Hackers of India

Automating JavaScript Static Analysis

By  Lavakumar Kuppan  on 01 Mar 2013 @ Nullcon

Abstract

Use of Static analysis to identify vulnerabilities is common for server-side code. However for JavaScript, this avenue has only been explored by a few commercial software and their analysis algorithm and methodology is a guarded secret. I took a shot at cracking this last year and created a JavaScript static analyzer inside IronWASP, my first attempt at writing a static analysis tool. Given the complexity of the task, the static analyzer was limited in only analysing one JS file at a time and did not handle variable scoping and other advanced features. These tasks were instead offloaded to the tester and the result was a tool that required a lot effort to use. That was last year, I am taking a crack at this again, as a wiser man. This time the target is complete automated JavaScript static analysis for the entire site with a single button click. It is an ambitious goal but something worth pursuing given the increasing focus on DOM based XSS and HTML5 Security. Come and see how I have tried to tackle the problem, the design and inner workings of an Automated JavaScript Static Analyzer.