Detecting and Understanding JavaScript Global Identifier Conflicts on the Web
JavaScript is widely used to implement client-side web applications, and it is common to include JavaScript code from many different hosts. However, in a web browser, all scripts loaded in the same frame share a single global namespace. As a result, a script may read or even overwrite the global objects or functions of other scripts, causing unexpected behavior. For example, a script can redefine a function from a different script as an object, so that any call to that function throws an exception at run time.
In this paper, we systematically investigate the client-side JavaScript code integrity problem caused by JavaScript global identifier conflicts. We developed a browser-based analysis framework, JSObserver, to collect and analyze the write operations that JavaScript code performs on global memory locations. Using JSObserver on the Alexa top 100K websites, we identified three categories of conflicts and detected 145,918 conflicts on 31,615 websites.
We reveal that JavaScript global identifier conflicts are prevalent and can cause behavior deviation at run time. In particular, we discovered that 1,611 redefined functions were called after being overwritten, and that many scripts modified the value of cookies or redefined cookie-related functions. Our research demonstrates that JavaScript global identifier conflicts are an emerging threat to both web users and the integrity of web applications.
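The function-redefined-as-object case from the abstract, as an added example that is not JSObserver's code or part of the paper: a toy logger records every write to a stand-in global object together with the writing script, then reports names written by more than one script. The helper names (`makeObservedGlobal`, `findConflicts`, `demo`) and the script URLs are hypothetical and constructed for illustration.

```javascript
// Added example: a toy write-logger, not JSObserver's implementation.
// `win` stands in for the global object shared by all scripts in a frame.
function makeObservedGlobal() {
  const log = [];                    // one entry per write: {name, script, type}
  const state = { current: null };   // URL of the script currently executing
  const win = new Proxy({}, {
    set(target, name, value) {
      log.push({ name: String(name), script: state.current, type: typeof value });
      target[name] = value;
      return true;
    },
  });
  // Run one "script" (a function receiving the shared global) under a given URL.
  const run = (url, body) => {
    state.current = url;
    try { body(win); } finally { state.current = null; }
  };
  return { win, log, run };
}

// Report globals written by more than one script, flagging value-type changes.
function findConflicts(log) {
  const last = new Map();            // name -> most recent write
  const conflicts = [];
  for (const w of log) {
    const prev = last.get(w.name);
    if (prev && prev.script !== w.script) {
      conflicts.push({ name: w.name, definedBy: prev.script, overwrittenBy: w.script,
                       from: prev.type, to: w.type, typeChanged: prev.type !== w.type });
    }
    last.set(w.name, w);
  }
  return conflicts;
}

function demo() {
  const { log, run } = makeObservedGlobal();
  // Constructed sample scripts from two different hosts.
  run('https://a.example/analytics.js', (w) => { w.track = (e) => 'sent:' + e; });
  run('https://b.example/widget.js', (w) => { w.track = { enabled: true }; });
  let error = null;
  // The first script later calls its own function, which is now an object.
  run('https://a.example/analytics.js', (w) => {
    try { w.track('click'); } catch (e) { error = e; }
  });
  return { conflicts: findConflicts(log), error };
}
```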
Tue 10 Nov. Displayed time zone: (UTC) Coordinated Universal Time
01:00 - 01:30
01:00 | 2m | Talk | A Behavioral Notion of Robustness for Software Systems | Research Papers | Changjian Zhang (Carnegie Mellon University, USA), David Garlan (Carnegie Mellon University, USA), Eunsuk Kang (Carnegie Mellon University, USA)
01:03 | 1m | Talk | C2S: Translating Natural Language Comments to Formal Program Specifications | Research Papers | Juan Zhai (Rutgers University, USA), Yu Shi (Purdue University, USA), Minxue Pan (Nanjing University, China), Guian Zhou (Nanjing University, China), Yongxiang Liu (Nanjing University, China), Chunrong Fang (Nanjing University, China), Shiqing Ma (Rutgers University, USA), Lin Tan (Purdue University, USA), Xiangyu Zhang (Purdue University)
01:05 | 1m | Talk | Detecting and Understanding JavaScript Global Identifier Conflicts on the Web | Research Papers | Mingxue Zhang (Chinese University of Hong Kong, China), Wei Meng (Chinese University of Hong Kong, China)
01:07 | 1m | Talk | PAClab: A Program Analysis Collaboratory | Tool Demos | Rebecca Brunner (Bowling Green State University, USA), Robert Dyer (University of Nebraska - Lincoln), Maria Paquin (Boise State University), Elena Sherman (Boise State University)
01:09 | 1m | Talk | Towards Learning Visual Semantics | Visions and Reflections | Haipeng Cai (Washington State University, USA), Shiv Raj Pant (Washington State University, USA), Wen Li
01:11 | 1m | Talk | WebJShrink: A Web Service for Debloating Java Bytecode | Tool Demos | Konner Macias (University of California at Los Angeles, USA), Mihir Mathur (University of California, Los Angeles), Bobby Bruce (University of California at Davis, USA), Tianyi Zhang (Harvard University, USA), Miryung Kim (University of California at Los Angeles, USA)
01:13 | 17m | Talk | Conversations on Analysis 1 | Research Papers | Juan Zhai (Rutgers University, USA), Changjian Zhang (Carnegie Mellon University, USA), Konner Macias (University of California at Los Angeles, USA), Haipeng Cai (Washington State University, USA), Mingxue Zhang (Chinese University of Hong Kong, China), Robert Dyer (University of Nebraska - Lincoln), M: Shin Hwei Tan (Southern University of Science and Technology)