Enrico Micco, profile picture
Uploaded byEnrico Micco
PDF, PPTX126 views

Untrusted JS Detection with Chrome Dev Tools and static code analysis

1. The document discusses using Chrome Developer Tools and static code analysis to detect untrusted JavaScript. It describes profiling JavaScript execution in web apps using the Chrome Developer Tools Profiles Panel and analyzing JavaScript code statically to detect suspicious URLs. 2. The Chrome Developer Tools allows debugging JavaScript, identifying performance issues, and understanding memory usage. The CPU Profiling feature logs information about JavaScript function names, URLs, time metrics, and call hierarchies. 3. Static code analysis of JavaScript uses a Wget command line tool to parse code and look for external URLs, which are categorized and logged to a testing database.

Technology
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
Università degli Studi del Sannio Sicurezza delle Reti e dei Sistemi Software Prof. Corrado Aaron Visaggio Guerrera Alessandro Micco Enrico 399/40 399/38 UntrustedJSDetection withChromeDevToolsand staticcodeanalyzer
Future Web with HTML 5 • No longer just a draft • Only best with CSS 3 and JavaScript • JavaScript emerged in web and mobile app development Sicurezza delle Reti e dei Sistemi Software
HTML 5 risks • Client-side execution • XSS vulnerabilities with new tags • Client-side Database • Web storage and SQL injection • Web Sockets • Web Workers (JavaAcript)
JavaScript Security Analysis • Dynamic analysis: Profile JavaScript execution in web apps Logging and post elaboration • Static Analysis: Detect suspicious URLs in JavaScript code (i.e. web workers) Trusted JavaScript vs Untrusted JavaScript
• It is a part of standard Chrome distribution • Used for: • Debugging JavaScript • Identifying performance issues • Understanding memory usage Chrome Developer Tools
Chrome Developer Tools • Profiles Panel: CPU
CPU Profiling • JS profiling output: {"head":{"functionName":"(root)","url":"","lineNumber":0,"tot alTime":54969.14940502423,"selfTime":0,"numberOfCalls“:0,"vis ible":true,"callUID":3671317361,"children":[{"functionName":" (program)","url":"","lineNumber":0,"totalTime":37895.14804279 017,"selfTime":37895.14804279017,"numberOfCalls":0,"visible": true,"callUID":3079893573,"children“:[],"id":2},{"functionNam e":"(anonymousfunction)"function)","url":"chromeextension://e panfjkfahimkgomnigadpkobaefekcd/webkit/chrome/content.js","li neNumber":6,"totalTime":9.014784246163707,"selfTime":0,"numbe rOfCalls":0,"visible“:true,"callUID":1398769603,"children":[{ "functionName":"bridge.extension.sendRequest","url":"chrome- extension://epanfjkfahimkgomnigadpkobaefekcd/webkit/chrome/co ntent.js“,"lineNumber":3,"totalTime":9.014784246163707,"selfT ime":0,"numberOfCalls":0,"visible":true,"callUID":2480584708, "children":[{"functionName":"(anonymous…
CPU Profile logging • CPU profile information: 1. URL 2. Line Number 3. Function Name 4. Self Time 5. Total Time 6. CallUID 7. Visible
JavaScript static code analysis /*! jQuery v1.7 jquery.com | jquery.org/license @JsDoNotOptimize */(function(a,b){function cA(a){return f.isWindow(a)?a:a.nodeType= ==9?a.defaultView||a.parent Window:!1}function cx(a){if(!cm[a]){var b=c.body,d=f("<"+a+">").app endTo(b),e=d.css("display") ;d.remove();if(e==="none"|| e===""){cn||(cn=c.createEle ment("iframe"),cn.frameBord er=cn.width=cn.height=0),b. appendChild(cn)… http://www.facebook.com/dia log/feed? http://pinterest.com/pin/cr eate/button/? http://reco.stratus.qa.ebay .com http://p.ebaystatic.com/aw/ home/feed/spinner_lrg.gif … • JS static parser:
Dynamic JS Analyzer Chrome Dev Tools CPU profile parser in Java
Static JS Analyzer Wget command line tool JS code parser in Java
Testing • URLs list group by category: 1. Audio-video 2. Banking 3. Cooking 4. Ecommerce 5. Education 6. Gardening 7. Government 8. Medical 9. Motori Di Ricerca 10. …
Testing Database Dynamic Analysis Dynamic Analysis
Testing results • Metrics: 1. Max JS function execution time 2. Avg JS function execution time 3. Max JS function calls number 4. Avg JS function calls number 5. Total URL number 6. Extern URL ratio
Testing results 0 500 1000 1500 2000 2500 Max JS function execution time
Testing results 0 1000 2000 3000 4000 5000 6000 Avg JS function execution time
Testing results 0 0,5 1 1,5 2 2,5 3 3,5 4 4,5 Max JS function calls number
Testing results 0 100 200 300 400 500 600 700 800 900 1000 Avg JS function calls number
Testing results 0 20 40 60 80 100 120 140 160 180 Total URL number
Testing results 0 0,2 0,4 0,6 0,8 1 1,2 Extern URL ratio

More Related Content

PDF
Marker-based Augmented Monuments on iPhone and iPad
byEnrico Micco
 
PPTX
Session 42 - Struts 2 Hibernate Integration
byPawanMM
 
PPTX
Security asp.net application
byZAIYAUL HAQUE
 
PDF
Lecture 05 web_applicationframeworks
byk. Nour el houda SLIMANI
 
PDF
Struts Basics
byHarjinder Singh
 
PPT
Struts(mrsurwar) ppt
bymrsurwar
 
PDF
Introduction to Struts 1.3
byIlio Catallo
 
PDF
AJAX Security - LAC2016
byJulia Logan a.k.a. IrishWonder
 
Marker-based Augmented Monuments on iPhone and iPad
byEnrico Micco
 
Session 42 - Struts 2 Hibernate Integration
byPawanMM
 
Security asp.net application
byZAIYAUL HAQUE
 
Lecture 05 web_applicationframeworks
byk. Nour el houda SLIMANI
 
Struts Basics
byHarjinder Singh
 
Struts(mrsurwar) ppt
bymrsurwar
 
Introduction to Struts 1.3
byIlio Catallo
 
AJAX Security - LAC2016
byJulia Logan a.k.a. IrishWonder
 

What's hot

PPTX
Struts introduction
byMuthukumaran Subramanian
 
PDF
Struts presentation
byNicolaescu Petru
 
PPTX
Browser Security 101
byStormpath
 
PPT
Struts
bys4al_com
 
PPTX
Day8
bymadamewoolf
 
PDF
Step by Step Guide for building a simple Struts Application
byelliando dias
 
PPTX
Session 41 - Struts 2 Introduction
byPawanMM
 
PPTX
ASP.NET Web Security
bySharePointRadi
 
PPT
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
byShreeraj Shah
 
PDF
Design & Development of Web Applications using SpringMVC
byNaresh Chintalcheru
 
PPT
Struts course material
byVibrant Technologies & Computers
 
PDF
ng-owasp: OWASP Top 10 for AngularJS Applications
byKevin Hakanson
 
PPTX
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
byDataStax Academy
 
PPTX
Asp.Net MVC3 - Basics
bySaravanan Subburayal
 
PPTX
Avoiding Cross Site Scripting - Not as easy as you might think
byErlend Oftedal
 
PPTX
Struts 1
byLalit Garg
 
PPTX
Token Authentication in ASP.NET Core
byStormpath
 
PPTX
Learn Apache Shiro
bySmita Prasad
 
PDF
J2EE Security with Apache SHIRO
byCygnet Infotech
 
Struts introduction
byMuthukumaran Subramanian
 
Struts presentation
byNicolaescu Petru
 
Browser Security 101
byStormpath
 
Struts
bys4al_com
 
Day8
bymadamewoolf
 
Step by Step Guide for building a simple Struts Application
byelliando dias
 
Session 41 - Struts 2 Introduction
byPawanMM
 
ASP.NET Web Security
bySharePointRadi
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
byShreeraj Shah
 
Design & Development of Web Applications using SpringMVC
byNaresh Chintalcheru
 
Struts course material
byVibrant Technologies & Computers
 
ng-owasp: OWASP Top 10 for AngularJS Applications
byKevin Hakanson
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
byDataStax Academy
 
Asp.Net MVC3 - Basics
bySaravanan Subburayal
 
Avoiding Cross Site Scripting - Not as easy as you might think
byErlend Oftedal
 
Struts 1
byLalit Garg
 
Token Authentication in ASP.NET Core
byStormpath
 
Learn Apache Shiro
bySmita Prasad
 
J2EE Security with Apache SHIRO
byCygnet Infotech
 

Similar to Untrusted JS Detection with Chrome Dev Tools and static code analysis

PPTX
Web security: Securing Untrusted Web Content in Browsers
byPhú Phùng
 
PPTX
Web security: Securing untrusted web content at browsers
byPhú Phùng
 
PDF
Secure java script-for-developers
byn|u - The Open Security Community
 
PPTX
Phu appsec13
bydrewz lin
 
PPTX
Preventing In-Browser Malicious Code Execution
byStefano Di Paola
 
PDF
BSides Leeds - Performing JavaScript Static Analysis
byLewis Ardern
 
PPTX
Javascript Security
byjgrahamc
 
Web security: Securing Untrusted Web Content in Browsers
byPhú Phùng
 
Web security: Securing untrusted web content at browsers
byPhú Phùng
 
Secure java script-for-developers
byn|u - The Open Security Community
 
Phu appsec13
bydrewz lin
 
Preventing In-Browser Malicious Code Execution
byStefano Di Paola
 
BSides Leeds - Performing JavaScript Static Analysis
byLewis Ardern
 
Javascript Security
byjgrahamc
 

Recently uploaded

PPT
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
PDF
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PPTX
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PDF
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PDF
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
PDF
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
PPTX
Route_Inspection_Problem_Presentation.pptx
byIqraHanif27
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PPTX
Cesium formate brine - A brief history - prepared by John Downs in May 2011
byJohn Downs
 
PDF
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
PDF
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
PPT
Information and Communication Technologies and Power
byJeffrey Hart
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PDF
threat-hunters-cookbook for cybersecurity
bylobster6719
 
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
The Future of AI-Powered Fashion Design 10 Top Generators for 2026
bymockitseo
 
Route_Inspection_Problem_Presentation.pptx
byIqraHanif27
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
Cesium formate brine - A brief history - prepared by John Downs in May 2011
byJohn Downs
 
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
Information and Communication Technologies and Power
byJeffrey Hart
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
threat-hunters-cookbook for cybersecurity
bylobster6719
 

Untrusted JS Detection with Chrome Dev Tools and static code analysis

  • 1.
    Università degli Studidel Sannio Sicurezza delle Reti e dei Sistemi Software Prof. Corrado Aaron Visaggio Guerrera Alessandro Micco Enrico 399/40 399/38 UntrustedJSDetection withChromeDevToolsand staticcodeanalyzer
  • 2.
    Future Web withHTML 5 • No longer just a draft • Only best with CSS 3 and JavaScript • JavaScript emerged in web and mobile app development Sicurezza delle Reti e dei Sistemi Software
  • 3.
    HTML 5 risks •Client-side execution • XSS vulnerabilities with new tags • Client-side Database • Web storage and SQL injection • Web Sockets • Web Workers (JavaAcript)
  • 4.
    JavaScript Security Analysis •Dynamic analysis: Profile JavaScript execution in web apps Logging and post elaboration • Static Analysis: Detect suspicious URLs in JavaScript code (i.e. web workers) Trusted JavaScript vs Untrusted JavaScript
  • 5.
    • It isa part of standard Chrome distribution • Used for: • Debugging JavaScript • Identifying performance issues • Understanding memory usage Chrome Developer Tools
  • 6.
    Chrome Developer Tools •Profiles Panel: CPU
  • 7.
    CPU Profiling • JSprofiling output: {"head":{"functionName":"(root)","url":"","lineNumber":0,"tot alTime":54969.14940502423,"selfTime":0,"numberOfCalls“:0,"vis ible":true,"callUID":3671317361,"children":[{"functionName":" (program)","url":"","lineNumber":0,"totalTime":37895.14804279 017,"selfTime":37895.14804279017,"numberOfCalls":0,"visible": true,"callUID":3079893573,"children“:[],"id":2},{"functionNam e":"(anonymousfunction)"function)","url":"chromeextension://e panfjkfahimkgomnigadpkobaefekcd/webkit/chrome/content.js","li neNumber":6,"totalTime":9.014784246163707,"selfTime":0,"numbe rOfCalls":0,"visible“:true,"callUID":1398769603,"children":[{ "functionName":"bridge.extension.sendRequest","url":"chrome- extension://epanfjkfahimkgomnigadpkobaefekcd/webkit/chrome/co ntent.js“,"lineNumber":3,"totalTime":9.014784246163707,"selfT ime":0,"numberOfCalls":0,"visible":true,"callUID":2480584708, "children":[{"functionName":"(anonymous…
  • 8.
    CPU Profile logging •CPU profile information: 1. URL 2. Line Number 3. Function Name 4. Self Time 5. Total Time 6. CallUID 7. Visible
  • 9.
    JavaScript static codeanalysis /*! jQuery v1.7 jquery.com | jquery.org/license @JsDoNotOptimize */(function(a,b){function cA(a){return f.isWindow(a)?a:a.nodeType= ==9?a.defaultView||a.parent Window:!1}function cx(a){if(!cm[a]){var b=c.body,d=f("<"+a+">").app endTo(b),e=d.css("display") ;d.remove();if(e==="none"|| e===""){cn||(cn=c.createEle ment("iframe"),cn.frameBord er=cn.width=cn.height=0),b. appendChild(cn)… http://www.facebook.com/dia log/feed? http://pinterest.com/pin/cr eate/button/? http://reco.stratus.qa.ebay .com http://p.ebaystatic.com/aw/ home/feed/spinner_lrg.gif … • JS static parser:
  • 10.
    Dynamic JS Analyzer ChromeDev Tools CPU profile parser in Java
  • 11.
    Static JS Analyzer Wgetcommand line tool JS code parser in Java
  • 12.
    Testing • URLs listgroup by category: 1. Audio-video 2. Banking 3. Cooking 4. Ecommerce 5. Education 6. Gardening 7. Government 8. Medical 9. Motori Di Ricerca 10. …
  • 13.
  • 14.
    Testing results • Metrics: 1.Max JS function execution time 2. Avg JS function execution time 3. Max JS function calls number 4. Avg JS function calls number 5. Total URL number 6. Extern URL ratio
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.