http://dx.doi.org/10.13089/JKIISC.2021.31.2.263

Detecting Security Vulnerabilities in TypeScript Code with Static Taint Analysis

Moon, Taegeun (Department of Computer Science and Engineering, Sungkyunkwan University)
Kim, Hyoungshick (Department of Computer Science and Engineering, Sungkyunkwan University)
Abstract
Taint analysis techniques are widely used to detect web vulnerabilities that originate from unverified user input, such as Cross-Site Scripting (XSS) and SQL Injection, in web applications written in JavaScript. Detecting such vulnerabilities requires tracing the variables affected by user-submitted inputs. However, because of the dynamic nature of JavaScript, identifying those variables without running the web application code has been a challenging problem. Therefore, most existing taint analysis tools are based on dynamic taint analysis, which incurs the overhead of running the target application. In this paper, we propose a novel static taint analysis technique that uses symbol information obtained from the TypeScript (a superset of JavaScript) compiler to accurately track data flow and detect security vulnerabilities in TypeScript code. Our technique allows developers to annotate variables that can contain unverified user input data, and uses the annotation information to trace the variables and data affected by that input. Since the technique can be incorporated seamlessly into the TypeScript compiler, developers can find vulnerabilities during the development process, unlike existing analysis tools that run as a separate step. To show the feasibility of the proposed method, we implemented a prototype and evaluated it on 8 web applications with known security vulnerabilities. Our prototype implementation detected all of the known security vulnerabilities correctly.
Keywords
Taint analysis; Static analysis; Software test; TypeScript; JavaScript;
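As an added example (not the paper's prototype), a minimal version of the approach described in the abstract: a JSDoc @tainted annotation marks a variable holding user input, the TypeScript compiler's type checker resolves each identifier to its symbol so taint follows the variable rather than its name, and any call to a method named query (an assumed sink) whose arguments read tainted data is reported. The @tainted tag, the query sink, the sample program and the use of the typescript npm package's compiler API are all assumptions; the paper's own annotation syntax is not given on this page.

```typescript
import * as tsNs from "typescript";
const ts: typeof tsNs = (tsNs as any).default ?? tsNs; // value namespace under CommonJS or ESM interop
// Constructed sample (not from the paper): @tainted marks user-input data, "query" is the assumed sink.
export const SAMPLE = `declare const req: any;
declare const db: { query(sql: string): void };
/** @tainted */
const userName: string = req.query.name;
const greeting = "Hello " + userName;   // taint flows through the assignment
const safe = "constant";
db.query("SELECT * FROM u WHERE n = '" + greeting + "'");   // line 7: flagged
db.query("SELECT 1 WHERE x = '" + safe + "'");              // line 8: clean
`;
// Returns the 1-based line of each sink call whose arguments read a tainted symbol.
export function findTaintedSinks(code: string, sink = "query"): number[] {
  const fileName = "sample.ts";
  const sf = ts.createSourceFile(fileName, code, ts.ScriptTarget.ES2020, true);
  const host = ts.createCompilerHost({ noLib: true, types: [] });
  host.getSourceFile = (f) => (f.endsWith(fileName) ? sf : undefined); // in-memory file only
  const checker = ts.createProgram([fileName], { noLib: true, types: [] }, host).getTypeChecker();
  const tainted = new Set<tsNs.Symbol>();
  // Taint is tracked per compiler symbol, so shadowed or renamed variables are told apart.
  const reads = (e: tsNs.Node): boolean => {
    if (!ts.isIdentifier(e)) return !!ts.forEachChild(e, (c) => reads(c) || undefined);
    const s = checker.getSymbolAtLocation(e);
    return s !== undefined && tainted.has(s);
  };
  // Mark annotated declarations, then propagate through initializers until nothing changes.
  let grew = true;
  const mark = (n: tsNs.Node): void => {
    if (ts.isVariableDeclaration(n) && ts.isIdentifier(n.name)) {
      const annotated = ts.getJSDocTags(n.parent.parent).some((t) => t.tagName.text === "tainted");
      const s = checker.getSymbolAtLocation(n.name);
      if (s && !tainted.has(s) && (annotated || (!!n.initializer && reads(n.initializer)))) {
        tainted.add(s); grew = true;
      }
    }
    ts.forEachChild(n, mark);
  };
  while (grew) { grew = false; mark(sf); }
  const findings: number[] = [];
  const scan = (n: tsNs.Node): void => {
    if (ts.isCallExpression(n) && ts.isPropertyAccessExpression(n.expression) &&
        n.expression.name.text === sink && n.arguments.some(reads)) {
      findings.push(sf.getLineAndCharacterOfPosition(n.getStart()).line + 1);
    }
    ts.forEachChild(n, scan);
  };
  scan(sf); return findings;
}
```

The analysis is intentionally intraprocedural and does not model sanitizers; removing the annotation, or pointing it at a different sink name, yields no findings.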