TU Darmstadt / ULB / TUbiblio

jÄk: Using Dynamic Analysis to Crawl and Test Modern Web Applications

Pellegrino, Giancarlo and Tschürtz, Constantin and Bodden, Eric and Rossow, Christian
Bos, Herbert and Monrose, Fabian and Blanc, Gregory (eds.) (2015):
jÄk: Using Dynamic Analysis to Crawl and Test Modern Web Applications.
In: Research in Attacks, Intrusions, and Defenses. 18th International Symposium, RAID 2015, Kyoto, Japan,November 2-4, 2015. Proceedings., Springer Cham, Kyoto, Japan, In: Lecture Notes in Computer Science 9404, ISBN 978-3-319-26361-8,
DOI: 10.1007/978-3-319-26362-5, [Conference or Workshop Item]

Abstract

Web application scanners are popular tools to perform black box testing and are widely used to discover bugs in websites. For them to work effectively, they either rely on a set of URLs that they can test, or use their own implementation of a crawler that discovers new parts of a web application. Traditional crawlers would extract new URLs by parsing HTML documents and applying static regular expressions. While this approach can extract URLs in classic web applications, it fails to explore large parts of modern JavaScript-based applications.

In this paper, we present a novel technique to explore web applications based on the dynamic analysis of the client-side JavaScript program. We use dynamic analysis to hook JavaScript APIs, which enables us to detect the registration of events, the use of network communication APIs, and dynamically-generated URLs or user forms. We then propose to use a navigation graph to perform further crawling. Based on this new crawling technique, we present jÄk, a web application scanner. We compare jÄk against four existing web-application scanners on 13 web applications. The experiments show that our approach can explore a surface of the web applications that is 86 % larger than with existing approaches.

Item Type: Conference or Workshop Item
Erschienen: 2015
Editors: Bos, Herbert and Monrose, Fabian and Blanc, Gregory
Creators: Pellegrino, Giancarlo and Tschürtz, Constantin and Bodden, Eric and Rossow, Christian
Title: jÄk: Using Dynamic Analysis to Crawl and Test Modern Web Applications
Language: German
Abstract:

Web application scanners are popular tools to perform black box testing and are widely used to discover bugs in websites. For them to work effectively, they either rely on a set of URLs that they can test, or use their own implementation of a crawler that discovers new parts of a web application. Traditional crawlers would extract new URLs by parsing HTML documents and applying static regular expressions. While this approach can extract URLs in classic web applications, it fails to explore large parts of modern JavaScript-based applications.

In this paper, we present a novel technique to explore web applications based on the dynamic analysis of the client-side JavaScript program. We use dynamic analysis to hook JavaScript APIs, which enables us to detect the registration of events, the use of network communication APIs, and dynamically-generated URLs or user forms. We then propose to use a navigation graph to perform further crawling. Based on this new crawling technique, we present jÄk, a web application scanner. We compare jÄk against four existing web-application scanners on 13 web applications. The experiments show that our approach can explore a surface of the web applications that is 86 % larger than with existing approaches.

Title of Book: Research in Attacks, Intrusions, and Defenses. 18th International Symposium, RAID 2015, Kyoto, Japan,November 2-4, 2015. Proceedings.
Series Name: Lecture Notes in Computer Science 9404
Publisher: Springer Cham
ISBN: 978-3-319-26361-8
Uncontrolled Keywords: computer and communication networks data security industry sectors security and privacy telecommunications anomaly detection automata theory botnet tracking electronics intrusion detection systems keylogger malware analysis mobile security network securit
Divisions: Profile Areas
Profile Areas > Cybersecurity (CYSEC)
Event Location: Kyoto, Japan
Date Deposited: 17 Aug 2017 15:15
DOI: 10.1007/978-3-319-26362-5
Identification Number: TUD-CS-2015-12091
Export:

Optionen (nur für Redakteure)

View Item View Item