusses their advantages and drawbacks, and conducts a large-scale study on 6 of them, finding that as many as 1 out of 550 websites contain severe anti-debugging measures, with multiple of these techniques active on the same site.



A measurement study of insecure javascript practices on the web

This article presents the first measurement study on insecure practices of using JavaScript on the Web, and indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators for reducing potential security risks.

You are what you include: large-scale evaluation of remote javascript inclusions

A large-scale crawl of more than three million pages of the top 10,000 Alexa sites is reported, showing that in some cases, top Internet sites trust remote providers that could be successfully compromised by determined attackers and subsequently serve malicious JavaScript.

Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis

The solution presented in this paper stops XSS attacks on the client side by tracking the flow of sensitive information inside the web browser and if sensitive information is about to be transferred to a third party, the user can decide if this should be permitted or not.

FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications

This work provides empirical evidence that CSV vulnerabilities are not merely conceptual but are prevalent in today’s web applications, and proposes dynamic analysis techniques to systematically discover vulnerabilities of this class.

25 million flows later: large-scale detection of DOM-based XSS

This paper presents a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach.

The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching

This first systematic study of patch deployment in client-side vulnerabilities from 10 popular client applications is presented, and several new threats presented by multiple installations of the same program and by shared libraries distributed with several applications are identified.

Reliable Third-Party Library Detection in Android and its Security Applications

This paper proposes a library detection technique that is resilient against common code obfuscations and that is capable of pinpointing the exact library version used in apps, and is first to quantify the security impact of third-party libs on the Android ecosystem.

Lightweight Integrity Protection for Web Storage-driven Content Caching

This paper presents three possible attack scenarios that showcase how an attacker is able to inject code into web storage and proposes a lightweight integrity protecting mechanism that allows developers to store markup and code fragments in Web storage without risking a potential compromise.

Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions

Because of the often highly dynamic nature of these inclusions as well as the use of advanced cloaking techniques in contemporary malware, it is exceedingly difficult to preemptively recognize and block inclusions of malicious third-party content before it has the chance to attack the user’s system.

The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites

This work collected postMessage receivers from the Alexa top 10,000 websites and found that many perform origin checks incorrectly or not at all, which results in exploitable vulnerabilities in 84 popular sites, including cross-site scripting and injection of arbitrary content into local storage.