jÄk: Using Dynamic Analysis to Crawl and Test Modern Web Applications

Pellegrino, Giancarlo and Tschürtz, Constantin and Bodden, Eric and Rossow, Christian
(2015) jÄk: Using Dynamic Analysis to Crawl and Test Modern Web Applications.
In: Research in Attacks, Intrusions, and Defenses - 18th International Symposium, RAID 2015, Kyoto, Japan, November 2-4, 2015, Proceedings.
Conference: RAID The International Symposium on Research in Attacks, Intrusions and Defenses (was International Symposium on Recent Advances in Intrusion Detection)

[img]
Preview
 Text
jAEk_raid2015.pdf
Download (367kB) | Preview

Abstract

Web application scanners are popular tools to perform black box testing and are widely used to discover bugs in websites. For them to work effectively, they either rely on a set of URLs that they can test, or use their own implementation of a crawler that discovers new parts of a web application. Traditional crawlers would extract new URLs by parsing HTML documents and applying static regular expressions. While this approach can extract URLs in classic web applications, it fails to explore large parts of modern JavaScript-based applications. In this paper, we present a novel technique to explore web applications based on the dynamic analysis of the client-side JavaScript program. We use dynamic analysis to hook JavaScript APIs, which enables us to detect the registration of events, the use of network communication APIs, and dynamically-generated URLs or user forms. We then propose to use a navigation graph to perform further crawling. Based on this new crawling technique, we present j¨Ak, a web application scanner. We compare jÄk against four existing web-application scanners on 13 web applications. The experiments show that our approach can explore a surface of the web applications that is 86% larger than with existing approaches.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Additional Information: pub_id: 1021 Bibtex: DBLP:conf/raid/PellegrinoTBR15 URL date: None
Uncontrolled Keywords: security testing,web security
Divisions: Christian Rossow (System Security Group, SysSec)
Conference: RAID The International Symposium on Research in Attacks, Intrusions and Defenses (was International Symposium on Recent Advances in Intrusion Detection)
Depositing User: Sebastian Weisgerber
Date Deposited: 26 Jul 2017 10:30
Last Modified: 18 Jul 2019 12:12
Primary Research Area: NRA5: Empirical & Behavioral Security
URI: https://publications.cispa.saarland/id/eprint/538

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.