TaintJSec: a static taint analysis method for JavaScript code to detect sensitive data leakage
Publisher
Universidade Federal do Amazonas
Abstract
JavaScript is one of the most used programming languages in the world and continues
to expand gradually. This success is due to the language's great flexibility and dynamism,
which greatly facilitate the creation of applications. However, the same characteristic
that makes the language successful also makes it difficult to statically analyze
execution flow, an analysis that aims to identify the presence of malicious code in
applications. This work presents TaintJSec, a new approach that uses static taint
analysis to identify and prevent leakage of sensitive information in web applications.
Unlike other works based on static analysis, TaintJSec is able to check both explicit and
implicit code flows, tracks the propagation of the taint tag through the execution of the
eval function, and is able to identify information leakage in obfuscated code. To validate
the effectiveness of the approach, taint tag propagation was tested across a set of tests
divided into 13 different test groups. Then, tests were performed to evaluate
propagation through the eval function. Finally, the approach was tested on malicious code
obfuscated by five different tools built for that purpose. The results demonstrated that
the approach is effective in detecting information leakage and more efficient than other
state-of-the-art methods.
Citation
DAMASCENO, Alexandre Braga. TaintJSec: um método de análise estática de marcação em código Javascript para detecção de vazamento de dados sensíveis. 2017. 129 leaves. Dissertation (Master's in Informatics) - Universidade Federal do Amazonas, Manaus, 2017.
Creative Commons License
Except where otherwise indicated, this item's license is described as Open Access

