In a few weeks, our team is going to publish a new research whitepaper, which explores the prevalence of client-side JavaScript vulnerabilities such as DOM-based XSS, in real world web applications. For this research, we used a new IBM technology called JavaScript Security Analyzer (JSA), which performs static taint analysis on JavaScript code that was collected from web pages extracted by an automated deep web crawl process. JSA is included in Rational AppScan Standard Edition v8.0, which was recently launched.
Here’s a short summary which explains how JSA works:
JSA goes over all URLs visited by AppScan’s web crawler, one by one. For each URL, JSA saves the entire HTTP response stream. JSA then looks for JavaScript entry points in the current visited URL, and applies a set of JavaScript-specific taint analysis rules. These rules include specifications of source, sink, and sanitizer functions. JSA reports on data flows from source to sink that do not go through a sanitizer. JSA reports on six different issue types: DOM-based XSS, JavaScript Code Injection, JavaScript Open-Redirect, CSRF Bypass, Dual Session Issues, Port Manipulations, Protocol Manipulations.
Issues reported by JSA appear in AppScan Standard Edition. Trace information for each issue is displayed in the issue information pane in AppScan (see image below)
In essence, JSA enjoys the best of both dynamic and static analysis, amalgamating the two approaches, in order to assess JavaScript code in its natural environment accurately.
Stay tuned for the upcoming whitepaper, and in the meanwhile, you can download and enjoy JSA in AppScan Standard Edition v8.0:
http://www-01.ibm.com/software/awdtools/appscan/standard/
Here’s a list of all the new features in AppScan Standard Edition v8.0:
Comments