Vulnerabilities in JavaScript Web Applications (Zraniteľnosti v JavaScript webových aplikáciách)

Published: 2019-07-01 (last modified 2024-10-31)
Category: bachelor theses
Source: https://cyberawareness.sk/en/2019/07/01/zranitelnosti-v-javascript-webovych-aplikaciach/

Author: Bc. Marián Babic
Supervisor: MSc. Terézia Mézešová

Abstract

The JavaScript programming language is one of the three core technologies (together with HTML and CSS) on which modern web applications are built. Any application can contain bugs, but security vulnerabilities are the ones perceived most sensitively. In general, an application vulnerability is any error or imperfection in a program that can lead to a violation of the confidentiality, integrity or availability of any part of the system. The consequences of exploiting such a vulnerability vary; among the most serious are rendering the application non-functional and leaking sensitive information. Since JavaScript is used in the great majority of web applications, its vulnerabilities deserve close attention.

In this work we focused on selected classes of vulnerabilities, above all injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). For these vulnerabilities we analysed how they can be detected and the possible approaches to removing them. We then implemented a tool that detects these vulnerabilities in an application's source code and offers options for fixing them. Detection is performed by static analysis of the source code in real time; the supported programming languages are JavaScript and TypeScript.

Goals

- Analyse and document selected classes of vulnerabilities and the ways of detecting them in JavaScript web applications
- Analyse and document approaches to removing the selected classes of vulnerabilities in JavaScript web applications
- Design, implement and evaluate a tool for fixing the selected classes of vulnerabilities detected in JavaScript web applications

Literature

- Ryu, S., Park, J., Park, J.: Towards Analysis and Bug Finding of JavaScript Web Applications in the Wild. IEEE Software, 1-1 (2018).
- Sherman, E., Dwyer, M.B.: Structurally Defined Conditional Data-Flow Static Analysis. In: International Conference on Tools and Algorithms for the Construction and Analysis of Systems, pp. 249-265. Springer, Cham (2018).
- Saoji, T., Austin, T.H., Flanagan, C.: Using Precise Taint Tracking for Auto-sanitization. In: Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security (PLAS '17), pp. 15-24. ACM Press, New York (2017).
- Nicolay, J., Spruyt, V., De Roover, C.: Static Detection of User-specified Security Vulnerabilities in Client-side JavaScript. In: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security (PLAS '16), pp. 3-13 (2016).

Progress of the work

Not yet published.
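The abstract describes the detector as a static source-to-sink analysis of JavaScript/TypeScript source that also proposes fixes. The following is an added example written for this page, not the thesis tool or any of its code: a deliberately small, line-based taint analysis in JavaScript that marks values derived from untrusted sources (location.search, req.query, req.body and similar), propagates the mark through simple assignments, treats a few sanitizer calls as clearing it, and reports when a marked value reaches an XSS, code-injection or SQL sink. It adds one CSRF-related configuration check (a session cookie set without a SameSite attribute), since CSRF is not a data-flow property. The source, sink and sanitizer lists and the sample program it scans are assumptions constructed for the example; a real tool works on an AST and tracks flow across statements, calls and files.

```javascript
// Added example (not the thesis tool): minimal line-based source-to-sink taint
// analysis over JavaScript source text. All lists below are illustrative choices.

// Expressions whose value is attacker-controlled.
const SOURCES = [
  /\blocation\.(?:hash|search|href)\b/,
  /\bdocument\.(?:URL|referrer|cookie)\b/,
  /\breq\.(?:query|body|params)\b/,
];

// Calls treated as neutralising a tainted value. Simplification: any sanitizer
// clears the whole expression; a real tool matches the sanitizer to the sink context.
const SANITIZERS = /\b(?:escapeHtml|encodeURIComponent|DOMPurify\.sanitize)\s*\(/;

// Sinks: `re` captures the argument text, `check` decides whether to report,
// `fix` is the remediation hint shown to the developer.
const SINKS = [
  { kind: 'DOM XSS', re: /\.innerHTML\s*=\s*(.+?);?$/,
    check: (arg, t) => isTainted(arg, t), fix: 'assign to textContent or HTML-escape the value' },
  { kind: 'DOM XSS', re: /\bdocument\.write\s*\((.+)\)/,
    check: (arg, t) => isTainted(arg, t), fix: 'build DOM nodes instead of writing markup' },
  { kind: 'Code injection', re: /\beval\s*\((.+)\)/,
    check: (arg, t) => isTainted(arg, t), fix: 'remove eval; parse input with JSON.parse or a dedicated parser' },
  { kind: 'SQL injection', re: /\.query\s*\((.+)\)/,
    check: (arg, t) => isTainted(firstArgument(arg), t), fix: 'pass values as query parameters' },
  { kind: 'CSRF (session cookie without SameSite)', re: /\bres\.cookie\s*\((.+)\)/,
    check: (arg) => !/\bsameSite\b/i.test(arg), fix: "add sameSite: 'lax' or 'strict'" },
];

// Remove string literals so words inside strings are not mistaken for identifiers;
// for template literals keep only the ${...} interpolations, which do carry data.
function stripStrings(code) {
  return code
    .replace(/`(?:\\.|[^`\\])*`/g, m => (m.match(/\$\{[^}]*\}/g) || []).join(' '))
    .replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"/g, '""');
}

// First top-level argument of a call (commas inside quotes or brackets are skipped),
// so `db.query(sql, [params])` is judged on the SQL text only.
function firstArgument(argText) {
  let depth = 0, quote = null;
  for (let i = 0; i < argText.length; i++) {
    const c = argText[i];
    if (quote) { if (c === quote && argText[i - 1] !== '\\') quote = null; continue; }
    if (c === '"' || c === "'" || c === '`') quote = c;
    else if ('([{'.includes(c)) depth++;
    else if (')]}'.includes(c)) depth--;
    else if (c === ',' && depth === 0) return argText.slice(0, i);
  }
  return argText;
}

// An expression is tainted if it reads a source directly or mentions a tainted variable.
function isTainted(expr, tainted) {
  const code = stripStrings(expr);
  if (SANITIZERS.test(code)) return false;
  if (SOURCES.some(re => re.test(code))) return true;
  const ids = code.match(/[A-Za-z_$][\w$]*/g) || [];
  return ids.some(id => tainted.has(id));
}

// Scan line by line: report sinks fed by tainted data, then update the taint set
// from plain assignments (`const x = ...` / `x = ...`; compound assignments are ignored).
function analyze(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((raw, i) => {
    const line = raw.replace(/\/\/.*$/, '').trim();   // naive comment strip: breaks on '//' inside strings
    if (!line) return;
    for (const sink of SINKS) {
      const m = line.match(sink.re);
      if (m && sink.check(m[1], tainted)) findings.push({ line: i + 1, kind: sink.kind, fix: sink.fix, code: line });
    }
    const asg = line.match(/^(?:const|let|var)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+?);?$/);
    if (asg) { if (isTainted(asg[2], tainted)) tainted.add(asg[1]); else tainted.delete(asg[1]); }
  });
  return findings;
}

// Constructed sample program (not code from the thesis); line numbers are 1-based.
const SAMPLE = [
  "const name = new URLSearchParams(location.search).get('name');",                  // 1: source
  "const greeting = 'Hello, ' + name;",                                               // 2: propagates
  "document.getElementById('out').innerHTML = greeting;",                             // 3: DOM XSS
  "document.getElementById('out').textContent = greeting;",                           // 4: safe sink
  "const safe = escapeHtml(name);",                                                   // 5: sanitized
  "document.getElementById('out').innerHTML = safe;",                                 // 6: clean
  "const id = req.query.id;",                                                         // 7: source
  "db.query('SELECT * FROM users WHERE id = ' + id);",                                // 8: SQL injection
  "db.query('SELECT * FROM users WHERE id = ?', [id]);",                              // 9: parameterized
  "eval(req.body.expr);",                                                             // 10: code injection
  "res.cookie('sid', sessionId, { httpOnly: true, secure: true });",                  // 11: no SameSite
  "res.cookie('sid', sessionId, { httpOnly: true, secure: true, sameSite: 'lax' });", // 12: ok
].join('\n');

for (const f of analyze(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} -> ${f.fix}\n    ${f.code}`);
}
```

Running it reports lines 3, 8, 10 and 11 and leaves the textContent assignment, the escaped value, the parameterized query and the SameSite cookie alone. The identifier-based propagation is deliberately crude (it cannot see through function calls, object properties or control flow), which is exactly the gap an AST-based, flow-sensitive analysis such as the one the abstract describes is meant to close.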