ACTARUS: Static Analysis for JavaScript Security


JavaScript is the most popular language for Web-application clients. Detecting security issues in JavaScript programs is extremely important, but recent taint-analysis work, in both industry and academia, has focused more on server-side code written in other languages. Although JavaScript code is executed on the client, it is generated on the server and interacts with the server's code. Client-side vulnerabilities should therefore not be underestimated: they can make enterprises liable and less reputable, and compromise integrity and confidentiality on clients as well as servers.

Static analysis of JavaScript code is very challenging due to the dynamic nature of the language. We have designed and developed ACTARUS, a novel static taint analysis for JavaScript that soundly models all JavaScript constructs with the exception of reflective calls.

We publish here a set of unit tests that exhaustively expose the challenges that a static taint analysis for JavaScript must address.

Contributors

IBM JavaScript Security Test Suite

We have developed a large number of unit tests that exhibit various challenges faced by static analyzers for JavaScript security. Such challenges include prototype-chain property lookups, lexical-scoping rules for variable resolution, reflective property accesses, function pointers, and the fact that the properties and prototype chain of any object can be modified. It is our hope that these tests will be used and expanded by future researchers in JavaScript analysis. For this reason, we are making them available to the scientific community. ACTARUS currently passes all of the tests.
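The constructs listed above, sketched as an added example that is not part of the IBM test suite or of ACTARUS: each case routes a marked value from a hypothetical `source()` to a hypothetical `sink()` through one construct, and a run-time check gives the issue count a sound and precise static analysis should report for that case. The names `Tainted`, `source`, `sink`, `cases` and `expectedIssues` are assumptions made for this illustration.

```javascript
// Added illustration: a tiny run-time taint oracle (hypothetical names, not ACTARUS code).
class Tainted { constructor(v) { this.v = v; } }                 // marks untrusted data
const source = () => new Tainted("constructed-untrusted-input"); // stands in for e.g. URL data
let issues = 0;
const sink = (x) => { if (x instanceof Tainted) issues++; };     // stands in for a DOM write
const cases = {
  // Prototype-chain lookup: `data` is found on the prototype, not on `child`.
  prototypeLookup() {
    const parent = { data: source() };
    const child = Object.create(parent);
    sink(child.data);
  },
  // An own property shadows the tainted prototype property: no issue expected.
  shadowedPrototype() {
    const child = Object.create({ data: source() });
    child.data = "constant";
    sink(child.data);
  },
  // Lexical scoping: the inner `v` hides the tainted outer `v` only inside `inner`.
  lexicalScope() {
    const v = source();
    const inner = () => { const v = "constant"; sink(v); };
    inner();
    sink(v);
  },
  // Reflective property access: the property name is computed at run time.
  reflectiveAccess() {
    const o = { safe: "constant", user: source() };
    for (const key of ["sa" + "fe", "us" + "er"]) sink(o[key]);
  },
  // Function pointer: the callee is selected through a variable.
  functionPointer() {
    const pick = [(x) => "constant", (x) => x];
    for (const f of pick) sink(f(source()));
  },
  // Prototype chain rewired after creation: the lookup now reaches tainted data.
  mutatedChain() {
    const o = Object.create({ data: "constant" });
    Object.setPrototypeOf(o, { data: source() });
    sink(o.data);
  },
};
// Run every case in isolation and return the observed issue count per case.
function expectedIssues() {
  const out = {};
  for (const [name, run] of Object.entries(cases)) { issues = 0; run(); out[name] = issues; }
  return out;
}
console.log(expectedIssues());
```

An analysis that ignores prototype links or computed property names under-reports these cases, while one that merges all bindings named `v` or all candidate callees over-reports `shadowedPrototype` and `lexicalScope`.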

Please note that each HTML file published in the ZIP file below contains a number embedded in a comment at the top of the file itself. That number indicates the number of expected issues.

Download IBMJavaScriptUnitTests.zip.