With the development of the browser-server interaction model on the Internet, the browser side has been taking on an increasing share of data processing. In this circumstance, web applications have come into fashion. Web applications are usually written in scripting languages, most commonly JavaScript. They run on the browser's engine and therefore have limited data-handling capability, and they can hardly keep pace with the rising complexity of data. This gives rise to a new type of vulnerability, here named the browser validation mechanism vulnerability: a vulnerability caused by incomplete checks on the pages, scripts and objects executed in the browser. Its attack models include DOM-based XSS, CSRF and data confusion attacks, all of which are spreading across the Internet because of new technologies such as Mashup and local dynamic update. In contrast, research on browser validation mechanism vulnerabilities has received little attention, and the existing test tools have inadequacies. To address this problem, this thesis studies the input validation mechanism and the input filtering process of web applications. On this foundation, the thesis proposes a vulnerability detection method based on data and event space division, taint tracing and backtracking, and string constraint solving. With the proposed methods, a JavaScript vulnerability detection tool aimed at the input validation mechanism in browsers is constructed.

Firstly, the thesis studies the input validation mechanism and its rules in the browser and the scripting engine, analyzing the field of application, the target objects and the mandatory level of the access control policy and object capability. Using the analytical methods widely applied to web applications, the thesis studies the causes of the vulnerability. The attack triggers and characteristics are abstracted from three kinds of attack, namely source confusion, code injection and application command injection, for further analysis.

Secondly, the thesis identifies the key points in the process of triggering the vulnerability so that inputs carrying a threat can be generated. Taint sources and sinks are identified in preparation for tainted tracing. The thesis formulates taint propagation and tracing rules for assignment statements, arithmetic and logical operations, process control, loops and structure calls. For DOM constructs, tainted-point testing is proposed by modeling the DOM prototype chain and testing object points. The thesis performs risk assessment by taint backtracking, and also accomplishes program slice division based on data flow statements.

In the last step, the thesis proposes string constraint solving methods based on the program slice, which can inhibit path explosion. A mapping from the scripting language to intermediate code is built, as well as a mapping from intermediate code to a set of constraints. A string equation is built to complete the conversion from string variables to regular expressions. The constraints are connected in series and the atomic constraints are solved one by one recursively, so that the final result can be generated to raise the test path coverage rate and improve the accuracy of the feedback input.

On the foundation of the research above, the thesis designs and constructs JsDetect, a JavaScript vulnerability detection system for the browser input validation mechanism. The system is examined with a set of examples. The results of these tests show that the system is effective in detecting browser validation mechanism vulnerabilities, with both a high path coverage rate and low false positive and false negative rates.
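The taint propagation, sink check and backtracking rules described above, as an added illustration that is not JsDetect's own code: a small tracker over a constructed three-address form of a script, which propagates taint through assignment and concatenation, drops it at an encoding step, and reports each sink write together with the statement slice leading back to its source. The IR shape, the source and sink lists and the sample program are assumptions of this example.

```javascript
// Added example (not JsDetect): taint propagation, sink check and backtrack
// over a tiny three-address IR standing in for JavaScript statements (assumed IR).
const SOURCES = new Set(['location.hash', 'document.referrer']); // attacker-controlled reads
const SINKS = new Set(['innerHTML', 'eval', 'document.write']);  // dangerous writes
// Statement forms:
//   {op:'read',   dst, from}  dst = <DOM property>   (taints dst when from is a source)
//   {op:'assign', dst, src}   dst = src              (taint copies)
//   {op:'concat', dst, a, b}  dst = a + b            (taint of either operand propagates)
//   {op:'encode', dst, src}   dst = encodeURIComponent(src) (modeled as clearing taint)
//   {op:'write',  to, src}    <DOM property> = src   (finding when src is tainted, to is a sink)
function trackTaint(stmts) {
  const taint = new Map(); // variable -> {source, chain: statement indices back to the source}
  const findings = [];
  stmts.forEach((s, i) => {
    switch (s.op) {
      case 'read':
        if (SOURCES.has(s.from)) taint.set(s.dst, { source: s.from, chain: [i] });
        else taint.delete(s.dst);
        break;
      case 'assign':
      case 'concat': {
        const t = s.op === 'assign' ? taint.get(s.src) : taint.get(s.a) || taint.get(s.b);
        if (t) taint.set(s.dst, { source: t.source, chain: [...t.chain, i] });
        else taint.delete(s.dst); // overwritten by a clean value
        break;
      }
      case 'encode':
        taint.delete(s.dst); // sanitizer on the path: taint does not reach dst
        break;
      case 'write': {
        const t = taint.get(s.src);
        if (t && SINKS.has(s.to)) findings.push({ sink: s.to, source: t.source, slice: [...t.chain, i] });
        break;
      }
    }
  });
  return findings; // each finding's slice is the backtracked source-to-sink statement list
}
// Constructed sample: one unencoded flow hash -> innerHTML, one encoded flow that stays clean.
const SAMPLE = [
  { op: 'read', dst: 'h', from: 'location.hash' },
  { op: 'assign', dst: 'name', src: 'h' },
  { op: 'concat', dst: 'html', a: 'prefix', b: 'name' },
  { op: 'write', to: 'innerHTML', src: 'html' },
  { op: 'encode', dst: 'safe', src: 'h' },
  { op: 'write', to: 'innerHTML', src: 'safe' },
];
```

Running `trackTaint(SAMPLE)` yields a single finding for the unencoded flow with slice `[0, 1, 2, 3]`; the encoded write is not reported because the encode step clears the taint in this model.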