Isolating JavaScript in Dynamic Code Environments

Antonis Krithinakis, Elias Athanasopoulos, Evangelos P. Markatos
Institute of Computer Science, Foundation for Research and Technology - Hellas
{krithin,elathan,markatos}@ics.forth.gr

Abstract

We analyze the source code of four well-known large web applications, namely WordPress, phpBB, phpMyAdmin and Drupal. We want to quantify the level of language intermixing in modern web applications and, if possible, we want to categorize all coding idioms that involve intermixing of JavaScript with a server-side programming language, like PHP. Our analysis processes more than half of a million of LoCs and identifies about 1,000 scripts. These scripts contain 163 cases, where the source code is mixed in a way that is hard to isolate JavaScript from PHP. We manually investigate all 163 scripts and proceed in a classification scheme of five distinct classes. Our analysis can be beneficial for all applications that apply operations in the client-side part of a web application, various XSS mitigation schemes, as well as code refactoring and optimization tools.

Categories and Subject Descriptors: D.2.3 [Software Engineering]: Coding Tools and Techniques

General Terms: Languages, Security

modern web applications are based on frameworks that combine multiple server-side and client-side technologies for producing dynamic content. In these applications, isolating one technology from the other is not considered a trivial task. For example, consider a script written in PHP (a server-side language) which dynamically produces JavaScript source code. This is a code-mixing case where PHP and JavaScript are intermixed. The JavaScript source code structure is not complete prior the execution of the PHP script.

To the best of our knowledge, there has been no systematic effort for identifying how client-side and server-side languages intermix together in modern web applications and how hard is to isolate the one from the other. In this paper we try to identify the level of intermixing between different programming languages in web applications that enable real-world web sites. More precisely, we analyze the source code of four popular applications, namely phpBB, WordPress, phpMyAdmin and Drupal. Our findings suggest that all these web applications are experiencing mixing of PHP and J
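The code-mixing case described above (PHP that dynamically produces JavaScript) can be made concrete with a small scanner. This is an added example, not the paper's tooling or its five-class scheme: the three labels, the function names and the PHP samples are assumptions constructed for illustration.

```python
import re

# Constructed PHP sources (not taken from the four applications studied).
SAMPLES = {
    "static.php": '<html><script>var n = 1; alert(n);</script></html>',
    "mixed.php": '<script>var user = "<?php echo $name; ?>";\n'
                 '<?php if ($admin) { ?>showPanel();<?php } ?></script>',
    "echoed.php": '<?php echo "<script>var id = " . $id . ";</script>"; ?>',
}

# A PHP block runs from "<?php" or "<?=" to "?>" (or to end of file,
# since PHP allows the closing tag to be omitted).
PHP_BLOCK = re.compile(r"<\?(?:php\b|=).*?(?:\?>|\Z)", re.S)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

def classify(source):
    """Label how JavaScript and PHP relate in one source file (hypothetical labels)."""
    # JavaScript emitted from inside PHP code, e.g. through echo'd string literals.
    for php in PHP_BLOCK.finditer(source):
        if re.search(r"<script\b", php.group(0), re.I):
            return "js-inside-php"
    bodies = [m.group(1) for m in SCRIPT.finditer(source)]
    if not bodies:
        return "no-js"
    # A <script> in template text whose body still contains PHP blocks.
    if any(PHP_BLOCK.search(body) for body in bodies):
        return "php-inside-js"
    return "static-js"

def js_skeleton(source):
    """Return each template <script> body with PHP blocks replaced by a hole.

    The holes show why the JavaScript structure is incomplete before the
    PHP script runs: values and whole statements depend on server state.
    """
    return [PHP_BLOCK.sub("/*PHP*/", m.group(1)) for m in SCRIPT.finditer(source)]

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, classify(src), js_skeleton(src))
```

Only the `static-js` file can be isolated by reading the source alone; the other two need the PHP to run, or an analysis of it, before the final JavaScript is known.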