Journal "Software Engineering"
a journal on theoretical and applied science and technology
ISSN 2220-3397

Issue No. 5, 2023

DOI: 10.17587/prin.14.245-253
Mining Server HTTP Endpoints from Commented-Out Client-Side Code of Web Applications
D. I. Nazarov, Security Researcher, dmitry.nazarov@solidwall.io, LTD "SolidSoft", Moscow, 117312, Russian Federation, D. A. Sigalov, Junior Researcher, asterite@seclab.cs.msu.ru, D. Yu. Gamayunov, Associate Professor, gamajun@seclab.cs.msu.su, Lomonosov Moscow State University, Moscow, 119991, Russian Federation
Corresponding author: Dmitry I. Nazarov, Security Researcher, LTD "SolidSoft", Moscow, 117312, Russian Federation, E-mail: dmitry.nazarov@solidwall.io
Received on March 04, 2023
Accepted on March 22, 2023

In this paper we consider the problem of discovering information about server-side HTTP endpoints by extracting requests from the commented-out client-side code of web applications. An algorithm that extracts such commented-out requests is proposed and implemented, and the resulting module was integrated into a static analyzer. An experiment was conducted on more than a million web pages belonging to more than 50 thousand web applications from the Alexa Top 1 million list. For each page, the requests that occur only in commented-out code were selected, and for each of them a check was made for the existence of a corresponding endpoint on the server. The results show that commented-out requests do occur in real web applications: they were detected on ~2.78 % of all explored sites. In addition, ~40 % of them were marked as "live", that is, having an endpoint on the server. A cursory analysis also showed that such endpoints often turn out to be vulnerable. The module can be used as part of a web security scanner to obtain more complete information about the server side of a web application in a black-box setting.
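As an added illustration of the extraction step described in the abstract (not the authors' implementation, which is a module inside a static analyzer), the following Python code separates commented-out fragments from live code in an HTML page, pulls request URLs out of both with a small set of assumed request patterns (`fetch`, `XMLHttpRequest.open`, `url:` properties), and reports the paths that appear only in comments, so that a site owner can audit deployed pages for leftover endpoints. The comment stripping is regex-based and deliberately simplified; the "live endpoint" check from the paper (a network request per candidate) is not part of this offline example.

```python
import re
from urllib.parse import urlsplit

# Simplified comment extraction (assumption: a real tool would tokenize JS so that
# string and regex literals containing "//" or "/*" are not mistaken for comments).
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
JS_BLOCK_COMMENT = re.compile(r"/\*(.*?)\*/", re.S)
JS_LINE_COMMENT = re.compile(r"(?m)(?<![:\"'])//(.*)$")  # lookbehind skips "http://"

# Request-site patterns (an assumed subset; capture group 1 is the URL literal).
ENDPOINT_PATTERNS = [
    re.compile(r"""(?:\bfetch|\$\.(?:get|post)|\baxios\.(?:get|post))\s*\(\s*['"]([^'"]+)['"]"""),
    re.compile(r"""\.open\s*\(\s*['"]\w+['"]\s*,\s*['"]([^'"]+)['"]"""),
    re.compile(r"""\burl\s*:\s*['"]([^'"]+)['"]"""),
]


def extract_comments(source):
    """Return (text of all comments, source with comments blanked out)."""
    commented = []

    def grab(match):
        commented.append(match.group(1))
        return " "

    live = HTML_COMMENT.sub(grab, source)
    live = JS_BLOCK_COMMENT.sub(grab, live)
    live = JS_LINE_COMMENT.sub(grab, live)
    return "\n".join(commented), live


def find_endpoints(code):
    """Collect URL paths (query string and fragment dropped) from request sites."""
    return {urlsplit(m.group(1)).path for p in ENDPOINT_PATTERNS for m in p.finditer(code)}


def commented_only_endpoints(source):
    """Paths requested in commented-out code but nowhere in the live code."""
    commented, live = extract_comments(source)
    return find_endpoints(commented) - find_endpoints(live)


# Constructed sample page: one live request, three requests left only in comments,
# one commented request that duplicates the live one, and a CDN URL that must not
# be treated as a line comment.
SAMPLE_PAGE = """<html><body>
<script>
  fetch('/api/v2/profile?id=42');              // current code
  // fetch('/api/v1/profile?id=42');           // old version, left commented out
  /* $.ajax({url: '/admin/export', type: 'POST'}); */
  var img = 'http://cdn.example.test/logo.png';
</script>
<!-- <script>xhr.open('GET', '/debug/dump'); xhr.send();</script> -->
<!-- fetch('/api/v2/profile') duplicate of live request -->
</body></html>"""

if __name__ == "__main__":
    print(sorted(commented_only_endpoints(SAMPLE_PAGE)))
```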

Keywords: information security, web application, static analysis, search for vulnerabilities, HTTP request, commented-out code
pp. 245–253
For citation:
Nazarov D. I., Sigalov D. A., Gamayunov D. Yu. Mining Server HTTP Endpoints from Commented-Out Client-Side Code of Web Applications, Programmnaya Ingeneria, 2023, vol. 14, no. 5, pp. 245—253. DOI: 10.17587/prin.14.245-253 (in Russian).