Poster: Finding Javascript name conflicts on the web

Zhang, Mingxue1; Meng, Wei1; Wang, Yi2

10.1145/3319535.3363268

2019

1543-7221

26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019

2609-2611

London, United kingdom

1515 BROADWAY, NEW YORK, NY 10036-9998 USA

Association for Computing Machinery

Including JavaScript code from many different hosts is a popular practice in developing web applications. For example, to include a social plugin like the Facebook Like button, a web developer needs to only include a script from facebook.net in her/his web page. However, in a web browser, all the identifiers (i.e., variable names and function names) in scripts loaded in the same frame share a single global namespace. Therefore, a script can overwrite any of the global variables and/or global functions defined in another script, causing unexpected behavior. In this work, we develop a browser-based dynamic analysis framework, that monitors and records any writes to JavaScript global variables and global functions. Our tool is able to cover all the code executed in the run time. We detected 778 conflicts across the Alexa top 1K websites. Our results show that global name conflicts can indeed expose web applications to security risks.
© 2019 Association for Computing Machinery.

JavaScript Name conflicts Web applications

其他

英语

EI ; CPCI-S

Research Grants Council, University Grants Committee[CUHK 24209418]

Computer Science ; Telecommunications

Computer Science, Information Systems ; Computer Science, Theory & Methods ; Telecommunications

WOS:000509760700173

20195007799424

Codes (symbols) ; Websites

Computer Programming Languages:723.1.1 ; Data Processing and Image Processing:723.2

EV Compendex

1.Chinese University of Hong Kong, Hong Kong
2.Southern University of Science and Technology, China

Zhang, Mingxue,Meng, Wei,Wang, Yi. Poster: Finding Javascript name conflicts on the web[C]. 1515 BROADWAY, NEW YORK, NY 10036-9998 USA:Association for Computing Machinery,2019:2609-2611.