JAW

Overview

JAW is a static-dynamic, scalable framework to analyze JavaScript programs for the detection of client-side vulnerabilities

Features:

Chromium-based crawler(s) enhanced with DevTools Protocol and Browser Extensions APIs

Can collect webpages, scripts, events, DOM snapshots, network messages, web storage values, and cookies

Implementation of hybrid Code Property Graphs (HPGs) for JavaScript
Interactive detection or automatic exploration of vulnerable program behaviours

Declarative Cypher queries
ORM support with Python

Self-contained, built-in queries to detect client-side CSRF, Request Hijacking and DOM Clobbering vulnerabilities.
Design and perform custom security-related program analyses:
- Data flow analysis between pre-defined JavaScript sources and sinks
- Control flow and reachability analysis
- Resolution of DOM query selectors leveraging DOM snapshots
- Pattern matching via the Abstract Syntax Tree (AST)

How It Works?

JAW is based on property graphs and the neo4j graph database.
It creates a graph database for the input program, and queries it for security testing.
JAW can test both full-fledged web applications and individual JavaScript programs.

Feature 1: Testing Web Applications

$ python3 -m run_pipeline -h

usage: run_pipeline.py [-h] [--conf FILE] [--site SITE] [--list LIST] [--from FROM] [--to TO]

This script runs the tool pipeline.

optional arguments:
  -h, --help            show this help message and exit
  --conf FILE, -C FILE  pipeline configuration file. (default: config.yaml)
  --site SITE, -S SITE  website to test; overrides config file (default: None)
  --list LIST, -L LIST  site list to test; overrides config file (default: None)
  --from FROM, -F FROM  the first entry to consider when a site list is provided; overrides config file (default: -1)
  --to TO, -T TO        the last entry to consider when a site list is provided; overrides config file (default: -1)

Feature 2: Testing JavaScript Files

$ python3 -m analyses.example.example_analysis --input=$(pwd)/data/test_program/test.js

To write custom queries, learn more about the data model of the constructed property graph, including the nodes, edges , and the syntax tree.

Publications

JAW has been developed over the course of the following publications:

1. Client-side CSRF @USENIX Security'21 [ Paper ]

BibTex

@inproceedings {JAW,
  title = {JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals},
  author= {Soheil Khodayari and Giancarlo Pellegrino},
  booktitle = {30th {USENIX} Security Symposium ({USENIX} Security 21)},
  year = {2021},
  address = {Vancouver, B.C.},
  publisher = {{USENIX} Association},
  month = aug,
}

Copied!

2. DOM Clobbering @IEEE SP'23 [ Paper ] [ Website ]

BibTex

@inproceedings {SKhodayariSP23TheThing,
  author = {Soheil Khodayari and Giancarlo Pellegrino},
  title = {It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses},
  booktitle = {Proceedings of the 44th IEEE Symposium on Security and Privacy},
  year = {2023},
}

Copied!

3. Request Hijacking @IEEE SP'24 [ Paper ]

BibTex

@inproceedings {SKhodayariSP24Sheriff,
  author = {Soheil Khodayari, Thomas Barber, and Giancarlo Pellegrino},
  title = {The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web},
  booktitle = {To appear at proceedings of the 45th IEEE Symposium on Security and Privacy},
  year = {2024},
}

Copied!

J A W

A Graph-based Security Analysis Framework for Client-side JavaScript at Scale

Overview

How It Works?

Feature 1: Testing Web Applications

Feature 2: Testing JavaScript Files

Publications