The Detection And Analysis Of XSS Vulnerability On Web Apps

Posted on: 2017-10-27
Degree: Master
Type: Thesis
Country: China
Candidate: R Wang
GTID: 2348330491963356
Subject: Information Science and Engineering

Abstract/Summary:
Web apps are mobile applications developed with web technology. In recent years, with the development of HTML5 technology, web-based mobile applications have become increasingly popular. However, these apps are developed with the traditional techniques of HTML/CSS and JavaScript, in which program code and UI code are mixed together, making the applications vulnerable to cross-site scripting (XSS) attacks. What's worse, malicious code can use more channels than on traditional web sites, such as SMS messages, QR code scanning, and NFC. Therefore, this thesis proposes a static taint analysis to detect XSS vulnerabilities in web apps. First, we scan for the injection channels and unsafe display APIs in a web app, then construct its control flow graph, and finally apply a taint analysis to the graph to search for a path between injection channels and display APIs. If such a path exists, we judge the app to be vulnerable.

The main accomplishments and innovations of this thesis are as follows:

· A static taint analysis on web apps to detect XSS vulnerabilities is proposed. We first detect the code injection channels and vulnerable APIs of the application, then construct its control flow graph, and finally apply a method that taints the graph nodes to find out whether a path exists between injection channels and vulnerable APIs. We judge whether the app is unsafe according to the existence of a path.

· A method for constructing the control flow graph based on points-to analysis is proposed. First, an intra-procedure control flow graph is built with the help of a JavaScript parser. Then the points-to relationships of function calls, asynchronous calls and function pointers are obtained using flow-insensitive points-to analysis, from which the final control flow graph is produced.

· A points-to analysis method for JavaScript is given. First, the points-to relationships of existing statements are translated into points-to relationship logs. Then a set of derivation rules is applied to these logs in order to reach a result when a points-to question is raised.

· A tool for detecting cross-site scripting vulnerabilities in web apps is designed and implemented. The tool is divided into three modules: a source code extracting module, a control flow graph constructing module and a taint analysis module. In the source code extracting module, an Android APK file is reversed to obtain the HTML/CSS and JavaScript source, and the JavaScript code is then extracted from these files. In the control flow graph constructing module, the key code is obtained by applying a program slicing algorithm to the source code, the intra-procedure control flow graph is constructed with the help of a JavaScript parser, and the final control flow graph of the web app is then constructed using the points-to analysis. In the taint analysis module, the injection channel nodes on the control flow graph are marked as tainted and a tainting method based on depth-first search is applied to the graph; finally, the locations of unsafe APIs on the graph are checked to find vulnerabilities in the web app.

We tested the tool with 29 apps downloaded from the application market WanDouJia, and found 2 apps with vulnerabilities and more apps containing uncertain vulnerable points. Finally, we evaluate the accuracy and recall rate of the tool.
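The taint analysis step described above, as an added example that is not code from the thesis or its tool: a depth-first search marks every control flow graph node reachable from an injection channel and reports a witness path whenever an unsafe display API is reached. The graph, node names and `kind` labels are constructed assumptions for illustration.

```javascript
// Constructed control flow graph of a hypothetical web app (not from the thesis).
// Node names, kinds and edges are illustrative assumptions.
const cfg = {
  nodes: {
    onQrScanned:    { kind: "source" }, // injection channel: QR code scan callback
    onSmsReceived:  { kind: "source" }, // injection channel: SMS message
    parseContact:   { kind: "plain" },
    renderCard:     { kind: "plain" },
    logLength:      { kind: "plain" },
    setTextContent: { kind: "plain" },  // display path that is not an unsafe API
    setInnerHTML:   { kind: "sink" },   // unsafe display API
  },
  edges: {
    onQrScanned:   ["parseContact"],
    parseContact:  ["renderCard", "logLength"],
    renderCard:    ["setInnerHTML", "parseContact"], // back edge forms a cycle
    onSmsReceived: ["setTextContent"],
  },
};

// Depth-first tainting from each injection channel. The parent map doubles as
// the tainted (visited) set, so cycles terminate, and it lets us rebuild the
// path from source to sink for the report.
function findTaintedSinks(graph) {
  const findings = [];
  for (const [name, node] of Object.entries(graph.nodes)) {
    if (node.kind !== "source") continue;
    const parent = new Map([[name, null]]);
    const stack = [name];
    while (stack.length > 0) {
      const current = stack.pop();
      if (graph.nodes[current].kind === "sink") {
        const path = [];
        for (let n = current; n !== null; n = parent.get(n)) path.unshift(n);
        findings.push({ source: name, sink: current, path });
      }
      for (const next of graph.edges[current] || []) {
        if (!parent.has(next)) { parent.set(next, current); stack.push(next); }
      }
    }
  }
  return findings;
}

const findings = findTaintedSinks(cfg);
for (const f of findings) console.log(`${f.source} reaches ${f.sink}: ${f.path.join(" -> ")}`);
```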
Keywords/Search Tags: web-based mobile application, XSS attack, taint analysis, control flow graph