Gelato: Feedback-driven and Guided Security Analysis of Client-side Web Applications
This addresses the problem of insufficient security analysis for modern web applications, which is crucial for developers and security researchers, though it appears incremental by building on existing crawling and taint analysis methods.
The paper tackles the challenge of analyzing complex client-side JavaScript applications for security vulnerabilities by proposing Gelato, a feedback-driven guided crawler that increases coverage of security-sensitive parts and a lightweight taint analysis that outperforms state-of-the-art tools, reporting non-trivial taint flows without browser modifications.
Even though a lot of effort has been invested in analyzing client-side web applications during the past decade, the existing tools often fail to deal with the complexity of modern JavaScript applications. However, from an attacker point of view, the client side of such web applications can reveal invaluable information about the server side. In this paper, first we study the existing tools and enumerate the most crucial features a security-aware client-side analysis should be supporting. Next, we propose GELATO to detect vulnerabilities in modern client-side JavaScript applications that are built upon complex libraries and frameworks. In particular, we take the first step in closing the gap between state-aware crawling and client-side security analysis by proposing a feedback-driven security-aware guided crawler that is able to analyze complex frameworks automatically, and increase the coverage of security-sensitive parts of the program efficiently. Moreover, we propose a new lightweight client-side taint analysis that outperforms the start-of-the-art tools, requires no modification to browsers, and reports non-trivial taint flows on modern JavaScript applications.