Untrusted JS Detection with Chrome Dev Tools and static code analysis

Jun 1, 20170 likes120 views

1. The document discusses using Chrome Developer Tools and static code analysis to detect untrusted JavaScript. It describes profiling JavaScript execution in web apps using the Chrome Developer Tools Profiles Panel and analyzing JavaScript code statically to detect suspicious URLs. 2. The Chrome Developer Tools allows debugging JavaScript, identifying performance issues, and understanding memory usage. The CPU Profiling feature logs information about JavaScript function names, URLs, time metrics, and call hierarchies. 3. Static code analysis of JavaScript uses a Wget command line tool to parse code and look for external URLs, which are categorized and logged to a testing database.

Università degli Studi del Sannio
Sicurezza delle Reti e dei Sistemi Software
Prof. Corrado Aaron Visaggio
Guerrera Alessandro
Micco Enrico
399/40
399/38
UntrustedJSDetection
withChromeDevToolsand
staticcodeanalyzer

Future Web with HTML 5
• No longer just a draft
• Only best with CSS 3 and JavaScript
• JavaScript emerged in web and mobile app
development
Sicurezza delle Reti e dei Sistemi Software

HTML 5 risks
• Client-side execution
• XSS vulnerabilities with new tags
• Client-side Database
• Web storage and SQL injection
• Web Sockets
• Web Workers (JavaAcript)

• It is a part of standard Chrome distribution
• Used for:
• Debugging JavaScript
• Identifying performance issues
• Understanding memory usage
Chrome Developer Tools

Chrome Developer Tools
• Profiles Panel: CPU

CPU Profiling
• JS profiling output:
{"head":{"functionName":"(root)","url":"","lineNumber":0,"tot
alTime":54969.14940502423,"selfTime":0,"numberOfCalls“:0,"vis
ible":true,"callUID":3671317361,"children":[{"functionName":"
(program)","url":"","lineNumber":0,"totalTime":37895.14804279
017,"selfTime":37895.14804279017,"numberOfCalls":0,"visible":
true,"callUID":3079893573,"children“:[],"id":2},{"functionNam
e":"(anonymousfunction)"function)","url":"chromeextension://e
panfjkfahimkgomnigadpkobaefekcd/webkit/chrome/content.js","li
neNumber":6,"totalTime":9.014784246163707,"selfTime":0,"numbe
rOfCalls":0,"visible“:true,"callUID":1398769603,"children":[{
"functionName":"bridge.extension.sendRequest","url":"chrome-
extension://epanfjkfahimkgomnigadpkobaefekcd/webkit/chrome/co
ntent.js“,"lineNumber":3,"totalTime":9.014784246163707,"selfT
ime":0,"numberOfCalls":0,"visible":true,"callUID":2480584708,
"children":[{"functionName":"(anonymous…

$JavaScript static code analysis /*! jQuery v1.7 jquery.com | jquery.org/license @JsDoNotOptimize */(function(a,b){function cA(a){return f.isWindow(a)?a:a.nodeType= ==9?a.defaultView||a.parent Window:!1}function cx(a){if(!cm[a]){var b=c.body,d=f("<"+a+">").app endTo(b),e=d.css("display") ;d.remove();if(e==="none"|| e===""){cn||(cn=c.createEle ment("iframe"),cn.frameBord er=cn.width=cn.height=0),b. appendChild(cn)… http://www.facebook.com/dia log/feed? http://pinterest.com/pin/cr eate/button/? http://reco.stratus.qa.ebay .com http://p.ebaystatic.com/aw/ home/feed/spinner_lrg.gif … • JS static parser:$

Static JS Analyzer
Wget command line tool JS code parser in Java

Testing
• URLs list group by category:
1. Audio-video
2. Banking
3. Cooking
4. Ecommerce
5. Education
6. Gardening
7. Government
8. Medical
9. Motori Di Ricerca
10. …

Testing Database
Dynamic Analysis Dynamic Analysis

Testing results
• Metrics:
1. Max JS function execution time
2. Avg JS function execution time
3. Max JS function calls number
4. Avg JS function calls number
5. Total URL number
6. Extern URL ratio

Testing results
0
500
1000
1500
2000
2500
Max JS function execution time

Testing results
0
1000
2000
3000
4000
5000
6000
Avg JS function execution time

Testing results
0
0,5
1
1,5
2
2,5
3
3,5
4
4,5
Max JS function calls number

Testing results
0
100
200
300
400
500
600
700
800
900
1000
Avg JS function calls number

Testing results
0
20
40
60
80
100
120
140
160
180
Total URL number

Testing results
0
0,2
0,4
0,6
0,8
1
1,2
Extern URL ratio

This document discusses marker-based augmented reality on mobile devices. It describes using black and white markers to recognize 3D models and render them over the camera view in real-time. The key steps are importing 3D models, recognizing markers in video frames using OpenCV, and rendering the associated 3D models using OpenGL. The application loads 3D models from XML files, detects markers to identify models, and displays the augmented reality view on iPhone/iPad.

Session 42 - Struts 2 Hibernate IntegrationPawanMM

Security asp.net applicationZAIYAUL HAQUE

This document provides an overview of security in ASP.NET applications. It discusses authentication, which verifies a user's identity, and authorization, which determines what authorized users are allowed to do. Authentication can be done through forms, Windows, or Passport authentication. Authorization uses roles to group users and access rules to allow or deny access to pages. Security settings are configured in the web.config file. The document also discusses SSL and how it encrypts data in transit for secure connections.

Lecture 05 web_applicationframeworksk. Nour el houda SLIMANI

The document discusses web application frameworks and provides examples using Apache Struts 2 and Spring frameworks. It defines a web application framework as software designed to support dynamic website and web application development. It then covers key aspects of the Struts 2 and Spring frameworks like the MVC architecture, configuration, tag libraries, and provides a Hello World example using Struts 2.

Struts BasicsHarjinder Singh

The document provides an overview of Struts, an open source MVC framework for building web applications in Java. It discusses the key components of Struts, including the controller, request processor, actions, and action mappings. The controller acts as the central coordinator and uses action mappings configured in XML to route requests to the appropriate actions. Actions perform business logic and return a forwarding path. The framework handles request processing and forwarding the response to the corresponding view.

Struts(mrsurwar) pptmrsurwar

This document discusses the Struts framework, which uses the Model-View-Controller (MVC) design pattern to separate the display logic from the business logic in Java-based web applications. It describes the core components of Struts, including the base framework, tag libraries, tiles plugin, and validator plugin. It also explains the MVC architecture, with the model managing the data/services, the view generating responses, and the controller handling requests and coordinating the model and view. In conclusion, the document notes that Struts takes complexity out of web application development and provides a stable, feature-rich, and flexible open-source platform.

Introduction to Struts 1.3Ilio Catallo

This document provides an introduction to Jakarta Struts 1.3, an open source MVC framework for building Java web applications. It discusses the limitations of using the traditional MVC pattern for web applications due to HTTP's stateless nature. Struts implements an MVC2 pattern to address this, using the controller to manage state. The core Struts components like ActionForms, Actions, and ActionMappings are explained. It also covers setting up the Struts controller through configuration files, defining forms and actions, and creating views with JSP and custom tag libraries.

AJAX Security - LAC2016Julia Logan a.k.a. IrishWonder

This document discusses security considerations for AJAX applications. It notes that while AJAX itself is not inherently less secure, the increased complexity presents extra risks. Typical vulnerabilities include XSS and SQL injection from user input, and unauthorized access to files on the server. Popular CMS platforms like WordPress that include AJAX functionality can be targets if not updated properly. A common scenario involves credentials being displayed unencoded in URLs and then sent back to servers without authentication, allowing hacking. The document provides recommendations like proper user input validation, authentication, authorization, and use of HTTPS to help secure AJAX applications.

Struts introductionMuthukumaran Subramanian

Apache Struts is an open source MVC framework for developing Java web applications. It divides applications into three parts - the model contains application logic and database connection code, the view is the user interface like HTML/JSP pages, and the controller acts as an interface between the user and model. Struts uses the MVC pattern to separate business logic from presentation for easy maintenance of web applications.

Struts presentationNicolaescu Petru

This document discusses the Struts framework for building Java web applications using the MVC pattern. It provides a history of web technologies and frameworks, an overview of the Model 1 and Model 2 approaches, and a detailed look at how Struts implements the MVC pattern. Key aspects of Struts covered include the front controller, action classes, configuration file, tags, and request lifecycle. The document also briefly compares Struts to other frameworks like Django and Ruby on Rails.

Browser Security 101 Stormpath

Join Stormpath Developer Evangelist, Robert Damphousse, to dive deep into browser security. Robert will explain how Session IDs, Man in the Middle (MITM), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) attacks work, and how to use cookies to support security best practices. Topics Covered: - Security concerns for modern web apps - Cookies, the right way - MITM, XSS, and CSRF attacks - Session ID problems - Examples in an Angular app

Strutss4al_com

Day8madamewoolf

The document discusses AJAX, presentation layer security, and web attacks. It introduces AJAX, explaining that it uses asynchronous JavaScript and XML to improve performance by avoiding full page reloads and transferring smaller amounts of data. It then covers AJAX flow and the difference between postback and callbacks. Various web attacks are described like resource enumeration, parameter manipulation, cross-site scripting, and prevention techniques. AJAX security issues and how attacks differ for traditional vs. AJAX applications are also summarized. The document concludes with assigning a lab and mentioning references.

Step by Step Guide for building a simple Struts Applicationelliando dias

This document provides a step-by-step guide for building a simple Struts application. It outlines 8 steps: 1) Create the development directory structure, 2) Write the web.xml file, 3) Write the struts-config.xml file, 4) Write ActionForm classes, 5) Write Action classes, 6) Create resource properties files, 7) Write JSP pages, and 8) Write the Ant build script. For each step, it provides details on what to include and examples of code.

Session 41 - Struts 2 IntroductionPawanMM

ASP.NET Web SecuritySharePointRadi

The document discusses various web security topics such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and parameter tampering. It provides examples of these vulnerabilities and methods to prevent them, including input validation, output encoding, anti-forgery tokens, and limiting exposed functionality. The document is intended as an educational guide on common web security issues and best practices.

Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah

The document summarizes Shreeraj Shah's presentation on securing Ajax and web services. It discusses trends in web 2.0 technologies like Ajax and web services being adopted by many companies, and outlines various attacks and defenses related to securing these technologies, including cross-site scripting, injection flaws, and insecure direct object references in web services. It also proposes methodologies for assessing web services security, including footprinting, profiling, scanning for vulnerabilities, and implementing defenses like firewalls and secure coding practices.

Design & Development of Web Applications using SpringMVC Naresh Chintalcheru

Spring MVC is a web MVC framework that provides a reusable presentation layer for web applications. It removes boilerplate code and standardizes navigation flow and validation. Spring MVC controllers handle HTTP requests and delegate work to service objects. It uses the front controller design pattern and is view-agnostic, allowing different view technologies. Spring MVC applications are configured through XML files and use annotations for components and request mapping.

Struts course materialVibrant Technologies & Computers

ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson

The OWASP Top 10 provides a list of the 10 most critical web application security risks. How do these relate to AngularJS applications? What security vulnerabilities should developers be aware of beyond XSS and CSRF? This session will review the OWASP Top 10 with a front-end development focus on HTML and JavaScript. It will look at patterns to implement and others to consider avoiding. We will also explore several built-in features of AngularJS that help secure your application.

ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy

In this session Les Hazlewood, the Apache Shiro PMC Chair, will cover Shiro's enterprise session management capabilities, how it can be used across any application (not just web or JEE applications) and how to use Cassandra as Shiro's session store, enabling a distributed session cluster supporting hundreds of thousands or even millions of concurrent sessions. As a working example, Les will show how to set up a session cluster in under 10 minutes using Cassandra. If you need to scale user session load, you won't want to miss this!

Asp.Net MVC3 - BasicsSaravanan Subburayal

The document discusses the basics of ASP.Net MVC, including: - The MVC pattern separates application logic into three components: Model, View, Controller - ASP.Net MVC aims to follow the MVC pattern and improve on ASP.Net Web Forms by allowing for more testable code and cleaner URLs - The core components in ASP.Net MVC are controllers which handle requests and select views, views which generate the UI, and models which contain app data and logic

Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal

The document discusses avoiding cross-site scripting (XSS) attacks. It notes that while some experts say XSS protection is easy, it can actually be challenging. It provides statistics on how common XSS errors are. It then discusses the risks of XSS attacks, including stealing data from clients or servers and exploiting browsers. It explains different types of XSS attacks and demonstrates examples. The document emphasizes the importance of input validation and output encoding to prevent XSS. It also discusses challenges like DOM-based XSS and provides recommendations for developing secure code.

Struts 1Lalit Garg

Struts2.x is a MVC framework that implements the MVC pattern using Java technologies. It divides an application into model, view, and controller components. The model are Java classes that represent the application's data and business logic. Views are JSP pages that represent the user interface. The controller is a servlet filter that routes requests to actions and returns the appropriate view. Struts provides tags and libraries that make building MVC web apps with features like validation easier compared to plain JSP/Servlet programming.

Token Authentication in ASP.NET CoreStormpath

Learn Apache ShiroSmita Prasad

Apache Shiro is a security framework that provides authentication, authorization, cryptography and session management. It uses a SecurityManager to centrally manage security operations. A Realm acts as a bridge to connect Shiro to the application's security data source. Shiro supports user login via tokens, role-based authorization checks and permission-based authorization checks. It also provides hashing functions for cryptography and remembers user sessions.

J2EE Security with Apache SHIROCygnet Infotech

In this webinar, we focus specifically on how Apache SHIRO can help developers in providing better security architecture. You will also learn the following Application security is gaining critical attention due to increase in cyber-attacks and risks of business and financial losses. In the context of J2EE development and Java web application development, security concerns are addressed through multiple means. This informative 45 min session to understand approaches and strategies for building secure web applications. - Planning for Security: Authentication, Authorization, Session Management and Cryptography - Comparing Different Approaches for Security: JAAS, Spring, Grails - How to use the simplified universal approach of Apache SHIRO - A LIVE DEMO on using SHIRO to secure web applications If you have any query please write to us at [email protected]

How do JavaScript frameworks impact the security of applications?Ksenia Peguero

The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms. In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.

Continuous Integration: Live Static Analysis with Puma ScanCypress Data Defense

This document discusses using the Roslyn compiler API to build .NET static code analyzers. It begins with an overview of existing free and open source .NET static analysis tools. It then covers the basics of the Roslyn API and how to create a code analyzer that checks for weak password lengths in ASP.NET Identity. It also discusses challenges with analyzing non-code files and demonstrates a tool called Puma Scan that contains over 40 security rules for .NET applications. The document encourages contributions to help expand analysis capabilities and rule coverage.

Security for developersAbdelrhman Shawky

This document discusses security best practices for software developers. It covers topics like the secure software development lifecycle (SDLC), threat modeling, static code analysis, and resources for developers. The SDLC framework defines the process for building applications from start to finish. Threat modeling involves analyzing potential threats and vulnerabilities. Static code analysis tools can find security issues. Resources recommended include OWASP documentation and Microsoft's security engineering practices. The goal is to integrate security practices into development like training, requirements, testing, and incident response.

More Related Content

What's hot (19)

Struts introductionMuthukumaran Subramanian

Struts presentationNicolaescu Petru

Browser Security 101 Stormpath

Strutss4al_com

Day8madamewoolf

Step by Step Guide for building a simple Struts Applicationelliando dias

Session 41 - Struts 2 IntroductionPawanMM

ASP.NET Web SecuritySharePointRadi

Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah

Design & Development of Web Applications using SpringMVC Naresh Chintalcheru

Struts course materialVibrant Technologies & Computers

ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson

ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy

Asp.Net MVC3 - BasicsSaravanan Subburayal

Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal

Struts 1Lalit Garg

Token Authentication in ASP.NET CoreStormpath

Learn Apache ShiroSmita Prasad

J2EE Security with Apache SHIROCygnet Infotech

Struts introductionMuthukumaran Subramanian

Struts presentationNicolaescu Petru

Browser Security 101 Stormpath

Strutss4al_com

Day8madamewoolf

Step by Step Guide for building a simple Struts Applicationelliando dias

Session 41 - Struts 2 IntroductionPawanMM

ASP.NET Web SecuritySharePointRadi

Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah

Design & Development of Web Applications using SpringMVC Naresh Chintalcheru

Struts course materialVibrant Technologies & Computers

ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson

ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy

Asp.Net MVC3 - BasicsSaravanan Subburayal

Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal

Struts 1Lalit Garg

Token Authentication in ASP.NET CoreStormpath

Learn Apache ShiroSmita Prasad

J2EE Security with Apache SHIROCygnet Infotech

Similar to Untrusted JS Detection with Chrome Dev Tools and static code analysis (20)

How do JavaScript frameworks impact the security of applications?Ksenia Peguero

Continuous Integration: Live Static Analysis with Puma ScanCypress Data Defense

Security for developersAbdelrhman Shawky

Please, Please, PLEASE Defend Your Mobile Apps!Jerod Brennen

The document discusses how to strengthen the security of mobile apps. It recommends conducting source code reviews, security testing apps during QA, and analyzing deployed apps. It provides examples of security checks like reviewing for vulnerabilities and threats. The document also shares tools for analyzing iOS and Android apps, such as reverse engineering toolkits and decompiling APK files. Resources are listed for tasks like monitoring network traffic and examining app databases and files.

Software Analytics: Data Analytics for Software Engineering and SecurityTao Xie

Frodo Baggins presents on software analytics for software engineering and security tasks. The presentation discusses how software and how it is built and used is changing, with data now being ubiquitous and software having continuous development and release. Software analytics aims to enable software practitioners to perform data exploration and analysis to obtain useful insights. Examples of software analytics techniques discussed include XIAO for scalable code clone analysis, and SAS for incident management of online services. The presentation then shifts to discussing software analytics techniques for mobile app security, including WHYPER for natural language processing on app descriptions to link permissions to functionality, and AppContext for machine learning to classify malware.

Code Quality - Securitysedukull

Badneedlesdimisec

Application Security ToolsLalit Kale

This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I tried to cover Application Security Tools that can be helpful for analyzing security threats as well as putting up some defense . This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.

JavaScript Engine and WebAssemblyChanghwan Yi

This document discusses JavaScript engines and WebAssembly. It describes several popular JavaScript engines like SpiderMonkey, V8, and Chakra. It explains how SpiderMonkey evolved through different optimizations like TraceMonkey and IonMonkey. It also discusses emscripten which compiles C/C++ to JavaScript, and asm.js which aimed for native performance from browser apps. Finally, it introduces WebAssembly as a binary format that can be decoded much faster than JavaScript and avoids constraints of asm.js while maintaining the same functionality and security permissions.

Attacking and Defending Mobile ApplicationsJerod Brennen

How to generate customized java 8 code from your databaseSpeedment, Inc.

Did you know that database classes, that require many lines of Java and SQL code, may be replaced with a single line of Java 8 code? In this tutorial session you will learn how to use standard Java 8 Streams as an alternative to traditional Object Relational Mappers (ORM). We will use the open-source tool Speedment to show how development speed can be increased and how the application code can be more concise and run faster.

Silicon Valley JUG - How to generate customized java 8 code from your databaseSpeedment, Inc.

The best code is the one you never need to write. Using code generation and automated builds you can minimize the risk of human error when developing software, but how do you maintain control over code when large parts of it is handed over to a machine? In this tutorial, you will learn how to use open-source software to create and control code automation. You will see how you can generate a completely object-oriented domain model by automatically analyzing your database schemas. Every aspect of the process is transparent and configurable, giving you as a developer 100% control of the generated code. This will not only increase your productivity, but also help you build safer and more maintainable Java applications.

WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsVagner Santana

This document proposes a framework for securely reusing Web 2.0 widgets using JavaScript. It discusses common security attacks related to JavaScript like XSS and CSRF. The framework uses a proxy pattern to mediate cross-domain requests and ensure proper filtering of content at the client. It assumes the web page and communication channels are secure and free of vulnerabilities. The overall architecture is inspired by MVC and templates are used to embed filtered UI components from widgets. The framework aims to address gaps in the literature around securely enabling cross-domain functionality without requiring changes from users.

Web development tips and tricksmaxo_64

This document provides an overview of web development tips and tricks. It defines a web application and examples like social networks. It describes the typical architecture with storage, server, and client tiers. It discusses choosing relational or NoSQL databases for storage and securing the server tier against attacks. It also covers optimizing performance through caching, compression, and scalability methods. Lastly, it touches on client-side programming, user experience best practices, and ensuring browser compatibility.

JavaOne2016 - How to Generate Customized Java 8 Code from Your Database [TUT4...Speedment, Inc.

The best code is the one you never need to write. Using code generation and automated builds, you can minimize the risk of human error when developing software, but how do you maintain control over code when large parts of it are handed over to a machine? In this tutorial, you will learn how to use open source software to create and control code automation. You will see how you can generate a completely object-oriented domain model by automatically analyzing your database schemas. Every aspect of the process is transparent and configurable, giving you, as a developer, 100 percent control of the generated code. This will not only increase your productivity but also help you build safer, more maintainable Java applications and is a perfect solution for Microservices.

How to JavaOne 2016 - Generate Customized Java 8 Code from Your Database [TUT...Malin Weiss

Modern Web 2019 從零開始加入自動化資安測試Secview

CI/CD 是現在企業常用的開發流程，敏捷的開發速度自然需要自動化的流程幫助我們加速驗證和部署。但為了求快速，資安測試和檢查往往在開發流程中會被捨去。議題會大致分成兩大部分：資安測試以及 DevSecOps。這次議題內容會講解如何在現有的 DevOps 開發文化中，加上自動化的資安測試。會介紹像是靜態測試（SAST）和動態測試（DAST），以及要套用哪些標準來提升測試的價值。並且以自身經驗，跟大家分享要導入這些資安測試時，在 CI/CD 每個階段不同的需求和做法。同時也會簡單介紹 DevSecOps，希望能將資安融入在快速、敏捷開發的文化中，讓產品可以不斷推進，產品也可以持續保持在足夠的安全性上。

A Dynamic Analysis Framework for Front-end JavaScriptLiang Gong

A dynamic analysis framework for front-end JavaScript. It allows you to plug in your analysis code to analyse JavaScript code running in any real-world websites. This framework is programmable and extensible. Like Pin, Valgrind, Dynamorio for C\C++, Jalangi Firefox extension instrument JavaScript code in webpage to facilitate different kinds of program analysis, for example, profiling, taint analysis, object allocation tracking, finding bugs, detecting performance issues, or even heavy weight analysis like symbolic execution or concolic execution. Please check out our project website: https://www.eecs.berkeley.edu/~gongliang13/jalangi_ff/

Code Review with SonarMax Kleiner

Vulnerabilities in modern web applicationsNiyas Nazar

How do JavaScript frameworks impact the security of applications?Ksenia Peguero

Continuous Integration: Live Static Analysis with Puma ScanCypress Data Defense

Security for developersAbdelrhman Shawky

Please, Please, PLEASE Defend Your Mobile Apps!Jerod Brennen

Software Analytics: Data Analytics for Software Engineering and SecurityTao Xie

Code Quality - Securitysedukull

Badneedlesdimisec

Application Security ToolsLalit Kale

JavaScript Engine and WebAssemblyChanghwan Yi

Attacking and Defending Mobile ApplicationsJerod Brennen

How to generate customized java 8 code from your databaseSpeedment, Inc.

Silicon Valley JUG - How to generate customized java 8 code from your databaseSpeedment, Inc.

WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsVagner Santana

Web development tips and tricksmaxo_64

JavaOne2016 - How to Generate Customized Java 8 Code from Your Database [TUT4...Speedment, Inc.

How to JavaOne 2016 - Generate Customized Java 8 Code from Your Database [TUT...Malin Weiss

Modern Web 2019 從零開始加入自動化資安測試Secview

A Dynamic Analysis Framework for Front-end JavaScriptLiang Gong

Code Review with SonarMax Kleiner

Vulnerabilities in modern web applicationsNiyas Nazar

Recently uploaded (20)

Cybersecurity Identity and Access Solutions using Azure ADVICTOR MAESTRE RAMIREZ

Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveScyllaDB

Want to learn practical tips for designing systems that can scale efficiently without compromising speed? Join us for a workshop where we’ll address these challenges head-on and explore how to architect low-latency systems using Rust. During this free interactive workshop oriented for developers, engineers, and architects, we’ll cover how Rust’s unique language features and the Tokio async runtime enable high-performance application development. As you explore key principles of designing low-latency systems with Rust, you will learn how to: - Create and compile a real-world app with Rust - Connect the application to ScyllaDB (NoSQL data store) - Negotiate tradeoffs related to data modeling and querying - Manage and monitor the database for consistently low latencies

Build 3D Animated Safety Induction - Tech EHSTECH EHS Solution

Train Smarter, Not Harder – Let 3D Animation Lead the Way! Discover how 3D animation makes inductions more engaging, effective, and cost-efficient. Check out the slides to see how you can transform your safety training process! Slide 1: Why 3D animation changes the game Slide 2: Site-specific induction isn’t optional—it’s essential Slide 3: Visitors are most at risk. Keep them safe Slide 4: Videos beat text—especially when safety is on the line Slide 5: TechEHS makes safety engaging and consistent Slide 6: Better retention, lower costs, safer sites Slide 7: Ready to elevate your induction process? Can an animated video make a difference to your site's safety? Let's talk.

Greenhouse_Monitoring_Presentation.pptx.hpbmnnxrvb

Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity

This session is designed to equip developers with the skills needed to build mission-critical, end-to-end processes that seamlessly orchestrate agents, people, and robots. 📕 Here's what you can expect: - Modeling: Build end-to-end processes using BPMN. - Implementing: Integrate agentic tasks, RPA, APIs, and advanced decisioning into processes. - Operating: Control process instances with rewind, replay, pause, and stop functions. - Monitoring: Use dashboards and embedded analytics for real-time insights into process instances. This webinar is a must-attend for developers looking to enhance their agentic automation skills and orchestrate robust, mission-critical processes. 👨‍🏫 Speaker: Andrei Vintila, Principal Product Manager @UiPath This session streamed live on April 29, 2025, 16:00 CET. Check out all our upcoming Dev Dives sessions at https://community.uipath.com/dev-dives-automation-developer-2025/.

Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul

Artificial intelligence is changing how businesses operate. Companies are using AI agents to automate tasks, reduce time spent on repetitive work, and focus more on high-value activities. Noah Loul, an AI strategist and entrepreneur, has helped dozens of companies streamline their operations using smart automation. He believes AI agents aren't just tools—they're workers that take on repeatable tasks so your human team can focus on what matters. If you want to reduce time waste and increase output, AI agents are the next move.

HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungenpanagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-nomad-web-best-practices-und-verwaltung-von-multiuser-umgebungen/ HCL Nomad Web wird als die nächste Generation des HCL Notes-Clients gefeiert und bietet zahlreiche Vorteile, wie die Beseitigung des Bedarfs an Paketierung, Verteilung und Installation. Nomad Web-Client-Updates werden “automatisch” im Hintergrund installiert, was den administrativen Aufwand im Vergleich zu traditionellen HCL Notes-Clients erheblich reduziert. Allerdings stellt die Fehlerbehebung in Nomad Web im Vergleich zum Notes-Client einzigartige Herausforderungen dar. Begleiten Sie Christoph und Marc, während sie demonstrieren, wie der Fehlerbehebungsprozess in HCL Nomad Web vereinfacht werden kann, um eine reibungslose und effiziente Benutzererfahrung zu gewährleisten. In diesem Webinar werden wir effektive Strategien zur Diagnose und Lösung häufiger Probleme in HCL Nomad Web untersuchen, einschließlich - Zugriff auf die Konsole - Auffinden und Interpretieren von Protokolldateien - Zugriff auf den Datenordner im Cache des Browsers (unter Verwendung von OPFS) - Verständnis der Unterschiede zwischen Einzel- und Mehrbenutzerszenarien - Nutzung der Client Clocking-Funktion

Into The Box Conference Keynote Day 1 (ITB2025)Ortus Solutions, Corp

Vaibhav Gupta BAML: AI work flows without Hallucinationsjohn409870

Shipping Agents Vaibhav Gupta Cofounder @ Boundary in/vaigup boundaryml/baml Imagine if every API call you made failed only 5% of the time boundaryml/baml Imagine if every LLM call you made failed only 5% of the time boundaryml/baml Imagine if every LLM call you made failed only 5% of the time boundaryml/baml Fault tolerant systems are hard but now everything must be fault tolerant boundaryml/baml We need to change how we think about these systems Aaron Villalpando Cofounder @ Boundary Boundary Combinator boundaryml/baml We used to write websites like this: boundaryml/baml But now we do this: boundaryml/baml Problems web dev had: boundaryml/baml Problems web dev had: Strings. Strings everywhere. boundaryml/baml Problems web dev had: Strings. Strings everywhere. State management was impossible. boundaryml/baml Problems web dev had: Strings. Strings everywhere. State management was impossible. Dynamic components? forget about it. boundaryml/baml Problems web dev had: Strings. Strings everywhere. State management was impossible. Dynamic components? forget about it. Reuse components? Good luck. boundaryml/baml Problems web dev had: Strings. Strings everywhere. State management was impossible. Dynamic components? forget about it. Reuse components? Good luck. Iteration loops took minutes. boundaryml/baml Problems web dev had: Strings. Strings everywhere. State management was impossible. Dynamic components? forget about it. Reuse components? Good luck. Iteration loops took minutes. Low engineering rigor boundaryml/baml React added engineering rigor boundaryml/baml The syntax we use changes how we think about problems boundaryml/baml We used to write agents like this: boundaryml/baml Problems agents have: boundaryml/baml Problems agents have: Strings. Strings everywhere. Context management is impossible. Changing one thing breaks another. New models come out all the time. Iteration loops take minutes. boundaryml/baml Problems agents have: Strings. Strings everywhere. Context management is impossible. Changing one thing breaks another. New models come out all the time. Iteration loops take minutes. Low engineering rigor boundaryml/baml Agents need the expressiveness of English, but the structure of code F*** You, Show Me The Prompt. boundaryml/baml <show don’t tell> Less prompting + More engineering = Reliability + Maintainability BAML Sam Greg Antonio Chris turned down openai to join ex-founder, one of the earliest BAML users MIT PhD 20+ years in compilers made his own database, 400k+ youtube views Vaibhav Gupta in/vaigup [email protected] boundaryml/baml Thank you!

SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfPrecisely

Top 10 IT Help Desk Outsourcing ServicesInfrassist Technologies Pvt. Ltd.

Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Aqusag Technologies

Linux Professional Institute LPIC-1 Exam.pdfRHCSA Guru

Unlocking the Power of IVR: A Comprehensive Guidevikasascentbpo

Heap, Types of Heap, Insertion and DeletionJaydeep Kale

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

At InData Labs, we have been keeping an ear to the ground, looking out for AI-enabled digital transformation trends coming our way in 2025. Our report will provide a look into the technology landscape of the future, including: -Artificial Intelligence Market Overview -Strategies for AI Adoption in 2025 -Anticipated drivers of AI adoption and transformative technologies -Benefits of AI and Big data for your business -Tips on how to prepare your business for innovation -AI and data privacy: Strategies for securing data privacy in AI models, etc. Download your free copy nowand implement the key findings to improve your business.

Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxAnoop Ashok

Build Your Own Copilot & Agents For DevsBrian McKeiver

MINDCTI revenue release Quarter 1 2025 PRMIND CTI

Role of Data Annotation Services in AI-Powered ManufacturingAndrew Leo

Cybersecurity Identity and Access Solutions using Azure ADVICTOR MAESTRE RAMIREZ

Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveScyllaDB

Build 3D Animated Safety Induction - Tech EHSTECH EHS Solution

Greenhouse_Monitoring_Presentation.pptx.hpbmnnxrvb

Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity

Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul

HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungenpanagenda

Into The Box Conference Keynote Day 1 (ITB2025)Ortus Solutions, Corp

Vaibhav Gupta BAML: AI work flows without Hallucinationsjohn409870

SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfPrecisely

Top 10 IT Help Desk Outsourcing ServicesInfrassist Technologies Pvt. Ltd.

Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Aqusag Technologies

Linux Professional Institute LPIC-1 Exam.pdfRHCSA Guru

Unlocking the Power of IVR: A Comprehensive Guidevikasascentbpo

Heap, Types of Heap, Insertion and DeletionJaydeep Kale

Technology Trends in 2025: AI and Big Data AnalyticsInData Labs

Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxAnoop Ashok

Build Your Own Copilot & Agents For DevsBrian McKeiver

MINDCTI revenue release Quarter 1 2025 PRMIND CTI

Role of Data Annotation Services in AI-Powered ManufacturingAndrew Leo

Untrusted JS Detection with Chrome Dev Tools and static code analysis

1. Università degli Studi del Sannio Sicurezza delle Reti e dei Sistemi Software Prof. Corrado Aaron Visaggio Guerrera Alessandro Micco Enrico 399/40 399/38 UntrustedJSDetection withChromeDevToolsand staticcodeanalyzer

2. Future Web with HTML 5 • No longer just a draft • Only best with CSS 3 and JavaScript • JavaScript emerged in web and mobile app development Sicurezza delle Reti e dei Sistemi Software

3. HTML 5 risks • Client-side execution • XSS vulnerabilities with new tags • Client-side Database • Web storage and SQL injection • Web Sockets • Web Workers (JavaAcript)

4. JavaScript Security Analysis • Dynamic analysis: Profile JavaScript execution in web apps Logging and post elaboration • Static Analysis: Detect suspicious URLs in JavaScript code (i.e. web workers) Trusted JavaScript vs Untrusted JavaScript

5. • It is a part of standard Chrome distribution • Used for: • Debugging JavaScript • Identifying performance issues • Understanding memory usage Chrome Developer Tools

6. Chrome Developer Tools • Profiles Panel: CPU

7. CPU Profiling • JS profiling output: {"head":{"functionName":"(root)","url":"","lineNumber":0,"tot alTime":54969.14940502423,"selfTime":0,"numberOfCalls“:0,"vis ible":true,"callUID":3671317361,"children":[{"functionName":" (program)","url":"","lineNumber":0,"totalTime":37895.14804279 017,"selfTime":37895.14804279017,"numberOfCalls":0,"visible": true,"callUID":3079893573,"children“:[],"id":2},{"functionNam e":"(anonymousfunction)"function)","url":"chromeextension://e panfjkfahimkgomnigadpkobaefekcd/webkit/chrome/content.js","li neNumber":6,"totalTime":9.014784246163707,"selfTime":0,"numbe rOfCalls":0,"visible“:true,"callUID":1398769603,"children":[{ "functionName":"bridge.extension.sendRequest","url":"chromeextension://epanfjkfahimkgomnigadpkobaefekcd/webkit/chrome/co ntent.js“,"lineNumber":3,"totalTime":9.014784246163707,"selfT ime":0,"numberOfCalls":0,"visible":true,"callUID":2480584708, "children":[{"functionName":"(anonymous…

8. CPU Profile logging • CPU profile information: 1. URL 2. Line Number 3. Function Name 4. Self Time 5. Total Time 6. CallUID 7. Visible

9. JavaScript static code analysis /*! jQuery v1.7 jquery.com | jquery.org/license @JsDoNotOptimize */(function(a,b){function cA(a){return f.isWindow(a)?a:a.nodeType= ==9?a.defaultView||a.parent Window:!1}function cx(a){if(!cm[a]){var b=c.body,d=f("<"+a+">").app endTo(b),e=d.css("display") ;d.remove();if(e==="none"|| e===""){cn||(cn=c.createEle ment("iframe"),cn.frameBord er=cn.width=cn.height=0),b. appendChild(cn)… http://www.facebook.com/dia log/feed? http://pinterest.com/pin/cr eate/button/? http://reco.stratus.qa.ebay .com http://p.ebaystatic.com/aw/ home/feed/spinner_lrg.gif … • JS static parser:

10. Dynamic JS Analyzer Chrome Dev Tools CPU profile parser in Java

11. Static JS Analyzer Wget command line tool JS code parser in Java

12. Testing • URLs list group by category: 1. Audio-video 2. Banking 3. Cooking 4. Ecommerce 5. Education 6. Gardening 7. Government 8. Medical 9. Motori Di Ricerca 10. …

13. Testing Database Dynamic Analysis Dynamic Analysis

14. Testing results • Metrics: 1. Max JS function execution time 2. Avg JS function execution time 3. Max JS function calls number 4. Avg JS function calls number 5. Total URL number 6. Extern URL ratio

15. Testing results 0 500 1000 1500 2000 2500 Max JS function execution time

16. Testing results 0 1000 2000 3000 4000 5000 6000 Avg JS function execution time

17. Testing results 0 0,5 1 1,5 2 2,5 3 3,5 4 4,5 Max JS function calls number

18. Testing results 0 100 200 300 400 500 600 700 800 900 1000 Avg JS function calls number

19. Testing results 0 20 40 60 80 100 120 140 160 180 Total URL number

20. Testing results 0 0,2 0,4 0,6 0,8 1 1,2 Extern URL ratio

Untrusted JS Detection with Chrome Dev Tools and static code analysis

Recommended

More Related Content

What's hot (19)

Similar to Untrusted JS Detection with Chrome Dev Tools and static code analysis (20)

Recently uploaded (20)

Untrusted JS Detection with Chrome Dev Tools and static code analysis