STATIC CODE ANALYSIS TOOL TO DETECT VULNERABILITIES IN JAVASCRIPT-BASED APPLICATION

Bibliographic Details
Main Author: Fernaldy, Kevin
Format: Final Project
Language: Indonesia
Online Access: https://digilib.itb.ac.id/gdl/view/75244
Institution: Institut Teknologi Bandung
Description
Summary: Web-based applications today vary widely in scope and in the features they offer; JavaScript-based applications are one example. As web-based applications grow, however, so does the potential for vulnerabilities to emerge inside them. One way to detect vulnerabilities inside web applications is static code analysis. A number of static code analysis tools have been developed that are able to detect vulnerabilities inside JavaScript-based applications. However, these tools use only the abstract syntax tree (AST) in their analysis, so the analysis cannot be performed efficiently. In this final project, a static code analysis tool is developed to detect vulnerabilities inside JavaScript-based applications. The tool is able to detect injection vulnerabilities and three variations of cross-site scripting: reflected XSS, persistent XSS and DOM-based XSS. For its analysis, the tool uses taint analysis, which is a form of data-flow analysis. With this method, a data-flow graph (DFG), a control-flow graph (CFG), and a call graph are used for analysis. The tool was tested with unit testing and with system testing, the latter by analyzing four JavaScript-based open source projects that have vulnerabilities. The analysis tool successfully detected 8 vulnerabilities in the form of command injection and XSS. However, 4 vulnerabilities were not detected because of native JavaScript function calls, which the analysis tool does not support.