MATCH (w { Code: 'window' })<-[:AST_parentOf{RelationType: 'object'}]-(p { Type: 'MemberExpression' })-[:AST_parentOf{RelationType: 'property'}]->(l { Code: 'location' }), (p)<-[:AST_parentOf{RelationType: 'object'}]-(gp { Type: 'MemberExpression' })-[:AST_parentOf{RelationType: 'property'}]->(h { Code: 'hash' }), (gp)<-[:AST_parentOf { RelationType: 'left' }]-(t { Type: 'AssignmentExpression' })-[:AST_parentOf{RelationType: 'right'}]->(v), (t)<-[:AST_parentOf { RelationType: 'expression' }]-(topsource { Type: 'ExpressionStatement' }), (n { Type: 'Identifier' })<-[:AST_parentOf { RelationType: 'property' }]-(parent)<-[:AST_parentOf*1..3]-(topsink)

A Graph-based Security Analysis Framework for Client-side JavaScript at Scale

Overview

JAW is a static-dynamic, scalable framework for analyzing JavaScript programs to detect client-side vulnerabilities.

Features:

  • Chromium-based crawler(s) enhanced with DevTools Protocol and Browser Extensions APIs
    • Can collect webpages, scripts, events, DOM snapshots, network messages, web storage values, and cookies
  • Implementation of hybrid Code Property Graphs (HPGs) for JavaScript
  • Interactive detection or automatic exploration of vulnerable program behaviours
    • Declarative Cypher queries
    • ORM support with Python
  • Self-contained, built-in queries to detect client-side CSRF, Request Hijacking and DOM Clobbering vulnerabilities.
  • Design and perform custom security-related program analyses:
    • Data flow analysis between pre-defined JavaScript sources and sinks
    • Control flow and reachability analysis
    • Resolution of DOM query selectors leveraging DOM snapshots
    • Pattern matching via the Abstract Syntax Tree (AST)

How It Works

  • JAW is based on property graphs and the neo4j graph database.
  • It creates a graph database for the input program, and queries it for security testing.
  • JAW can test both full-fledged web applications and individual JavaScript programs.

Feature 1: Testing Web Applications

$ python3 -m run_pipeline -h

usage: run_pipeline.py [-h] [--conf FILE] [--site SITE] [--list LIST] [--from FROM] [--to TO]

This script runs the tool pipeline.

optional arguments:
  -h, --help            show this help message and exit
  --conf FILE, -C FILE  pipeline configuration file. (default: config.yaml)
  --site SITE, -S SITE  website to test; overrides config file (default: None)
  --list LIST, -L LIST  site list to test; overrides config file (default: None)
  --from FROM, -F FROM  the first entry to consider when a site list is provided; overrides config file (default: -1)
  --to TO, -T TO        the last entry to consider when a site list is provided; overrides config file (default: -1)

Feature 2: Testing JavaScript Files

$ python3 -m analyses.example.example_analysis --input=$(pwd)/data/test_program/test.js

To write custom queries, learn more about the data model of the constructed property graph, including its nodes, edges, and syntax tree.
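As an added illustration of that data model (not JAW's own code), the following Python models in memory the graph shape that the Cypher query at the top of this page traverses, and re-implements its opening pattern: an ExpressionStatement whose AssignmentExpression writes to window.location.hash. The node and edge property names (Type, Code, AST_parentOf with a RelationType) come from the page's query; the Node class, helpers and sample program are constructed stand-ins.

```python
# Toy in-memory model of the property-graph shape JAW's Cypher queries walk.
# Node/edge property names follow the query on this page; everything else is
# a constructed stand-in, not JAW's code or its neo4j schema.
from dataclasses import dataclass, field

@dataclass
class Node:
    Type: str
    Code: str = ""
    # outgoing AST_parentOf edges as (RelationType, child); the Cypher pattern
    # (child)<-[:AST_parentOf{RelationType: r}]-(parent) reads in this direction
    children: list = field(default_factory=list)

    def child(self, rel):
        """Follow the AST_parentOf edge labelled `rel`, or return None."""
        return next((c for r, c in self.children if r == rel), None)

def node(Type, Code="", **rels):
    """Build a node; each keyword name is the RelationType of the edge to that child."""
    return Node(Type, Code, list(rels.items()))

def ident(name):
    return node("Identifier", name)

def is_window_location_hash(n):
    """Mirror the chain w<-object-p->property:location, p<-object-gp->property:hash."""
    if n is None or n.Type != "MemberExpression":
        return False
    gp_prop, p = n.child("property"), n.child("object")
    if not (gp_prop and gp_prop.Code == "hash" and p and p.Type == "MemberExpression"):
        return False
    p_prop, w = p.child("property"), p.child("object")
    return bool(p_prop and p_prop.Code == "location" and w and w.Code == "window")

def find_location_hash_writes(statements):
    """Return the right-hand side Code of every `window.location.hash = <expr>;`
    statement, i.e. the (topsource, v) part of the page's query."""
    writes = []
    for s in statements:
        t = s.child("expression") if s.Type == "ExpressionStatement" else None
        if t and t.Type == "AssignmentExpression" and is_window_location_hash(t.child("left")):
            writes.append(t.child("right").Code)
    return writes

# Constructed sample program:  window.location.hash = userInput; document.title = "x";
PROGRAM = [
    node("ExpressionStatement", expression=node("AssignmentExpression",
        left=node("MemberExpression",
                  object=node("MemberExpression", object=ident("window"), property=ident("location")),
                  property=ident("hash")),
        right=ident("userInput"))),
    node("ExpressionStatement", expression=node("AssignmentExpression",
        left=node("MemberExpression", object=ident("document"), property=ident("title")),
        right=node("Literal", '"x"'))),
]

if __name__ == "__main__":
    print(find_location_hash_writes(PROGRAM))  # ['userInput']
```

In JAW itself the same pattern is expressed declaratively in Cypher against the neo4j database, as in the query shown at the top of this page; this snippet only makes the edge directions and RelationType labels concrete.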

Publications

JAW has been developed over the course of the following publications:

1. Client-side CSRF @USENIX Security'21 [ Paper ]

BibTeX
@inproceedings {JAW,
  title = {JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals},
  author= {Soheil Khodayari and Giancarlo Pellegrino},
  booktitle = {30th {USENIX} Security Symposium ({USENIX} Security 21)},
  year = {2021},
  address = {Vancouver, B.C.},
  publisher = {{USENIX} Association},
  month = aug,
}

2. DOM Clobbering @IEEE SP'23 [ Paper ] [ Website ]

BibTeX
@inproceedings {SKhodayariSP23TheThing,
  author = {Soheil Khodayari and Giancarlo Pellegrino},
  title = {It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses},
  booktitle = {Proceedings of the 44th IEEE Symposium on Security and Privacy},
  year = {2023},
}

3. Request Hijacking @IEEE SP'24 [ Paper ]

BibTeX
@inproceedings {SKhodayariSP24Sheriff,
  author = {Soheil Khodayari, Thomas Barber, and Giancarlo Pellegrino},
  title = {The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web},
  booktitle = {To appear at proceedings of the 45th IEEE Symposium on Security and Privacy},
  year = {2024},
}