Isolating JavaScript in Dynamic Code Environments
Execution Environments for Cloud Applications – Spring 2011

Background
• Modern web applications combine client-side and server-side technologies to generate dynamic content (example: PHP and JavaScript).
• Different web frameworks use different methods of mixing code.
• The different levels of intermixing of programming languages need to be identified.
• This is beneficial for XSS mitigation schemes and for operations such as code analysis, optimization and refactoring.

Key Points
• Analyze the source code of web applications (phpBB, WordPress, phpMyAdmin and Drupal).
• Identify the coding idioms used for dynamic content generation and intermixing of languages (PHP, JavaScript).
• Classify them into different classes.
• Provide methods to reduce mixing in each of the classes.

Analysis Methodology
• Each web application’s code is processed by a customized tool with the two parts below.
  Part 1: Removal of PHP and HTML comments, and of HTML events such as onclick and onload.
  Part 2: Randomization of the JavaScript by the parser.
• If the parser fails to randomize the code, intermixing is confirmed.
• All scripts are processed by the tool and the failures are noted.

Analysis Results Table
• The final column shows the number of scripts involving code mixing.
• A total of 163 scripts out of 1000 are found to have intermixed code.

Classifying coding idioms
• Manual investigation of the 163 scripts was done to identify five cases of coding idioms.
• Case 1: Partial injection of non-mixed JavaScript source using the PHP built-in function echo().

Classifying coding idioms
• Case 2: String concatenations. Single and double quotes are part of complex string concatenation operations. The parser fails to randomize.

Classifying coding idioms
• Case 3: The most frequent case of code intermixing. Partial JavaScript code generation by PHP scripting blocks. The parser fails to consume the PHP code.

Classifying coding idioms
• Case 4: This case occurs only in phpBB. JavaScript code generation by using the framework’s meta-language.
  Example

Classifying coding idioms
• Case 5: Markup injections. Symbols like ‘&’ are emitted as HTML entities such as ‘&amp;’.
  Example

Classification Results Table
• Most of the scripts fall into the third case.
• The meta-language case, Case 4, occurs only in phpBB.
• Cases 1 and 5 are limited.
• The dominant idioms are string concatenations and partial injection using PHP scripting blocks.
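The slides describe the analysis tool only at the level of its two parts (strip comments and event handlers, then try to randomize the script) and the five idiom classes. The following is an added example, not the tool from the presentation, that runs the same two-part methodology over constructed PHP fragments and sorts each <script> block into the five cases. The regular expressions, the placement heuristic that separates Case 1 from Case 3, the phpBB-style {L_TITLE} placeholder syntax and all sample inputs are assumptions made for this example; the original tool used a real JavaScript parser rather than patterns.

```python
import re

# Heuristic patterns for the idioms named on the slides (assumed for this example).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
PHP_RE = re.compile(r"<\?(?:php\b|=)?.*?\?>", re.S)
HTML_COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
TAG_RE = re.compile(r"<[A-Za-z][^>]*>")
EVENT_ATTR_RE = re.compile(r"""\son[a-z]+\s*=\s*("[^"]*"|'[^']*')""", re.I)
TEMPLATE_RE = re.compile(r"\{[A-Z_][A-Z0-9_]*\}")        # phpBB-style {L_TITLE}; assumed syntax
ENTITY_RE = re.compile(r"&(?:amp|lt|gt|quot|apos|#\d+);")
CONCAT_RE = re.compile(r"""["']\s*\.\s*|\.\s*["']""")      # PHP '.' joining quoted fragments

# Constructed samples, one per case plus a clean script; not code from the analyzed projects.
SAMPLES = {
    "case1": '<script>\n<?php echo "var debug = false;"; ?>\nfunction run() { return debug; }\n</script>',
    "case2": '<script>\n<?php echo "var who = \'" . $name . "\';" . "alert(who);"; ?>\n</script>',
    "case3": "<script>\nvar total = <?php echo $total; ?>;\nvar page = '<?php echo $page; ?>';\n</script>",
    "case4": "<script>\nvar title = '{L_TITLE}';\n</script>",
    "case5": "<script>\nif (a &amp;&amp; b) { go(); }\n</script>",
    "clean": ('<a href="#" onclick="go()">x</a>\n<script>\n'
              "<!-- generated by <?php echo $tool; ?> -->\n"
              "function f(x) { return x + 1; }\n</script>"),
}


def preprocess(source):
    """Part 1 of the methodology: drop HTML comments and inline event handlers (onclick, onload, ...)."""
    source = HTML_COMMENT_RE.sub("", source)
    return TAG_RE.sub(lambda tag: EVENT_ATTR_RE.sub("", tag.group(0)), source)


def classify_script(js):
    """Return the set of idiom cases observed in one <script> body; an empty set means
    the block is plain JavaScript and a randomizing parser would consume it."""
    cases = set()
    if ENTITY_RE.search(js):
        cases.add(5)                      # markup injection: entities inside JS
    if TEMPLATE_RE.search(js):
        cases.add(4)                      # framework meta-language placeholders
    for m in PHP_RE.finditer(js):
        line_start = js.rfind("\n", 0, m.start()) + 1
        line_end = js.find("\n", m.end())
        line_end = len(js) if line_end == -1 else line_end
        before = js[line_start:m.start()].strip()
        after = js[m.end():line_end].strip()
        if before or after:
            cases.add(3)                  # PHP block sits inside a JavaScript statement
        elif CONCAT_RE.search(m.group(0)):
            cases.add(2)                  # echo builds JS from quoted pieces and '.'
        else:
            cases.add(1)                  # whole JS statement emitted by echo on its own line
    return cases


def analyze(source):
    """Run both parts over one file: one case set per <script> block."""
    return [classify_script(body) for body in SCRIPT_RE.findall(preprocess(source))]


def count_cases(samples):
    """Summary in the shape of the slides' tables: mixed script count and per-case counts."""
    mixed, counts = 0, {case: 0 for case in range(1, 6)}
    for source in samples.values():
        for cases in analyze(source):
            if cases:
                mixed += 1
                for case in cases:
                    counts[case] += 1
    return mixed, counts


if __name__ == "__main__":
    for name, source in SAMPLES.items():
        print(name, analyze(source))
    print(count_cases(SAMPLES))
```

The Case 1 / Case 3 split relies only on whether the PHP block shares a line with JavaScript text; a block on its own line that emits a complete statement is treated as Case 1, which is the cheap approximation a pattern-based tool can make without actually parsing the emitted string.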

Mixing reduction
• Done by altering the mixing code or by extending the parser to support individual cases.
• Case 1: Alternate coding preferred. The programmer can inject the JavaScript code in the PHP block.

Mixing reduction
• Case 2: Alternate coding preferred. Mix reduction is achieved by using fewer quotes and concatenation parts.
  Example

Mixing reduction
• Case 3: Alternate coding and parser extension are both used. The parser identifies the PHP block and consumes it first. In case of failure after the above step, alternate coding is applied.
  Example

Mixing reduction
• Case 4: The parser is extended if the substitution is simple; otherwise alternate coding is done.
• Case 5: The parser is extended to recognize HTML entities (like &amp;) and ignore them in syntax analysis.
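The parser extensions for Cases 3, 4 and 5 are described on the slides as "consume the PHP block first", "substitute simple meta-language variables" and "ignore HTML entities in syntax analysis". The block below is an added example, not the presentation's parser, that applies those three extensions to constructed script bodies and then runs a small lexical check standing in for the JavaScript parser. A block that still fails after the extensions is the signal the slides describe for falling back to alternate coding. The placeholder naming, the {NAME} template syntax and the samples are assumptions made for this example.

```python
import html
import re

PHP_RE = re.compile(r"<\?(?:php\b|=)?.*?\?>", re.S)
TEMPLATE_RE = re.compile(r"\{[A-Z_][A-Z0-9_]*\}")        # phpBB-style {L_TITLE}; assumed syntax
ENTITY_RE = re.compile(r"&(?:amp|lt|gt|quot|apos|#\d+);")

# Constructed script bodies (not from the analyzed projects).
SAMPLES = {
    "case3": "var total = <?php echo $total; ?>;\nvar page = '<?php echo $page; ?>';",
    "case4": "var title = '{L_TITLE}';\nif (n > {S_MAX}) { warn(title); }",
    "case5": "if (a &amp;&amp; b &lt; 10) { go(); }",
    # PHP emits the closing quote itself, so consuming the block leaves broken JS behind.
    "needs_rewrite": "var msg = '<?php echo $a . \"';\"; ?>",
}


def consume_php_blocks(js):
    """Case 3 extension: replace each PHP block by a JS identifier placeholder and keep the block."""
    holes = []

    def hole(m):
        holes.append(m.group(0))
        return "__php%d__" % (len(holes) - 1)

    return PHP_RE.sub(hole, js), holes


def substitute_template_vars(js):
    """Case 4 extension: a simple {NAME} substitution becomes an identifier for analysis."""
    return TEMPLATE_RE.sub(lambda m: "__tpl_" + m.group(0)[1:-1] + "__", js)


def decode_entities(js):
    """Case 5 extension: HTML entities are markup, not JS syntax; decode them before analysis."""
    return html.unescape(js)


def lexically_well_formed(js):
    """Stand-in for the JS parser: rejects foreign syntax, unterminated strings or comments,
    and unbalanced brackets. It does not check grammar beyond that."""
    if PHP_RE.search(js) or TEMPLATE_RE.search(js) or ENTITY_RE.search(js):
        return False
    pairs = {")": "(", "]": "[", "}": "{"}
    stack, i, n = [], 0, len(js)
    while i < n:
        c = js[i]
        if js.startswith("//", i):                   # line comment
            j = js.find("\n", i)
            i = n if j == -1 else j
        elif js.startswith("/*", i):                 # block comment
            j = js.find("*/", i + 2)
            if j == -1:
                return False
            i = j + 2
        elif c in "'\"":                             # string literal with backslash escapes
            j = i + 1
            while j < n and js[j] not in (c, "\n"):
                j += 2 if js[j] == "\\" else 1
            if j >= n or js[j] != c:                 # unterminated string
                return False
            i = j + 1
        elif c in "([{":
            stack.append(c)
            i += 1
        elif c in ")]}":
            if not stack or stack.pop() != pairs[c]:
                return False
            i += 1
        else:
            i += 1
    return not stack


def reduce_mixing(js):
    """Apply the three extensions, then report (normalized JS, consumed PHP blocks, passes).
    A False result means the idiom needs alternate coding rather than a parser extension."""
    normalized, holes = consume_php_blocks(js)
    normalized = substitute_template_vars(decode_entities(normalized))
    return normalized, holes, lexically_well_formed(normalized)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        normalized, holes, ok = reduce_mixing(body)
        print(name, "before:", lexically_well_formed(body), "after:", ok, "->", normalized)
```

The "needs_rewrite" sample shows why Case 3 keeps alternate coding as a second step: when the PHP block generates part of a string delimiter, substituting a placeholder cannot repair the surrounding JavaScript, so the script has to be rewritten so that PHP emits a complete value instead of a fragment of one.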

Results after reduction
• Parser extensions and code rewriting manage to strongly reduce intermixing.
• Results show that the reduction process minimizes the failing rates for Case 3 and Case 4.

Conclusion
• Over half a million lines of code were processed.
• 1000 scripts were identified, of which 163 had PHP intermixed with JavaScript.
• The 163 scripts were manually investigated to create a classification scheme of five distinct classes.
• Techniques to reduce intermixing were proposed.

Questions?? Comments!!